-
Notifications
You must be signed in to change notification settings - Fork 484
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add OpenSSF scorecard, pinned python/gh action dependencies, explicit…
… action permissions #1706 Signed-off-by: Nigel Jones <[email protected]>
- Loading branch information
Showing
13 changed files
with
495 additions
and
44 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
colorama==0.4.6 | ||
execnet==2.1.1 | ||
iniconfig==2.0.0 | ||
packaging==24.0 | ||
pluggy==1.4.0 | ||
pytest==8.1.1 | ||
pytest-xdist==3.5.0 | ||
pyyaml==6.0.1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,97 @@ | ||
# | ||
# This file is autogenerated by pip-compile with Python 3.12 | ||
# by the following command: | ||
# | ||
# pip-compile --generate-hashes --output-file=requirements_new.txt requirements.txt | ||
# | ||
colorama==0.4.6 \ | ||
--hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \ | ||
--hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6 | ||
# via -r requirements.txt | ||
execnet==2.1.1 \ | ||
--hash=sha256:26dee51f1b80cebd6d0ca8e74dd8745419761d3bef34163928cbebbdc4749fdc \ | ||
--hash=sha256:5189b52c6121c24feae288166ab41b32549c7e2348652736540b9e6e7d4e72e3 | ||
# via | ||
# -r requirements.txt | ||
# pytest-xdist | ||
iniconfig==2.0.0 \ | ||
--hash=sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3 \ | ||
--hash=sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374 | ||
# via | ||
# -r requirements.txt | ||
# pytest | ||
packaging==24.0 \ | ||
--hash=sha256:2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5 \ | ||
--hash=sha256:eb82c5e3e56209074766e6885bb04b8c38a0c015d0a30036ebe7ece34c9989e9 | ||
# via | ||
# -r requirements.txt | ||
# pytest | ||
pluggy==1.4.0 \ | ||
--hash=sha256:7db9f7b503d67d1c5b95f59773ebb58a8c1c288129a88665838012cfb07b8981 \ | ||
--hash=sha256:8c85c2876142a764e5b7548e7d9a0e0ddb46f5185161049a79b7e974454223be | ||
# via | ||
# -r requirements.txt | ||
# pytest | ||
pytest==8.1.1 \ | ||
--hash=sha256:2a8386cfc11fa9d2c50ee7b2a57e7d898ef90470a7a34c4b949ff59662bb78b7 \ | ||
--hash=sha256:ac978141a75948948817d360297b7aae0fcb9d6ff6bc9ec6d514b85d5a65c044 | ||
# via | ||
# -r requirements.txt | ||
# pytest-xdist | ||
pytest-xdist==3.5.0 \ | ||
--hash=sha256:cbb36f3d67e0c478baa57fa4edc8843887e0f6cfc42d677530a36d7472b32d8a \ | ||
--hash=sha256:d075629c7e00b611df89f490a5063944bee7a4362a5ff11c7cc7824a03dfce24 | ||
# via -r requirements.txt | ||
pyyaml==6.0.1 \ | ||
--hash=sha256:04ac92ad1925b2cff1db0cfebffb6ffc43457495c9b3c39d3fcae417d7125dc5 \ | ||
--hash=sha256:062582fca9fabdd2c8b54a3ef1c978d786e0f6b3a1510e0ac93ef59e0ddae2bc \ | ||
--hash=sha256:0d3304d8c0adc42be59c5f8a4d9e3d7379e6955ad754aa9d6ab7a398b59dd1df \ | ||
--hash=sha256:1635fd110e8d85d55237ab316b5b011de701ea0f29d07611174a1b42f1444741 \ | ||
--hash=sha256:184c5108a2aca3c5b3d3bf9395d50893a7ab82a38004c8f61c258d4428e80206 \ | ||
--hash=sha256:18aeb1bf9a78867dc38b259769503436b7c72f7a1f1f4c93ff9a17de54319b27 \ | ||
--hash=sha256:1d4c7e777c441b20e32f52bd377e0c409713e8bb1386e1099c2415f26e479595 \ | ||
--hash=sha256:1e2722cc9fbb45d9b87631ac70924c11d3a401b2d7f410cc0e3bbf249f2dca62 \ | ||
--hash=sha256:1fe35611261b29bd1de0070f0b2f47cb6ff71fa6595c077e42bd0c419fa27b98 \ | ||
--hash=sha256:28c119d996beec18c05208a8bd78cbe4007878c6dd15091efb73a30e90539696 \ | ||
--hash=sha256:326c013efe8048858a6d312ddd31d56e468118ad4cdeda36c719bf5bb6192290 \ | ||
--hash=sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9 \ | ||
--hash=sha256:42f8152b8dbc4fe7d96729ec2b99c7097d656dc1213a3229ca5383f973a5ed6d \ | ||
