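--- /dev/null
+++ b/common/.github/workflows/openssf-scorecard-gate.yml
@@ -0,0 +1,28 @@
+# Gate PRs on OpenSSF Scorecard regressions.
+#
+# See also: https://github.com/ossf/scorecard/issues/1270
+name: OpenSSF Scorecard
+
+on:
+pull_request:
+branches:
+- main
+
+permissions:
+contents: read
+
+jobs:
+scorecard:
+name: Scorecard
+runs-on: ubuntu-24.04
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+with:
+fetch-depth: 0
+
+- name: Check for regressions
+uses: bootc-dev/actions/openssf-scorecard@main
+with:
+base-sha: ${{ github.event.pull_request.base.sha }}
+head-sha: ${{ github.event.pull_request.head.sha }}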
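Review bot: The gate itself is consumed from a moving branch, `uses: bootc-dev/actions/openssf-scorecard@main`, so anyone who can push to that branch controls what runs against every PR to `main`; Scorecard's own Pinned-Dependencies check is the one that flags this. Pin it to a full commit SHA with the tracked ref in a trailing comment, `uses: bootc-dev/actions/openssf-scorecard@<commit-sha> # main`, and treat `actions/checkout@v4` the same way, since a tag is mutable too; the `# renovate:` regex managers this PR extends can keep such SHAs current. `permissions: contents: read` already keeps the job token read-only, which is the right default for a check that only reads history between `base-sha` and `head-sha`.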
50 changes: 0 additions & 50 deletions common/.github/workflows/openssf-scorecard.yml

This file was deleted.

19 changes: 19 additions & 0 deletions devenv/Containerfile.c10s
@@ -1,7 +1,7 @@
# These aren't packages, just low-dependency binaries dropped in /usr/local/bin
# so we can fetch them independently in a separate build.
ARG base=quay.io/centos/centos:stream10
FROM $base as base

# Life is too short to care about dash
RUN ln -sfr /bin/bash /bin/sh
RUN <<EORUN
Expand All @@ -25,11 +25,13 @@
dnf -y makecache
EORUN

FROM base as tools
# renovate: datasource=github-releases depName=block/goose
ARG gooseversion=v1.11.1
# renovate: datasource=github-releases depName=bootc-dev/bcvk
ARG bcvkversion=v0.9.0
# renovate: datasource=github-releases depName=ossf/scorecard
ARG scorecardversion=v5.1.1
RUN <<EORUN
set -xeuo pipefail
arch=$(arch)
Expand Down Expand Up @@ -58,9 +60,26 @@
else
echo bcvk unavailable for $arch
fi

# scorecard (OpenSSF security scanner)
td=$(mktemp -d)
(
cd $td
# Map arch to scorecard naming convention
case "${arch}" in
x86_64) scarch=amd64 ;;
aarch64) scarch=arm64 ;;
*) echo "scorecard unavailable for $arch"; exit 0 ;;
esac
target=scorecard_${scorecardversion#v}_linux_${scarch}.tar.gz
/bin/time -f '%E %C' curl -fLO https://github.com/ossf/scorecard/releases/download/$scorecardversion/$target
tar xvzf $target
mv scorecard /usr/local/bin/scorecard
)
rm -rf $td
EORUN

FROM base as rust
RUN <<EORUN
set -xeuo pipefail
# Setup rust; the idea here though is we install system-wide into /usr/local
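Review bot: The scorecard tarball fetched on the `curl -fLO https://github.com/ossf/scorecard/releases/download/$scorecardversion/$target` line is extracted and moved into `/usr/local/bin` with no integrity check, so a substituted or tampered release asset would land in the dev image unnoticed; the same block is duplicated in devenv/Containerfile.debian and the remark applies there too. If the release publishes a checksums file (goreleaser-style builds usually do), download it next to the archive and run `sha256sum --ignore-missing -c <checksums-file>` before `tar`; otherwise pin the expected sha256 beside `scorecardversion` so the renovate bump has to update both values together. Since `set -euo pipefail` is in force, a checksum mismatch fails the build rather than installing a silently wrong binary. The enclosing `RUN <<EORUN` heredoc opens in the previous hunk, outside this one.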
19 changes: 19 additions & 0 deletions devenv/Containerfile.debian
@@ -1,7 +1,7 @@
# These aren't packages, just low-dependency binaries dropped in /usr/local/bin
# so we can fetch them independently in a separate build.
ARG base=docker.io/library/debian:sid
FROM $base as base

# Life is too short to care about dash
RUN ln -sfr /bin/bash /bin/sh
RUN <<EORUN
Expand All @@ -25,11 +25,13 @@
apt -y update
EORUN

FROM base as tools
# renovate: datasource=github-releases depName=block/goose
ARG gooseversion=v1.11.1
# renovate: datasource=github-releases depName=bootc-dev/bcvk
ARG bcvkversion=v0.9.0
# renovate: datasource=github-releases depName=ossf/scorecard
ARG scorecardversion=v5.1.1
RUN <<EORUN
set -xeuo pipefail
arch=$(arch)
Expand All @@ -56,9 +58,26 @@
else
echo bcvk unavailable for $arch
fi

# scorecard (OpenSSF security scanner)
td=$(mktemp -d)
(
cd $td
# Map arch to scorecard naming convention
case "${arch}" in
x86_64) scarch=amd64 ;;
aarch64) scarch=arm64 ;;
*) echo "scorecard unavailable for $arch"; exit 0 ;;
esac
target=scorecard_${scorecardversion#v}_linux_${scarch}.tar.gz
/bin/time -f '%E %C' curl -fLO https://github.com/ossf/scorecard/releases/download/$scorecardversion/$target
tar xvzf $target
mv scorecard /usr/local/bin/scorecard
)
rm -rf $td
EORUN

FROM base as rust
RUN <<EORUN
set -xeuo pipefail
# Setup rust; the idea here though is we install system-wide into /usr/local
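Review bot: The `*) echo "scorecard unavailable for $arch"; exit 0 ;;` branch in the new `case` only leaves the subshell opened by `(`, so the build continues and `rm -rf $td` still runs; that matches the best-effort `echo bcvk unavailable` path just above, but it reads as if it aborts the whole RUN, so a comment on that line would help: `# exits the subshell only; the build continues without scorecard`. `tar xvzf $target` also unpacks every member of the archive into the temp dir although only `scorecard` is kept; `tar xzf "$target" scorecard` extracts just the binary, and quoting `$td`/`$target` in `cd` and `tar` is the safer spelling even though mktemp paths contain no whitespace. The integrity-check point raised on devenv/Containerfile.c10s applies to this copy as well. The enclosing heredoc begins outside this hunk.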
8 changes: 8 additions & 0 deletions renovate-shared-config.json
Expand Up @@ -39,6 +39,14 @@
"matchStrings": [
"# renovate: datasource=(?<datasource>[a-z-]+) depName=(?<depName>[^\\s]+)\\n.*@(?<currentValue>\\S+)"
]
},
// Shell scripts in GHA workflows/actions: Match "# renovate:" followed by VERSION=
{
"customType": "regex",
"managerFilePatterns": ["**/*.yml", "**/*.yaml"],
"matchStrings": [
"# renovate: datasource=(?<datasource>[a-z-]+) depName=(?<depName>[^\\s]+)\\n\\s*VERSION=(?<currentValue>v?\\S+)"
]
}
],
"packageRules": [
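Review bot: The new matchString `\\n\\s*VERSION=(?<currentValue>v?\\S+)` captures everything non-blank after `=`, so a quoted shell assignment such as `VERSION="v1.2.3"` produces a currentValue with the quotes attached and the github-releases lookup will most likely fail without updating anything. Allow an optional quote outside the capture and exclude it from the value: `"# renovate: datasource=(?<datasource>[a-z-]+) depName=(?<depName>[^\\s]+)\\n\\s*VERSION=\"?(?<currentValue>v?[^\"\\s]+)"`. The pattern also only matches a variable named exactly `VERSION` on the line directly after the comment; if that is the agreed convention, say so in the `//` comment, e.g. `// the assignment must be named VERSION and sit on the line after the comment`.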