ci: address OSSF Scorecard warnings #243
Conversation
|
CLA Assistant Lite bot ✅ All required contributors have signed the F5 CLA for this PR. Thank you! |
alessfg
force-pushed
the
scorecard-tweaks
branch
3 times, most recently
from
d2f55a6
to
ba9e0b3
Compare
|
recheck |
* remediate the `Token-Permissions` warning/low score by moving the F5 CLA GH Action permissions around * remediate the `Pinned-Dependencies` warning/low score by using specific Docker image SHAs and adding Docker image updates to Dependabot * hopefully remediate the `Vulnerabilities` warning/low score by recreating `package-lock.json`
|
I have hereby read the F5 CLA and agree to its terms |
|
recheck |
alessfg
added
dependencies
| @@ -1,4 +1,4 @@ | |||
| FROM nginxinc/nginx-s3-gateway | |||
| FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4 | |||
There was a problem hiding this comment.
same comment. Also why is this one so long?
There was a problem hiding this comment.
The three examples here already pull the image from Docker Hub so including the latest available SHA should be ok?
| @@ -1,3 +1,3 @@ | |||
| FROM nginxinc/nginx-s3-gateway | |||
| FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4 | |||
There was a problem hiding this comment.
Same comment. This is meant to be built on top of a local tag for the base build. Also pinning this example to some version would probably make the example not a great user experience since you could be wondering why you're stuck on an old version if you haven't clocked the SHA
There was a problem hiding this comment.
See previous comment
There was a problem hiding this comment.
So this just presents a bit of a maintenance issue since we'll have to periodically update these to make sure they don't reference a super old version. Let's leave the SHAs in for now since these have not been tested in a while anyway. I'll add a note in some of the organizational changes we make later to remind folks to update.
There was a problem hiding this comment.
Dependabot should hopefully take care of Docker SHA updates! 😁
| @@ -1,4 +1,4 @@ | |||
| FROM nginxinc/nginx-s3-gateway | |||
| FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4 | |||
There was a problem hiding this comment.
Same comment. This is meant to be built on top of a local tag for the base build. Also pinning this example to some version would probably make the example not a great user experience since you could be wondering why you're stuck on an old version if you haven't clocked the SHA
There was a problem hiding this comment.
See previous comment
both the Scorecard and the S3 gateway build actions could use from both: * being able to run the workflow on demand * running the workflow once a week in case there's been no new builds/PRs in the last week
alessfg
changed the title
alessfg
changed the title
* remediate the `Token-Permissions` warning/low score by moving the F5 CLA GH Action permissions around * remediate the `Pinned-Dependencies` warning/low score by using specific Docker image SHAs and adding Docker image updates to Dependabot * hopefully remediate the `Vulnerabilities` warning/low score by recreating `package-lock.json` * ci: add `workflow_dispatch` and cron jobs to both the Scorecard and the S3 gateway build actions be able to run the workflow on demand and run the workflow at least once a week in case there's been no new builds/PRs in the last week
Proposed changes
This PR aims to:
Token-Permissionswarning/low score by moving the F5 CLA GH Action permissions around.Pinned-Dependencieswarning/low score by using specific Docker image SHAs and adding Docker image updates to Dependabot.Vulnerabilitieswarning/low score by recreatingpackage-lock.json.workflow_dispatchandcronbuilds to the OSSF Scorecard and S3 Gateway GitHub Actions in order to more proactively test changes (and to ensure that the pipelines run at minimum once a week).Checklist
Before creating a PR, run through this checklist and mark each as complete:
README.md).