Release 0.33.0 (2023-07-20)

### Features

* Install python libclang 15 in build-debian
* Add OSSF Scorecard GitHub Action

Bug: N/A
Change-Id: I9f5016502175d8d9d00b67637ddec55150ad01e5
GitOrigin-RevId: d90e28c42355570915e6043cc0decf6ec2454913

.github/workflows/scorecard.yaml

@@ -0,0 +1,86 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Workflow for the OSSF Scorecards Action
+# https://github.com/ossf/scorecard-action#installation
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '35 10 * * 4'
+  push:
+    branches:
+    - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: Upload artifact
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        with:
+          sarif_file: results.sarif

CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All notable changes to this project will be documented in this file. See [commit-and-tag-version](https://github.com/absolute-version/commit-and-tag-version) for commit guidelines.
 
+## 0.33.0 (2023-07-20)
+
+
+### Features
+
+* Install python libclang 15 in build-debian
+* Add OSSF Scorecard GitHub Action
+
 ## 0.32.0 (2023-07-14)
 
 

images/build-debian/install_apps

@@ -5,6 +5,7 @@ set -o errexit
 
 declare -i VERBOSE=0
 declare INSTALL_LOCALE=en_US.UTF-8
+declare -r -i CLANG_VER=15
 
 usage() {
   local exitval=${1-1}
@@ -51,6 +52,7 @@ function install_python() {
   rm -f /tmp/get-pip.py
   /usr/bin/python3.9 -m pip --version
   /usr/bin/python3.9 -m pip install \
+    "libclang~=${CLANG_VER}.0" \
     "numpy~=1.25"
 }
 
@@ -84,14 +86,13 @@ function install_misc() {
 }
 
 function install_clang() {
-  declare -r -i clang_ver=15
   curl --silent --fail --show-error --location --remote-name https://apt.llvm.org/llvm.sh
   chmod +x llvm.sh
-  ./llvm.sh ${clang_ver}
-  apt-get --quiet install -y --no-install-recommends libc++-${clang_ver}-dev
-  update-alternatives --install /usr/bin/clang clang /usr/bin/clang-${clang_ver} 100
-  update-alternatives --install /usr/bin/llvm-cov llvm-cov /usr/bin/llvm-cov-${clang_ver} 100
-  update-alternatives --install /usr/bin/llvm-profdata llvm-profdata /usr/bin/llvm-profdata-${clang_ver} 100
+  ./llvm.sh ${CLANG_VER}
+  apt-get --quiet install -y --no-install-recommends libc++-${CLANG_VER}-dev
+  update-alternatives --install /usr/bin/clang clang /usr/bin/clang-${CLANG_VER} 100
+  update-alternatives --install /usr/bin/llvm-cov llvm-cov /usr/bin/llvm-cov-${CLANG_VER} 100
+  update-alternatives --install /usr/bin/llvm-profdata llvm-profdata /usr/bin/llvm-profdata-${CLANG_VER} 100
   rm -f llvm.sh
 
   clang --version

tests/data/hashes/build-debian

@@ -1 +1 @@
-826258b167a0563a96e3b7d25299f85fffc2d4d0e566b776d8916c1b6d9af3cf
+1d55bc50804233ccec6b9403d815fe2a100f58cf7d45ed6a357a7792db92056c

version.txt

@@ -1 +1 @@
-0.32.0
+0.33.0