From 3194ba92ec0a1a5a390938c70b00514d89c7768b Mon Sep 17 00:00:00 2001 From: Alex Nelson Date: Fri, 15 Nov 2024 11:21:12 -0500 Subject: [PATCH] Add nightly supply chain review Signed-off-by: Alex Nelson --- .github/workflows/supply-chain.yml | 49 ++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/supply-chain.yml diff --git a/.github/workflows/supply-chain.yml b/.github/workflows/supply-chain.yml new file mode 100644 index 0000000..4de8e0e --- /dev/null +++ b/.github/workflows/supply-chain.yml @@ -0,0 +1,49 @@ +# Portions of this file contributed by NIST are governed by the +# following statement: +# +# This software was developed at the National Institute of Standards +# and Technology by employees of the Federal Government in the course +# of their official duties. Pursuant to Title 17 Section 105 of the +# United States Code, this software is not subject to copyright +# protection within the United States. NIST assumes no responsibility +# whatsoever for its use by other parties, and makes no guarantees, +# expressed or implied, about its quality, reliability, or any other +# characteristic. +# +# We would appreciate acknowledgement if the software is used. + +# This workflow uses Make to review direct dependencies of this +# repository. + +name: Supply Chain + +on: + schedule: + - cron: '15 5 * * 1,2,3,4,5' + +jobs: + build: + + runs-on: ubuntu-latest + strategy: + matrix: + python-version: + - '3.9' + - '3.12' + + steps: + - uses: actions/checkout@v4 + with: + # This enables supply chain review against only a selected + # branch. For those using the "Git-Flow" style of branching, + # the ref value should be 'develop', so an upstream dependency + # only relevant for, say, code formatting does not need to + # induce a new commit on 'main', or a release. + # https://cyberdomainontology.org/ontology/development/#branching-cdo-git-flow + ref: develop + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@v5 + with: + python-version: ${{ matrix.python-version }} + - name: Review dependencies + run: make check-supply-chain