From 14fb8c26627b321154034ea2be7e67e988c48681 Mon Sep 17 00:00:00 2001 From: Emre Can Vural Date: Mon, 3 Feb 2025 14:16:26 +0300 Subject: [PATCH 1/3] Add security-gates workflow and update README --- .github/workflows/security-gates.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/security-gates.yml diff --git a/.github/workflows/security-gates.yml b/.github/workflows/security-gates.yml new file mode 100644 index 0000000..69c3aad --- /dev/null +++ b/.github/workflows/security-gates.yml @@ -0,0 +1,21 @@ +name: Security Gates + +on: + push: + branches: [main, master] + pull_request: + branches: [main, master] + +jobs: + validate: + runs-on: ubuntu-latest + steps: + - name: Validate Workflow + run: echo "Validation successful" + + security-gates: + uses: Trendyol/security-actions/.github/workflows/security-gates.yml@master + permissions: + actions: read + contents: read + security-events: write From 341ce71f0a4ae390b34b6a0a14bb18026f0a08fc Mon Sep 17 00:00:00 2001 From: Emre Can Vural Date: Mon, 3 Feb 2025 14:16:27 +0300 Subject: [PATCH 2/3] Add security-gates workflow and update README --- .github/workflows/scorecard.yml | 64 +++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..4628d7f --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,64 @@ + +name: Scorecard supply-chain security + +on: + branch_protection_rule: + schedule: + - cron: '29 23 * * 3' + push: + branches: [ "main", "master"] + pull_request: + branches: ["main", "master"] + +permissions: read-all + +jobs: + visibility-check: + # Bu job, deponun public/private olduğunu belirler + outputs: + visibility: ${{ steps.drv.outputs.visibility }} + runs-on: ubuntu-latest + steps: + - name: Determine repository visibility + id: drv + run: | + visibility=$(gh api /repos/$GITHUB_REPOSITORY --jq '.visibility') + echo "visibility=$visibility" >> $GITHUB_OUTPUT + env: + GH_TOKEN: ${{ github.token }} + + analysis: + if: ${{ needs.visibility-check.outputs.visibility == 'public' }} + needs: visibility-check + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: "Upload artifact" + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 + with: + sarif_file: results.sarif + + From 032d8f52044d5bc9bd602bdd616dbd65bda2de92 Mon Sep 17 00:00:00 2001 From: Emre Can Vural Date: Mon, 3 Feb 2025 14:16:28 +0300 Subject: [PATCH 3/3] Add security-gates workflow and update README --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 894a86b..f99b380 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ + +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/Trendyol/android-ui-components/badge)](https://scorecard.dev/viewer/?uri=github.com/Trendyol/android-ui-components) UI Components for Android by Trendyol Android team.