Skip to content

Commit

Permalink
GH-Actions: adding security actions and scorecard (kokkos#2192)
Browse files Browse the repository at this point in the history 
Pretty much taking the new files from PR kokkos#2191 and re-creating
it in a clean PR on top of develop with small changes relevant
to our repository.

Cleaning up some workflows to tailor it for our needs
  • Loading branch information
@lucbv
lucbv authored May 2, 2024
1 parent 88ae8f1 commit 2454f8d
Show file tree
Hide file tree
Showing 4 changed files with 219 additions and 0 deletions.
11 changes: 11 additions & 0 deletions .github/dependabot.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly

- package-ecosystem: pip
directory: /docs
schedule:
interval: weekly
105 changes: 105 additions & 0 deletions .github/workflows/codeql.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"

on:
push:
branches: ["master", "develop", "release-*"]
pull_request:
# The branches below must be a subset of the branches above
branches: ["develop"]
schedule:
- cron: "0 8 * * 0"

permissions: read-all

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit

- name: checkout_kokkos_kernels
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
path: kokkos-kernels

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3
with:
languages: c-cpp
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.

- name: checkout_kokkos
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
repository: 'kokkos/kokkos'
path: 'kokkos'
ref: '4.3.00'

- name: configure_kokkos
run: |
mkdir -p kokkos/{build,install}
cd kokkos/build
cmake -S ${{github.workspace}}/kokkos \
-B ${{github.workspace}}/kokkos/build \
-D Kokkos_ENABLE_SERIAL=ON \
-D CMAKE_CXX_FLAGS="-Werror" \
-D CMAKE_CXX_STANDARD=17 \
-D Kokkos_ENABLE_COMPILER_WARNINGS=ON \
-D Kokkos_ENABLE_TESTS=OFF \
-D Kokkos_ENABLE_DEPRECATED_CODE_4=OFF \
-D CMAKE_BUILD_TYPE=RELEASE \
-D CMAKE_INSTALL_PREFIX=${{github.workspace}}/kokkos/install
- name: build_and_install_kokkos
working-directory: kokkos/build
run: make -j2 install

- name: configure_kokkos_kernels
run: |
mkdir -p kokkos-kernels/{build,install}
cd kokkos-kernels/build
cmake \
-S ${{github.workspace}}/kokkos-kernels \
-DKokkos_ROOT=${{github.workspace}}/kokkos/install \
-DCMAKE_BUILD_TYPE=RELEASE \
-DCMAKE_CXX_FLAGS="-Wall -Wshadow -pedantic -Werror -Wsign-compare -Wtype-limits -Wignored-qualifiers -Wempty-body -Wuninitialized" \
-DCMAKE_INSTALL_PREFIX=${{github.workspace}}/kokkos-kernels/install \
-DKokkosKernels_ENABLE_TESTS=ON \
-DKokkosKernels_ENABLE_EXAMPLES:BOOL=ON \
-DKokkosKernels_INST_DOUBLE=ON \
-DKokkosKernels_INST_LAYOUTLEFT:BOOL=ON \
-DKokkosKernels_INST_LAYOUTRIGHT:BOOL=OFF \
-DKokkosKernels_INST_OFFSET_INT=ON \
-DKokkosKernels_INST_OFFSET_SIZE_T=OFF
- name: build_kokkos_kernels
working-directory: kokkos-kernels/build
run: make -j2

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3
with:
category: "/language:c-cpp"
27 changes: 27 additions & 0 deletions .github/workflows/dependency-review.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request,
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
# Once installed, if the workflow run is marked as required,
# PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
name: 'Dependency Review'
on: [pull_request]

permissions:
contents: read

jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit

- name: 'Checkout Repository'
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: 'Dependency Review'
uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
76 changes: 76 additions & 0 deletions .github/workflows/scorecards.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.

name: Scorecard supply-chain security
on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:
# To guarantee Maintained check is occasionally updated. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
schedule:
- cron: '0 8 * * 0'
push:
branches: ["develop"]

# Declare default permissions as read only.
permissions: read-all

jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Needed to publish results and get a badge (see publish_results below).
id-token: write
contents: read
actions: read

steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit

- name: "Checkout code"
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
with:
results_file: results.sarif
results_format: sarif
# (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
# - you want to enable the Branch-Protection check on a *public* repository, or
# - you are installing Scorecards on a *private* repository
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
# repo_token: ${{ secrets.SCORECARD_TOKEN }}

# Public repositories:
# - Publish results to OpenSSF REST API for easy access by consumers
# - Allows the repository to include the Scorecard badge.
# - See https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories:
# - `publish_results` will always be set to `false`, regardless
# of the value entered here.
publish_results: true

# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3
with:
sarif_file: results.sarif

0 comments on commit 2454f8d

Please sign in to comment.