Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

chore: add new GH policy requirements #24

Merged
merged 4 commits into from
Oct 7, 2024
Merged

chore: add new GH policy requirements #24

merged 4 commits into from
Oct 7, 2024

Conversation

Luisfc68
Copy link
Collaborator

@Luisfc68 Luisfc68 commented Oct 2, 2024

What

  • Added dependabot config
  • Added dependency review action
  • Added scorecard action
  • Replace tags by commit hashes in actions
  • Replaced husky by pre commit
  • Added contributing and security files
  • Add GH action to run unit tests

Why

In order to be compliant with the organization's GH policy

Task

https://rsklabs.atlassian.net/browse/GBI-2136

Important

The BBP for this repo is not live yet, I think we should wait until it is to merge this PR

@Luisfc68 Luisfc68 merged commit de824d8 into main Oct 7, 2024
4 checks passed
diego-jeronymo
diego-jeronymo reviewed Oct 8, 2024
View reviewed changes
.github/workflows/ci.yml
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion:

uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # 4.2.0

.github/workflows/dependency-review.yml
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion:

uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # 4.2.0

.github/workflows/scorecard.yml

steps:
- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion:

uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # 4.2.0

.github/workflows/scorecard.yml
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest to use the updated version 2.4.0
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0

more details: https://github.com/ossf/scorecard-action/releases

.github/workflows/scorecard.yml
publish_results: true

- name: "Upload artifact"
uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest to use the last updated stable version 2.4.0
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
more details: https://github.com/actions/upload-artifact/releases

.github/workflows/scorecard.yml
retention-days: 5

- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest to use the last updated stable version 3.26.9
uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9

.github/workflows/slither.yml
jobs:
analyze:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion:

uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # 4.2.0

.github/workflows/slither.yml
id: slither
with:
sarif: results.sarif
fail-on: none
target: contracts/

- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@85b07cf1e13dd512be7c27c37a33c5864c252fcc # v2
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest to use the last updated stable version 3.26.9
uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@diego-jeronymo diego-jeronymo diego-jeronymo left review comments

@MaximStanciu8 MaximStanciu8 MaximStanciu8 approved these changes

@gsoares85 gsoares85 Awaiting requested review from gsoares85

@Dominikkq Dominikkq Awaiting requested review from Dominikkq

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Luisfc68 @MaximStanciu8 @diego-jeronymo