Fix code scanning workflow (#2217)

Signed-off-by: Aiden Fox Ivey <aiden@aidenfoxivey.com>
Aiden Fox Ivey 2025-08-18 10:04:02 -04:00 committed by GitHub
parent ec23683647
commit 5f0a5f2b4e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 37 additions and 26 deletions


@ -28,5 +28,6 @@ jobs:
uses: ./.github/workflows/supplychain.yml uses: ./.github/workflows/supplychain.yml
secrets: inherit secrets: inherit
permissions: permissions:
contents: read
id-token: write id-token: write
security-events: write security-events: write
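Review bot: The new `contents: read` line carries no comment saying why it is needed here, and for a reusable-workflow call the caller's `permissions` block is the ceiling for every job in the called workflow, so a later tidy-up could drop it and silently break the callee's checkout (in the second file, `poutine_analysis` declares `contents: read` ahead of its `actions/checkout` step). I would put a short comment above the line: `# contents: read is needed by the called workflow's checkout step; callee jobs can only narrow, never widen, the caller's grant`. The enclosing job starts before this hunk, so I cannot see whether such a note already exists at the job level. Note also that `secrets: inherit` on this job passes every repository secret to the callee; presumably intentional, but worth confirming that the called workflow actually needs more than the token.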


@ -11,7 +11,42 @@ on:
jobs: jobs:
analysis:
poutine_analysis:
name: Poutine supply chain analysis
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
steps:
- name: "Checkout code"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: "Run poutine supply chain check"
uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2
with:
format: sarif
output: poutine_results.sarif
publish_results: true
- name: Configure as safe directory (Poutine)
run: git config --global --add safe.directory /__w/liboqs/liboqs
- name: "Upload poutine artifact"
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: Poutine Results SARIF
path: poutine_results.sarif
retention-days: 28
- name: "Upload poutine to code-scanning"
uses: github/codeql-action/upload-sarif@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3
with:
sarif_file: poutine_results.sarif
scorecard_analysis:
name: Scorecard analysis name: Scorecard analysis
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
@ -49,25 +84,6 @@ jobs:
# of the value entered here. # of the value entered here.
publish_results: true publish_results: true
- name: "Run poutine supply chain check"
uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2
with:
format: sarif
output: poutine_results.sarif
publish_results: true
- name: Configure as safe directory
run: git config --global --add safe.directory /__w/liboqs/liboqs
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload poutine artifact"
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: Poutine Results SARIF
path: poutine_results.sarif
retention-days: 28
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab. # format to the repository Actions tab.
- name: "Upload ossf artifact" - name: "Upload ossf artifact"
@ -77,12 +93,6 @@ jobs:
path: ossf_results.sarif path: ossf_results.sarif
retention-days: 28 retention-days: 28
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to poutine to code-scanning"
uses: github/codeql-action/upload-sarif@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3
with:
sarif_file: poutine_results.sarif
# Upload the results to GitHub's code scanning dashboard. # Upload the results to GitHub's code scanning dashboard.
- name: "Upload to ossf to code-scanning" - name: "Upload to ossf to code-scanning"
uses: github/codeql-action/upload-sarif@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3 uses: github/codeql-action/upload-sarif@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3