--hash=sha256:49a183be227561de579b4a36efbb21b3eab9651dd81b1858589f796549873dd6 \ | ||
--hash=sha256:4fb147e7a67ef577a588a0e2c17b6db51dda102c71de36f8549b6816a96e1867 \ | ||
--hash=sha256:50550eb667afee136e9a77d6dc71ae76a44df8b3e51e41b77f6de2932bfe0f47 \ | ||
--hash=sha256:510c9deebc5c0225e8c96813043e62b680ba2f9c50a08d3724c7f28a747d1486 \ | ||
--hash=sha256:5773183b6446b2c99bb77e77595dd486303b4faab2b086e7b17bc6bef28865f6 \ | ||
--hash=sha256:596106435fa6ad000c2991a98fa58eeb8656ef2325d7e158344fb33864ed87e3 \ | ||
--hash=sha256:6965a7bc3cf88e5a1c3bd2e0b5c22f8d677dc88a455344035f03399034eb3007 \ | ||
--hash=sha256:69b023b2b4daa7548bcfbd4aa3da05b3a74b772db9e23b982788168117739938 \ | ||
--hash=sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0 \ | ||
--hash=sha256:704219a11b772aea0d8ecd7058d0082713c3562b4e271b849ad7dc4a5c90c13c \ | ||
--hash=sha256:7e07cbde391ba96ab58e532ff4803f79c4129397514e1413a7dc761ccd755735 \ | ||
--hash=sha256:81e0b275a9ecc9c0c0c07b4b90ba548307583c125f54d5b6946cfee6360c733d \ | ||
--hash=sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28 \ | ||
--hash=sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4 \ | ||
--hash=sha256:9046c58c4395dff28dd494285c82ba00b546adfc7ef001486fbf0324bc174fba \ | ||
--hash=sha256:9eb6caa9a297fc2c2fb8862bc5370d0303ddba53ba97e71f08023b6cd73d16a8 \ | ||
--hash=sha256:a08c6f0fe150303c1c6b71ebcd7213c2858041a7e01975da3a99aed1e7a378ef \ | ||
--hash=sha256:a0cd17c15d3bb3fa06978b4e8958dcdc6e0174ccea823003a106c7d4d7899ac5 \ | ||
--hash=sha256:afd7e57eddb1a54f0f1a974bc4391af8bcce0b444685d936840f125cf046d5bd \ | ||
--hash=sha256:b1275ad35a5d18c62a7220633c913e1b42d44b46ee12554e5fd39c70a243d6a3 \ | ||
--hash=sha256:b786eecbdf8499b9ca1d697215862083bd6d2a99965554781d0d8d1ad31e13a0 \ | ||
--hash=sha256:ba336e390cd8e4d1739f42dfe9bb83a3cc2e80f567d8805e11b46f4a943f5515 \ | ||
--hash=sha256:baa90d3f661d43131ca170712d903e6295d1f7a0f595074f151c0aed377c9b9c \ | ||
--hash=sha256:bc1bf2925a1ecd43da378f4db9e4f799775d6367bdb94671027b73b393a7c42c \ | ||
--hash=sha256:bd4af7373a854424dabd882decdc5579653d7868b8fb26dc7d0e99f823aa5924 \ | ||
--hash=sha256:bf07ee2fef7014951eeb99f56f39c9bb4af143d8aa3c21b1677805985307da34 \ | ||
--hash=sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43 \ | ||
--hash=sha256:c8098ddcc2a85b61647b2590f825f3db38891662cfc2fc776415143f599bb859 \ | ||
--hash=sha256:d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673 \ | ||
--hash=sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54 \ | ||
--hash=sha256:d858aa552c999bc8a8d57426ed01e40bef403cd8ccdd0fc5f6f04a00414cac2a \ | ||
--hash=sha256:e7d73685e87afe9f3b36c799222440d6cf362062f78be1013661b00c5c6f678b \ | ||
--hash=sha256:f003ed9ad21d6a4713f0a9b5a7a0a79e08dd0f221aff4525a2be4c346ee60aab \ | ||
--hash=sha256:f22ac1c3cac4dbc50079e965eba2c1058622631e526bd9afd45fedd49ba781fa \ | ||
--hash=sha256:faca3bdcf85b2fc05d06ff3fbc1f83e1391b3e724afa3feba7d13eeab355484c \ | ||
--hash=sha256:fca0e3a251908a499833aa292323f32437106001d436eca0e6e7833256674585 \ | ||
--hash=sha256:fd1592b3fdf65fff2ad0004b5e363300ef59ced41c2e6b3a99d4089fa8c5435d \ | ||
--hash=sha256:fd66fc5d0da6d9815ba2cebeb4205f95818ff4b79c3ebe268e75d961704af52f | ||
# via -r requirements.txt |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
name: Scorecard supply-chain security | ||
|
||
permissions: read-all | ||
|
||
on: | ||
# For Branch-Protection check. Only the default branch is supported. See | ||
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection | ||
branch_protection_rule: # To guarantee Maintained check is occasionally updated. See | ||
