Add Poutine SASL (#2213)

* Change Nix install action to verified Signed-off-by: Aiden Fox Ivey <aiden@aidenfoxivey.com> * Integrate poutine Signed-off-by: Aiden Fox Ivey <aiden@aidenfoxivey.com> --------- Signed-off-by: Aiden Fox Ivey <aiden@aidenfoxivey.com>
2025-10-04 00:02:01 -04:00 · 2025-07-29 11:03:31 -04:00 · 2025-07-29 11:03:31 -04:00 · 01de36c1ec
commit 01de36c1ec
parent 78e2389180
5 changed files with 43 additions and 18 deletions
--- a/.github/workflows/basic.yml
+++ b/.github/workflows/basic.yml
@ -161,10 +161,9 @@ jobs:
    name: Check that Nix flake has correct syntax and can build
    runs-on: ubuntu-latest
    steps:
+      - uses: DeterminateSystems/nix-installer-action@90bb610b90bf290cad97484ba341453bd1cbefea # v19
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
-      - name: Install Nix
-        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72
      - name: Check devShell
        run: nix develop --command echo 
      - name: Check flake syntax
--- a/.github/workflows/commit-to-main.yml
+++ b/.github/workflows/commit-to-main.yml
@ -17,7 +17,7 @@ jobs:
    secrets: inherit

  scorecard:
-    uses: ./.github/workflows/scorecard.yml
+    uses: ./.github/workflows/supplychain.yml
    secrets: inherit
    permissions:
      id-token: write
@ -35,4 +35,4 @@ jobs:
  call-sig-benchmarking:
    uses: ./.github/workflows/sig-bench.yml
    permissions:
-      contents: write
+      contents: write
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@ -25,7 +25,7 @@ jobs:

  scorecard:
    needs: basic-checks
-    uses: ./.github/workflows/scorecard.yml
+    uses: ./.github/workflows/supplychain.yml
    secrets: inherit
    permissions:
      id-token: write
--- a/.github/workflows/supplychain.yml
+++ b/.github/workflows/supplychain.yml
@ -25,15 +25,15 @@ jobs:

    steps:
      - name: "Checkout code"
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false

-      - name: "Run analysis"
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # pin@v2.4.0
+      - name: "Run ossf scorecard"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
-          results_file: results.sarif
          results_format: sarif
+          results_file: ossf_results.sarif
          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecard on a *private* repository
@ -49,16 +49,42 @@ jobs:
          #     of the value entered here.
          publish_results: true

+      - name: "Run poutine supply chain check"
+        uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2
+        with:
+          format: sarif
+          output: poutine_results.sarif
+          publish_results: true
+
+      - name: Configure as safe directory
+        run: git config --global --add safe.directory /__w/liboqs/liboqs
+
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # pin@v4
+      - name: "Upload poutine artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
-          name: SARIF file
-          path: results.sarif
+          name: Poutine Results SARIF
+          path: poutine_results.sarif
          retention-days: 28
-      # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # pin@v3
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload ossf artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
-          sarif_file: results.sarif
+          name: OSSF Results SARIF
+          path: ossf_results.sarif
+          retention-days: 28
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to poutine to code-scanning"
+        uses: github/codeql-action/upload-sarif@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3
+        with:
+          sarif_file: poutine_results.sarif
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to ossf to code-scanning"
+        uses: github/codeql-action/upload-sarif@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3
+        with:
+          sarif_file: ossf_results.sarif
--- a/.github/workflows/weekly.yml
+++ b/.github/workflows/weekly.yml
@ -12,7 +12,7 @@ jobs:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  scorecard:
-    uses: ./.github/workflows/scorecard.yml
+    uses: ./.github/workflows/supplychain.yml
    secrets: inherit
    permissions:
      id-token: write