diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
new file mode 100644
index 0000000..dbcb620
--- /dev/null
+++ b/.github/workflows/scorecard.yaml
@@ -0,0 +1,86 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Workflow for the OSSF Scorecards Action
+# https://github.com/ossf/scorecard-action#installation
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '35 10 * * 4'
+ push:
+ branches:
+ - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ with:
+ persist-credentials: false
+
+ - name: Run analysis
+ uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecard on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: Upload artifact
+ uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: Upload to code-scanning
+ uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+ with:
+ sarif_file: results.sarif
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8fd5aed..9d67d88 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,14 @@ All notable changes to this project will be documented in this file. See [commit-and-tag-version](https://github.com/absolute-version/commit-and-tag-version) for commit guidelines.
+## 0.33.0 (2023-07-20)
+
+
+### Features
+
+* Install python libclang 15 in build-debian
+* Add OSSF Scorecard GitHub Action
+
 ## 0.32.0 (2023-07-14)
diff --git a/images/build-debian/install_apps b/images/build-debian/install_apps
index 144e3e4..3313010 100755
--- a/images/build-debian/install_apps
+++ b/images/build-debian/install_apps
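Review bot: Every `uses:` in the analysis job is pinned to a full commit SHA with a trailing version comment, which is what Scorecard's own Pinned-Dependencies check rewards, but nothing in this commit keeps those pins moving, so unless the repository already has a Dependabot or Renovate configuration covering the `github-actions` ecosystem the four pins will quietly fall behind upstream fixes. If no such configuration exists, a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` is the usual companion to SHA pinning; keep the `# vX.Y.Z` comments, since those tools update them alongside the hash. Separately, the top-level `on:` key is a YAML 1.1 boolean, so if yamllint runs in this repository it will flag the key under its `truthy` rule; `on:  # yamllint disable-line rule:truthy` silences that without changing what GitHub reads. The `permissions: read-all` default with job-scoped `security-events: write` and `id-token: write`, plus `persist-credentials: false` on checkout, is the right least-privilege shape and needs no change.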
@@ -5,6 +5,7 @@ set -o errexit declare -i VERBOSE=0 declare INSTALL_LOCALE=en_US.UTF-8 +declare -r -i CLANG_VER=15 usage() { local exitval=${1-1} @@ -51,6 +52,7 @@ function install_python() { rm -f /tmp/get-pip.py /usr/bin/python3.9 -m pip --version /usr/bin/python3.9 -m pip install \ + "libclang~=${CLANG_VER}.0" \ "numpy~=1.25" } @@ -84,14 +86,13 @@ function install_misc() { } function install_clang() { - declare -r -i clang_ver=15 curl --silent --fail --show-error --location --remote-name https://apt.llvm.org/llvm.sh chmod +x llvm.sh - ./llvm.sh ${clang_ver} - apt-get --quiet install -y --no-install-recommends libc++-${clang_ver}-dev - update-alternatives --install /usr/bin/clang clang /usr/bin/clang-${clang_ver} 100 - update-alternatives --install /usr/bin/llvm-cov llvm-cov /usr/bin/llvm-cov-${clang_ver} 100 - update-alternatives --install /usr/bin/llvm-profdata llvm-profdata /usr/bin/llvm-profdata-${clang_ver} 100 + ./llvm.sh ${CLANG_VER} + apt-get --quiet install -y --no-install-recommends libc++-${CLANG_VER}-dev + update-alternatives --install /usr/bin/clang clang /usr/bin/clang-${CLANG_VER} 100 + update-alternatives --install /usr/bin/llvm-cov llvm-cov /usr/bin/llvm-cov-${CLANG_VER} 100 + update-alternatives --install /usr/bin/llvm-profdata llvm-profdata /usr/bin/llvm-profdata-${CLANG_VER} 100 rm -f llvm.sh clang --version diff --git a/tests/data/hashes/build-debian b/tests/data/hashes/build-debian index 3f66372..f0b26b9 100644 --- a/tests/data/hashes/build-debian +++ b/tests/data/hashes/build-debian @@ -1 +1 @@ -826258b167a0563a96e3b7d25299f85fffc2d4d0e566b776d8916c1b6d9af3cf +1d55bc50804233ccec6b9403d815fe2a100f58cf7d45ed6a357a7792db92056c diff --git a/version.txt b/version.txt index 8a0d6d4..7d07a19 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -0.32.0 \ No newline at end of file +0.33.0 \ No newline at end of file
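Review bot: The new `"libclang~=${CLANG_VER}.0"` line in install_python ties the Python libclang wheel to the apt clang major that install_clang installs later, but nothing at that call site says so; a comment such as `# Python bindings must match the clang major installed by install_clang (CLANG_VER)` above the pip install would make the coupling explicit for whoever next bumps `CLANG_VER`. With `~=` the wheel floats across 15.x releases and pip performs no hash verification, which matches the existing `"numpy~=1.25"` line; if reproducible image builds matter here, a `--require-hashes` constraints file would pin both. Hoisting the constant to a file-level `declare -r -i CLANG_VER=15` is fine since `-i` keeps the unquoted `./llvm.sh ${CLANG_VER}` expansion a single word, though quoting it as `"${CLANG_VER}"` would match the quoting style of the pip line in the same commit. The bodies of install_python and install_clang continue outside these hunks.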