From 09231fe0c2513f9876e7f0f8b43326199546d5b7 Mon Sep 17 00:00:00 2001
From: Tyler Auerbeck
Date: Sat, 28 Jun 2025 01:28:03 -0400
Subject: [PATCH 1/2] ci: add link checking
Signed-off-by: Tyler Auerbeck
---
 .github/workflows/link-check.yml | 23 +++++++++++++++++++++++
 .lycheeignore | 2 ++
 2 files changed, 25 insertions(+)
 create mode 100644 .github/workflows/link-check.yml
 create mode 100644 .lycheeignore
diff --git a/.github/workflows/link-check.yml b/.github/workflows/link-check.yml
new file mode 100644
index 0000000..539bea5
--- /dev/null
+++ b/.github/workflows/link-check.yml
@@ -0,0 +1,23 @@
+name: link-checker
+on:
+ pull_request:
+
+permissions:
+ contents: read
+
+jobs:
+ link-check:
+ name: Check Links
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Check out code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Check links
+ uses: lycheeverse/lychee-action@82202e5e9c2f4ef1a55a3d02563e1cb6041e5332 #v2.4.1
+ with:
+ fail: true
+ lycheeVersion: v0.19.1
+ args: --verbose --no-progress './**/*.md'
+
+
diff --git a/.lycheeignore b/.lycheeignore
new file mode 100644
index 0000000..f545772
--- /dev/null
+++ b/.lycheeignore
@@ -0,0 +1,2 @@
+#x.com consistently returns a 400 error when run from github actions
+x.com/flatcar
From bd38ffa5276b12487021858b66383868b9012144 Mon Sep 17 00:00:00 2001
From: Tyler Auerbeck
Date: Sat, 28 Jun 2025 20:57:10 -0400
Subject: [PATCH 2/2] add ossf workflow
Signed-off-by: Tyler Auerbeck
---
 .github/workflows/scorecard-analysis.yml | 59 ++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 .github/workflows/scorecard-analysis.yml
diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
new file mode 100644
index 0000000..3baac66
--- /dev/null
+++ b/.github/workflows/scorecard-analysis.yml
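Review bot: The checkout step in link-check.yml leaves the token it cloned with in the checked-out repo's git config, because it does not set `persist-credentials: false` the way the scorecard workflow in this same series does; the link checker only reads markdown, so add `with:` and `persist-credentials: false` under the `actions/checkout` step. The version comment on the lychee pin is written `#v2.4.1` while the checkout pin uses `# v4.1.7`; keep the `# vX.Y.Z` form on both so the pins read the same and tooling that keys on that comment sees both. `actions/checkout` is also pinned at v4.1.7 here and at v4.2.2 in scorecard-analysis.yml — pick one commit for both files so they are bumped together. The file ends with two blank lines; a single newline at EOF is enough.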
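Review bot: The exclude entry `x.com/flatcar` is read by lychee as a regular expression (worth confirming for the v0.19.1 pinned in link-check.yml), so the unescaped `.` matches any character rather than a literal dot; `x\.com/flatcar` keeps the exclusion as narrow as the comment intends. The comment line would also read better with a space after the hash, `# x.com consistently returns a 400 error when run from github actions`.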
@@ -0,0 +1,59 @@
+name: Scorecard analysis workflow
+on:
+ push:
+ # Only the default branch is supported.
+ branches:
+ - main
+ schedule:
+ # Daily
+ - cron: '30 1 * * *'
+
+# based on https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml
+
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed for Code scanning upload
+ security-events: write
+ # Needed for GitHub OIDC token if publish_results is true
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # Scorecard team runs a weekly scan of public GitHub repos,
+ # see https://github.com/ossf/scorecard#public-data.
+ # Setting `publish_results: true` helps us scale by leveraging your workflow to
+ # extract the results instead of relying on our own infrastructure to run scans.
+ # And it's free for you!
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable
+ # uploads of run results in SARIF format to the repository Actions tab.
+ # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard (optional).
+ # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
+ with:
+ sarif_file: results.sarif
+
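Review bot: `runs-on: ubuntu-latest` diverges from the `ubuntu-22.04` used by link-check.yml in the first patch, and `actions/checkout` is pinned here at v4.2.2 against v4.1.7 there; since both workflows land in the same series, choose one runner label and one checkout commit so the pins are bumped together. The comment block above `publish_results: true` is copied from the upstream template in the Scorecard team's voice (`helps us scale`, `our own infrastructure`, `it's free for you!`), which reads oddly in this repo; rewrite it in the repo's voice, e.g. `# publish_results: true lets the Scorecard project collect this run's results instead of re-scanning the repo itself.` The top-level `permissions: read-all` with the two job-level write grants documented inline is the right shape; the `# Only the default branch is supported.` comment could add that `pull_request` is deliberately not a trigger, so a later edit does not add it.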