|
||
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained | ||
schedule: | ||
- cron: '29 9 * * 4' | ||
push: | ||
branches: [ "main" ] | ||
pull_request: | ||
|
||
jobs: | ||
analysis: | ||
name: Scorecard analysis | ||
runs-on: ubuntu-latest | ||
permissions: | ||
# Needed to upload the results to code-scanning dashboard. | ||
security-events: write | ||
# Needed to publish results and get a badge (see publish_results below). | ||
id-token: write | ||
# Uncomment the permissions below if installing in a private repository. | ||
# contents: read | ||
# actions: read | ||
|
||
steps: | ||
- name: "Checkout code" | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4 | ||
with: | ||
persist-credentials: false | ||
|
||
- name: "Run analysis" | ||
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # [email protected] | ||
with: | ||
results_file: results.sarif | ||
results_format: sarif | ||
# (Optional) "write" PAT token. Uncomment the `repo_token` line below if: | ||
# - you want to enable the Branch-Protection check on a *public* repository, or | ||
# - you are installing Scorecard on a *private* repository | ||
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. | ||
# repo_token: ${{ secrets.SCORECARD_TOKEN }} | ||
|
||
# Public repositories: | ||
# - Publish results to OpenSSF REST API for easy access by consumers | ||
# - Allows the repository to include the Scorecard badge. | ||
# - See https://github.com/ossf/scorecard-action#publishing-results. | ||
# For private repositories: | ||
# - `publish_results` will always be set to `false`, regardless | ||
# of the value entered here. | ||
publish_results: false | ||
|
||
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF | ||
# format to the repository Actions tab. | ||
- name: "Upload artifact" | ||
uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # pin@v4 | ||
with: | ||
name: SARIF file | ||
path: results.sarif | ||
retention-days: 5 | ||
# Upload the results to GitHub's code scanning dashboard. | ||
#- name: "Upload to code-scanning" | ||
# uses: github/codeql-action/upload-sarif@e949a1676c32f4c215780f7429eb9f00ff18b225 # pin@v2 | ||
# with: | ||
# sarif_file: results.sarif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,9 @@ | ||
name: Linux and MacOS tests | ||
|
||
on: [push, pull_request] | ||
permissions: | ||
contents: read | ||
|
||
on: [ push, pull_request ] | ||
|
||
jobs: | ||
|
||
|
@@ -10,7 +13,7 @@ jobs: | |
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | ||
- name: Ensure code conventions are upheld | ||
run: python3 -m pytest --verbose tests/test_code_conventions.py | ||
- name: Check that doxygen can parse the documentation | ||
|
@@ -24,21 +27,21 @@ jobs: | |
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | ||
- name: Verify copy_from_upstream state | ||
run: | | ||
git config --global user.name "ciuser" && \ | ||
git config --global user.email "[email protected]" && \ | ||
export LIBOQS_DIR=`pwd` && \ | ||
git config --global --add safe.directory $LIBOQS_DIR && \ | ||
cd scripts/copy_from_upstream && \ | ||
! pip3 install -r requirements.txt 2>&1 | grep ERROR && \ | ||
! pip3 install --require-hashes -r requirements.txt 2>&1 | grep ERROR && \ | ||
python3 copy_from_upstream.py copy && \ | ||
! git status | grep modified | ||
buildcheck: | ||
name: Check that code passes a basic build before starting heavier tests | ||
needs: [stylecheck, upstreamcheck] | ||
needs: [ stylecheck, upstreamcheck ] | ||
strategy: | ||
matrix: | ||
include: | ||
|
@@ -53,7 +56,7 @@ jobs: | |
