From eca0a6db17d3983c75e6895bf88d29892cea50b8 Mon Sep 17 00:00:00 2001 From: Anni Piragauta Date: Mon, 21 Oct 2024 08:55:15 -0500 Subject: [PATCH] feature: security policy scoreboard --- .github/workflows/dependabot.yml | 7 +++++ .github/workflows/scorecard.yml | 47 ++++++++++++++++++++++++++++++++ README.md | 2 ++ tests/unit/SatoshiBig.spec.ts | 1 - 4 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/dependabot.yml create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml new file mode 100644 index 00000000..52ded593 --- /dev/null +++ b/.github/workflows/dependabot.yml @@ -0,0 +1,7 @@ +version: 2 +updates: + # Maintain dependencies for GitHub Actions + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 00000000..262a7a04 --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,47 @@ +name: Scorecard supply-chain security +on: + branch_protection_rule: + schedule: + - cron: '33 2 * * 2' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/README.md b/README.md index 3a63382a..876ee4d1 100644 --- a/README.md +++ b/README.md @@ -62,3 +62,5 @@ To report a vulnerability, please use the [vulnerability reporting guideline](./ ## Adding your own wallet for pegin To know how to add your own wallet in the pegin page, visit [how to add new wallet, step by step](./WALLET.md) for details on how to do it. + +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/rsksmart/2wp-app/badge)](https://scorecard.dev/viewer/?uri=github.com/rsksmart/2wp-app) \ No newline at end of file diff --git a/tests/unit/SatoshiBig.spec.ts b/tests/unit/SatoshiBig.spec.ts index bb18a811..4b6f41c2 100644 --- a/tests/unit/SatoshiBig.spec.ts +++ b/tests/unit/SatoshiBig.spec.ts @@ -58,7 +58,6 @@ describe('SatoshiBig', () => { expect(sb1.toBTCString()).toEqual('0.00000000'); expect(sb1.toBTCStringNotZeroPadded()).toEqual('0'); }); - it('should return an instance of SatoshiBig from a WeiBig instance rounded up', () => { const weiToTest = new WeiBig('5301364444000000', 'wei'); const weiToTest2 = new WeiBig('8101341211956000', 'wei');