Skip to content

Commit

Permalink
chore: introduce repository and project security scanning
Browse files Browse the repository at this point in the history
  • Loading branch information
@muhlba91
muhlba91 committed Oct 24, 2024
1 parent 098f699 commit 29c94a0
Show file tree
Hide file tree
Showing 7 changed files with 154 additions and 22 deletions.
42 changes: 42 additions & 0 deletions .github/workflows/codeql.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
---
name: CodeQL

on:
push:
branches:
- main
pull_request:
schedule:
- cron: "0 0 * * 1"

permissions:
contents: read

jobs:
analyze:
runs-on: ubuntu-latest
name: Analyze
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: ["python"]

steps:
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
with:
languages: ${{ matrix.language }}
- uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0

- uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
with:
category: "/language:${{matrix.language}}"
22 changes: 22 additions & 0 deletions .github/workflows/dependency_review.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
---
name: Dependency Review

on:
pull_request:

permissions:
contents: read

jobs:
dependency-review:
runs-on: ubuntu-latest
name: Dependency Review

steps:
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- uses: actions/dependency-review-action@a6993e2c61fd5dc440b409aa1d6904921c5e1894 # v4.3.5
6 changes: 5 additions & 1 deletion .github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,5 +22,9 @@ jobs:
pull-requests: write

steps:
- uses: google-github-actions/release-please-action@v4
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1
id: release
59 changes: 59 additions & 0 deletions .github/workflows/scorecard.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
---
name: Scorecard Security

on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:
# To guarantee Maintained check is occasionally updated. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
schedule:
- cron: '20 7 * * 2'
push:
branches:
- main
workflow_dispatch:

permissions: read-all

jobs:
analysis:
runs-on: ubuntu-latest
name: Scorecard Analysis
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Needed to publish results and get a badge (see publish_results below).
id-token: write
contents: read
actions: read
# To allow GraphQL ListCommits to work
issues: read
pull-requests: read
# To detect SAST tools
checks: read

steps:
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
with:
results_file: results.sarif
results_format: sarif
publish_results: true

- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: Scorecard Analysis
path: results.sarif
retention-days: 5

- uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
with:
sarif_file: results.sarif
33 changes: 17 additions & 16 deletions .github/workflows/verify.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,37 +18,35 @@ jobs:
poetry-version: [1.7.1]

steps:
- name: Checkout repository
uses: actions/checkout@v4
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
python-version: ${{ matrix.python-version }}
- name: Set up Poetry ${{ matrix.poetry-version }}
uses: abatilo/actions-poetry@v3
uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # v3.0.0
with:
poetry-version: ${{ matrix.poetry-version }}

- name: Install dependencies
run: |
python -m pip install --upgrade pip
- run: |
poetry install
- name: Lint files
run: |
- run: |
poetry check
poetry run ruff check .
- name: Run tests
run: |
- run: |
poetry run pytest
poetry run coverage xml
- name: Coveralls
uses: coverallsapp/github-action@v2
- uses: coverallsapp/github-action@4cdef0b2dbe0c9aa26bed48edb868db738625e79 # v2.3.3
with:
file: coverage.xml

Expand All @@ -57,12 +55,15 @@ jobs:
name: Validate HACS

steps:
- name: Checkout repository
uses: actions/checkout@v4
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

- name: HACS Validation
uses: hacs/action@main
uses: hacs/action@70694a570839431b5c69ff0eba599a213dc7a43b # main
with:
category: integration
13 changes: 8 additions & 5 deletions .pre-commit-config.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ repos:
rev: v0.1.6
hooks:
- id: ruff
args: [ --fix ]
args: [--fix]
- id: ruff-format
- repo: https://github.com/talos-systems/conform
rev: v0.1.0-alpha.27
Expand All @@ -15,15 +15,18 @@ repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
hooks:
- id: end-of-file-fixer
- id: trailing-whitespace
- id: check-json
- id: check-merge-conflict
- id: check-symlinks
- id: check-toml
- id: check-xml
- id: check-yaml
- id: detect-aws-credentials
args: [
"--allow-missing-credentials"
]
args: ["--allow-missing-credentials"]
- id: detect-private-key

- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.3
hooks:
- id: gitleaks
1 change: 1 addition & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
[![](https://img.shields.io/github/license/muhlba91/onyx-homeassistant-integration?style=for-the-badge)](LICENSE)
[![](https://img.shields.io/github/actions/workflow/status/muhlba91/onyx-homeassistant-integration/release.yml?style=for-the-badge)](https://github.com/muhlba91/onyx-homeassistant-integration/actions/workflows/release.yml)
[![](https://img.shields.io/coveralls/github/muhlba91/onyx-homeassistant-integration?style=for-the-badge)](https://github.com/muhlba91/onyx-homeassistant-integration/)
[![](https://api.scorecard.dev/projects/github.com/muhlba91/onyx-homeassistant-integration/badge?style=for-the-badge)](https://scorecard.dev/viewer/?uri=github.com/muhlba91/onyx-homeassistant-integration)
[![hacs_badge](https://img.shields.io/badge/HACS-Default-orange.svg?style=for-the-badge)](https://github.com/custom-components/hacs)
[![](https://img.shields.io/github/all-contributors/muhlba91/onyx-homeassistant-integration?color=ee8449&style=for-the-badge)](#contributors)
<a href="https://www.buymeacoffee.com/muhlba91" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/default-orange.png" alt="Buy Me A Coffee" height="28" width="150"></a>
Expand Down

0 comments on commit 29c94a0

Please sign in to comment.