diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..faeeeb0
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,42 @@
+---
+name: CodeQL
+
+on:
+push:
+branches:
+- main
+pull_request:
+schedule:
+- cron: "0 0 * * 1"
+
+permissions:
+contents: read
+
+jobs:
+analyze:
+runs-on: ubuntu-latest
+name: Analyze
+permissions:
+actions: read
+contents: read
+security-events: write
+strategy:
+fail-fast: false
+matrix:
+language: ["python"]
+
+steps:
+- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+- uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+with:
+languages: ${{ matrix.language }}
+- uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+
+- uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+with:
+category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml
new file mode 100644
index 0000000..8d7f65a
--- /dev/null
+++ b/.github/workflows/dependency_review.yml
@@ -0,0 +1,22 @@
+---
+name: Dependency Review
+
+on:
+pull_request:
+
+permissions:
+contents: read
+
+jobs:
+dependency-review:
+runs-on: ubuntu-latest
+name: Dependency Review
+
+steps:
+- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+- uses: actions/dependency-review-action@a6993e2c61fd5dc440b409aa1d6904921c5e1894 # v4.3.5
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1a2a713..0f09265 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
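Review bot: `egress-policy: audit` on the harden-runner step only records outbound connections, it does not block them, so this job's network is still unrestricted; the same setting is used in dependency_review.yml, release.yml, scorecard.yml and verify.yml. After an audit run has shown which hosts the jobs need, move to `egress-policy: block` with an explicit `allowed-endpoints:` list so an unexpected destination fails the job instead of being logged. Separately, `category: "/language:${{matrix.language}}"` drops the spaces inside the expression that `languages: ${{ matrix.language }}` uses a few lines above; write `category: "/language:${{ matrix.language }}"` for consistency.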
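Review bot: The checkout step in dependency_review.yml runs with the default `persist-credentials: true`, which leaves the job's `GITHUB_TOKEN` in the checkout's `.git/config` for the remaining steps, although nothing visible in this job pushes or fetches over git afterwards; add `with:` / `persist-credentials: false` to it, as scorecard.yml already does for its checkout. The checkouts in codeql.yml and in the two verify.yml jobs appear to have the same gap.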
@@ -22,5 +22,9 @@ jobs: pull-requests: write steps: - - uses: google-github-actions/release-please-action@v4 + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1 id: release diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..a322859 --- /dev/null +++ b/.github/workflows/scorecard.yml 
@@ -0,0 +1,59 @@
+---
+name: Scorecard Security
+
+on:
+# For Branch-Protection check. Only the default branch is supported. See
+# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+branch_protection_rule:
+# To guarantee Maintained check is occasionally updated. See
+# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+schedule:
+- cron: '20 7 * * 2'
+push:
+branches:
+- main
+workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+analysis:
+runs-on: ubuntu-latest
+name: Scorecard Analysis
+permissions:
+# Needed to upload the results to code-scanning dashboard.
+security-events: write
+# Needed to publish results and get a badge (see publish_results below).
+id-token: write
+contents: read
+actions: read
+# To allow GraphQL ListCommits to work
+issues: read
+pull-requests: read
+# To detect SAST tools
+checks: read
+
+steps:
+- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+with:
+persist-credentials: false
+
+- uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+with:
+results_file: results.sarif
+results_format: sarif
+publish_results: true
+
+- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+with:
+name: Scorecard Analysis
+path: results.sarif
+retention-days: 5
+
+- uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+with:
+sarif_file: results.sarif
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index a5f1b7a..fdc9f3f 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
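Review bot: The cron string `'20 7 * * 2'` is single-quoted while the equivalent schedule in codeql.yml uses double quotes (`"0 0 * * 1"`); settle on one quoting style across the new workflows. The artifact `name: Scorecard Analysis` repeats the job's display name and contains a space; a slug such as `scorecard-sarif` is easier to reference from the artifacts API and from other tooling.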
@@ -18,37 +18,35 @@ jobs: poetry-version: [1.7.1] steps: - - name: Checkout repository - uses: actions/checkout@v4 + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: ${{ matrix.python-version }} - name: Set up Poetry ${{ matrix.poetry-version }} - uses: abatilo/actions-poetry@v3 + uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # v3.0.0 with: poetry-version: ${{ matrix.poetry-version }} - - name: Install dependencies - run: | - python -m pip install --upgrade pip + - run: | poetry install - - name: Lint files - run: | + - run: | poetry check poetry run ruff check . - - name: Run tests - run: | + - run: | poetry run pytest poetry run coverage xml - - name: Coveralls - uses: coverallsapp/github-action@v2 + - uses: coverallsapp/github-action@4cdef0b2dbe0c9aa26bed48edb868db738625e79 # v2.3.3 with: file: coverage.xml @@ -57,12 +55,15 @@ jobs: name: Validate HACS steps: - - name: Checkout repository - uses: actions/checkout@v4 + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - name: HACS Validation - uses: hacs/action@main + uses: hacs/action@70694a570839431b5c69ff0eba599a213dc7a43b # main with: category: integration diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d0c748c..4158fe6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
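Review bot: The rewritten install, lint and test steps lose their `name:` labels (`- run: | poetry install` and the two steps that follow), so the Actions log and the branch-protection status UI now show them only as truncated `Run poetry install…` entries; keep the labels, e.g. `- name: Install dependencies` above `run: |`. The `python -m pip install --upgrade pip` line is also dropped; that is reasonable for a Poetry-driven install, but it is a behavioural change unrelated to pinning and deserves a mention in the commit message. The job's matrix starts above the hunk; if its python-version entries include values like 3.10 they need quoting, which cannot be checked from here.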
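Review bot: `hacs/action@70694a570839431b5c69ff0eba599a213dc7a43b # main` pins a SHA but labels it with a moving branch name, so neither a reader nor Dependabot/Renovate (which use that trailing comment when proposing updates) can tell which version the SHA corresponds to. Replace the comment with the tag this SHA resolves to if hacs/action publishes release tags; otherwise record the pin date, e.g. `# main @ <YYYY-MM-DD>` with the real date filled in. The enclosing job starts above the hunk.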
@@ -4,7 +4,7 @@ repos: rev: v0.1.6 hooks: - id: ruff - args: [ --fix ] + args: [--fix] - id: ruff-format - repo: https://github.com/talos-systems/conform rev: v0.1.0-alpha.27 @@ -15,6 +15,8 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.5.0 hooks: + - id: end-of-file-fixer + - id: trailing-whitespace - id: check-json - id: check-merge-conflict - id: check-symlinks @@ -22,8 +24,9 @@ repos: - id: check-xml - id: check-yaml - id: detect-aws-credentials - args: [ - "--allow-missing-credentials" - ] + args: ["--allow-missing-credentials"] - id: detect-private-key - + - repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks diff --git a/README.md b/README.md index 75f240b..db5efc7 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,7 @@ [![](https://img.shields.io/github/license/muhlba91/onyx-homeassistant-integration?style=for-the-badge)](LICENSE) [![](https://img.shields.io/github/actions/workflow/status/muhlba91/onyx-homeassistant-integration/release.yml?style=for-the-badge)](https://github.com/muhlba91/onyx-homeassistant-integration/actions/workflows/release.yml) [![](https://img.shields.io/coveralls/github/muhlba91/onyx-homeassistant-integration?style=for-the-badge)](https://github.com/muhlba91/onyx-homeassistant-integration/) +[![](https://api.scorecard.dev/projects/github.com/muhlba91/onyx-homeassistant-integration/badge?style=for-the-badge)](https://scorecard.dev/viewer/?uri=github.com/muhlba91/onyx-homeassistant-integration) [![hacs_badge](https://img.shields.io/badge/HACS-Default-orange.svg?style=for-the-badge)](https://github.com/custom-components/hacs) [![](https://img.shields.io/github/all-contributors/muhlba91/onyx-homeassistant-integration?color=ee8449&style=for-the-badge)](#contributors) Buy Me A Coffee
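Review bot: The new gitleaks hook is pinned with `rev: v8.16.3`, a tag, whereas every action in this commit moved to a commit SHA; tags are mutable, and pre-commit also accepts a full SHA in `rev:` (`rev: <commit-sha>  # v8.16.3`) if the same immutability is wanted here. v8.16.3 also appears well behind the gitleaks releases current at the time of the pinned action versions (which look like late 2024), so check for a newer tag before adopting it. gitleaks' default ruleset largely overlaps the `detect-aws-credentials` and `detect-private-key` hooks kept just above; running all three is harmless, but a one-line comment noting the intentional overlap would save the next reader the question.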