Merge pull request #326 from rsksmart/scorecard

Scorecard

.github/dependabot.yml

@@ -0,0 +1,13 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  # Maintain dependencies for Docker
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily

.github/workflows/build-push-docker.yml

@@ -4,6 +4,9 @@ on:
     tags:
       - '*'
 
+# Declare default permissions as read only.
+permissions: read-all
+
 env:
   GHCR_REPO: "ghcr.io/rsksmart/powpeg-node"
   DOCKERHUB_REPO: "rsksmart/powpeg-node"
@@ -16,15 +19,15 @@ jobs:
       packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
 
       - name: Set version
         id: vars
         run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 #v5.5.1
         with:
           images: |
             ${{ env.DOCKERHUB_REPO }}
@@ -36,26 +39,26 @@ jobs:
             type=match,pattern=(\w+-\d+)\.\d+\.\d+.*,group=1
       
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 #v3.7.1
         with:
           driver: docker
 
       - name: Build Docker Image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 #v6.9.0
         with:
           context: .
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           build-args: RSK_RELEASE=${{ steps.vars.outputs.tag }}
 
       - name: DockerHub login
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: GitHub container registry login
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}

.github/workflows/build_and_test.yml

@@ -6,22 +6,19 @@ on:
       - master
       - "*-rc"
   pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
+    types: [ opened, synchronize, reopened]
     branches:
       - "**"
 
-permissions:
-  contents: read
+# Declare default permissions as read only.
+permissions: read-all
 
 jobs:
   verify_files:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
 
       - name: Setup
         run: |
@@ -37,7 +34,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout RSKj repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
         with:
           repository: rsksmart/rskj
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -84,7 +81,7 @@ jobs:
           git switch "$CHECKOUT_REF"
 
       - name: Persist RSKJ
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3
         with:
           name: rskj
           path: rskj
@@ -95,24 +92,24 @@ jobs:
     needs: clone_rskj_repo
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
         with:
           fetch-depth: 0
 
       - name: Setup Java & Gradle
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0
         with:
           java-version: '17'
           distribution: 'temurin'
           cache: 'gradle'
 
       - name: Download rskj
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8
         with:
           name: rskj
           path: rskj
 
-      - uses: actions/cache@v4
+      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1
         name: Cache Gradle Wrapper
         id: cache-gradle-wrapper
         with:
@@ -151,7 +148,7 @@ jobs:
           ./gradlew --no-daemon --stacktrace clean build -x test
 
       - name: Persist Build files
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3
         with:
           name: build_files
           path: |
@@ -164,28 +161,28 @@ jobs:
     needs: build_federator_node
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
 
       - name: Setup Java & Gradle
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0
         with:
           java-version: '17'
           distribution: 'temurin'
           cache: 'gradle'
 
       - name: Download Build files
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8
         with:
           name: build_files
           path: ./
 
       - name: Download rskj
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8
         with:
           name: rskj
           path: rskj
 
-      - uses: actions/cache/restore@v4
+      - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1
         name: Restore Gradle Wrapper
         with:
           path: |
@@ -198,15 +195,15 @@ jobs:
           ./gradlew --no-daemon --stacktrace test
 
       - name: Persist test results for sonar
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3
         with:
           name: test-results
           path: |
             build/test-results/
           retention-days: 7
 
       - name: Persist test reports for sonar
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3
         with:
           name: test-reports
           path: |
@@ -218,28 +215,28 @@ jobs:
     needs: build_federator_node
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
 
       - name: Setup Java & Gradle
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0
         with:
           java-version: '21'
           distribution: 'temurin'
           cache: 'gradle'
 
       - name: Download Build files
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8
         with:
           name: build_files
           path: ./
 
       - name: Download rskj
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8
         with:
           name: rskj
           path: rskj
 
-      - uses: actions/cache/restore@v4
+      - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1
         name: Restore Gradle Wrapper
         with:
           path: |
@@ -256,38 +253,38 @@ jobs:
     needs: federator-tests-java17
     steps:
       - name: Download Build files
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8
         with:
           name: build_files
 
       - name: Download rskj
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8
         with:
           name: rskj
           path: rskj
 
       - name: Download test results
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8
         with:
           name: test-results
           path: |
             build/test-results/
 
       - name: Download test reports
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8
         with:
           name: test-reports
           path: |
             build/reports/
 
       - name: Setup Java & Gradle
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0
         with:
           java-version: '17'
           distribution: 'temurin'
           cache: 'gradle'
 
-      - uses: actions/cache/restore@v4
+      - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1
         name: Restore Gradle Wrapper
         with:
           path: |

.github/workflows/codeql.yml

@@ -0,0 +1,91 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master", "*-rc" ]
+  pull_request:
+    branches: [ "master", "*-rc" ]
+  schedule:
+    - cron: "0 0 * * *"
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ java ]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+
+      - name: Setup Java JDK
+        if: ${{ matrix.language == 'java' }}
+        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+
+      - name: Checkout RSKj repo
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        with:
+          repository: rsksmart/rskj
+          token: ${{ secrets.GITHUB_TOKEN }}
+          path: rskj
+          fetch-depth: 0
+
+      - name: Check out appropriate rskj reference
+        if: ${{ matrix.language == 'java' }}
+        working-directory: rskj
+        env:
+          CHECKOUT_REF: ${{ github.head_ref }}
+        run: |
+          git switch "$CHECKOUT_REF"
+
+      - name: Set DONT-COMMIT-settings.gradle
+        if: ${{ matrix.language == 'java' }}
+        run: |
+          cat <<'EOF' >DONT-COMMIT-settings.gradle
+          includeBuild('./rskj') {
+            dependencySubstitution {
+              all { DependencySubstitution dependency ->
+                if (dependency.requested instanceof ModuleComponentSelector
+                    && dependency.requested.group == 'co.rsk'
+                    && dependency.requested.module == 'rskj-core'
+                    && (dependency.requested.version.endsWith('SNAPSHOT') || dependency.requested.version.endsWith('RC'))) {
+                  def targetProject = project(":${dependency.requested.module}")
+                  if (targetProject != null) {
+                    println('---- USING LOCAL ' + dependency.requested.displayName + ' PROJECT ----')
+                    dependency.useTarget targetProject
+                  }
+                }
+              }
+            }
+          }
+          EOF
+  
+      - name: Before Index (java)
+        if: ${{ matrix.language == 'java' }}
+        run: ./configure.sh
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13
+        with:
+          category: "/language:${{ matrix.language }}"