SIG_NAME: dilithium_3 | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | ||
- name: Configure | ||
run: | | ||
mkdir build && \ | ||
|
@@ -134,7 +137,7 @@ jobs: | |
image: ${{ matrix.container }} | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | ||
- name: Configure | ||
run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA .. | ||
- name: Build | ||
|
@@ -149,7 +152,7 @@ jobs: | |
working-directory: build | ||
- name: Retain .deb file | ||
if: matrix.name == 'jammy-std-openssl3' | ||
uses: actions/upload-artifact@v3 | ||
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3 | ||
with: | ||
name: liboqs-openssl3-shared-x64 | ||
path: build/*.deb | ||
|
@@ -179,7 +182,7 @@ jobs: | |
# CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_OPT_TARGET=generic | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | ||
- name: Install the emulation handlers | ||
run: docker run --rm --privileged multiarch/qemu-user-static:register --reset | ||
- name: Build in an x86_64 container | ||
|
@@ -220,7 +223,7 @@ jobs: | |
CMAKE_ARGS: -DCMAKE_TOOLCHAIN_FILE=../.CMake/toolchain_windows-amd64.cmake -DBUILD_SHARED_LIBS=ON | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | ||
- name: Configure | ||
run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA .. | ||
- name: Build | ||
|
@@ -232,7 +235,8 @@ jobs: | |
strategy: | ||
fail-fast: false | ||
matrix: | ||
os: # macos-14 runs on aarch64; the others run on x64 | ||
os: | ||
# macos-14 runs on aarch64; the others run on x64 | ||
- macos-12 | ||
- macos-13 | ||
- macos-14 | ||
|
@@ -243,11 +247,15 @@ jobs: | |
- -DBUILD_SHARED_LIBS=ON -DOQS_DIST_BUILD=OFF | ||
runs-on: ${{ matrix.os }} | ||
steps: | ||
- name: Install Python | ||
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # pin@v5 | ||
with: | ||
python-version: '3.12' | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | ||
- name: Install dependencies | ||
run: env HOMEBREW_NO_AUTO_UPDATE=1 brew install ninja && pip3 install --break-system-packages pytest pytest-xdist pyyaml | ||
- name: Patch GCC | ||
run: env HOMEBREW_NO_AUTO_UPDATE=1 brew install ninja && pip3 install --require-hashes --break-system-packages -r .github/workflows/requirements.txt | ||
- name: Patch GCC | ||
run: env HOMEBREW_NO_AUTO_UPDATE=1 brew uninstall --ignore-dependencies gcc@13 && wget https://raw.githubusercontent.com/Homebrew/homebrew-core/eb6dd225d093b66054e18e07d56509cf670793b1/Formula/g/gcc%4013.rb && env HOMEBREW_NO_AUTO_UPDATE=1 brew install --ignore-dependencies [email protected] | ||
- name: Get system information | ||
run: sysctl -a | grep machdep.cpu | ||
|
@@ -267,16 +275,16 @@ jobs: | |
image: openquantumsafe/ci-ubuntu-jammy:latest | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | ||
- name: Retrieve OpenSSL330 from cache | ||
id: cache-openssl330 | ||
uses: actions/cache@v3 | ||
uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # pin@v3 | ||
with: | ||
path: .localopenssl330 | ||
key: ${{ runner.os }}-openssl330 | ||
- name: Checkout the OpenSSL v3.3.0 commit | ||
if: steps.cache-openssl330.outputs.cache-hit != 'true' | ||
uses: actions/checkout@v4 | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | ||
with: | ||
repository: 'openssl/openssl' | ||
ref: 'openssl-3.3.0-beta1' | ||
|
@@ -293,7 +301,7 @@ jobs: | |
- name: Save OpenSSL | ||
id: cache-openssl-save | ||
if: steps.cache-openssl330.outputs.cache-hit != 'true' | ||
uses: actions/cache/save@v3 | ||
uses: actions/cache/save@e12d46a63a90f2fae62d114769bbf2a179198b5c # pin@v3 | ||
with: | ||
path: | | ||
.localopenssl330 | ||
|
Oops, something went wrong.