diff --git a/.github/workflows/export_github_data.yml b/.github/workflows/export_github_data.yml new file mode 100644 index 0000000..941e3ba --- /dev/null +++ b/.github/workflows/export_github_data.yml @@ -0,0 +1,25 @@ +name: GitHub repository metadata exporter +on: + workflow_dispatch: + schedule: + - cron: "20 7 * * *" + +jobs: + export-data: + runs-on: ubuntu-latest + steps: + - name: Audit DNS requests + uses: cds-snc/dns-proxy-action@main + env: + DNS_PROXY_FORWARDTOSENTINEL: "true" + DNS_PROXY_LOGANALYTICSWORKSPACEID: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }} + DNS_PROXY_LOGANALYTICSSHAREDKEY: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }} + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - name: Export Data + uses: cds-snc/github-repository-metadata-exporter@main + with: + github-app-id: ${{ secrets.SRE_BOT_RO_APP_ID }} + github-app-installation-id: ${{ secrets.SRE_BOT_RO_INSTALLATION_ID }} + github-app-private-key: ${{ secrets.SRE_BOT_RO_PRIVATE_KEY }} + log-analytics-workspace-id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }} + log-analytics-workspace-key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }} diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml new file mode 100644 index 0000000..c85904f --- /dev/null +++ b/.github/workflows/ossf-scorecard.yml @@ -0,0 +1,47 @@ +name: Scorecards supply-chain security +on: + workflow_dispatch: + schedule: + # Weekly on Saturdays. + - cron: "30 1 * * 6" + push: + branches: + - main + +permissions: read-all + +jobs: + analysis: + name: Scorecards analysis + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + + steps: + - name: "Checkout code" + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@2fa1e2fa153141e2950c7e1299ed05e2081ead0c + with: + results_file: ossf-results.json + results_format: json + publish_results: false + + - name: "Add metadata" + run: | + full_repo="${{ github.repository }}" + OWNER=${full_repo%/*} + REPO=${full_repo#*/} + jq -c '. + {"metadata_owner": "'$OWNER'", "metadata_repo": "'$REPO'", "metadata_query": "ossf"}' ossf-results.json > ossf-results-modified.json + + - name: "Post results to Sentinel" + uses: cds-snc/sentinel-forward-data-action@main + with: + file_name: ossf-results-modified.json + log_type: GitHubMetadata_OSSF_Scorecard + log_analytics_workspace_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }} + log_analytics_workspace_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}