Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

setup OSSF Scorecard workflow #1432

Merged
merged 1 commit into from
Nov 25, 2024
Merged

setup OSSF Scorecard workflow #1432

merged 1 commit into from
Nov 25, 2024

Conversation

mmorel-35
Copy link
Contributor

@mmorel-35 mmorel-35 commented Jan 12, 2024

Also pin github-actions versions

OpenSSF Scorecard

Signed-off-by: Matthieu MOREL [email protected]

@ArthurSens
Copy link
Member

Hey 👋 -- thanks for the contribution.

Could you provide details about the OSSF scorecard and why we want to maintain it? Please assume I have no knowledge about what it is 😬

@mmorel-35
Copy link
Contributor Author

Ossf is open source security foundation. The workflow is here to create a report that will help maintainers reduce security risk on their project with advices. See the badge I added in the description.

@ArthurSens
Copy link
Member

I was taking a look at the report provided by the badge, I'm not sure I understood why we got 0 with Token-Permissions.

I don't guarantee that all permissions were configured following the least-privilege principle, but I'm pretty sure most of them are needed. Do we need to configure exceptions somewhere?

@ArthurSens
Copy link
Member

This PR is also making changes to Dockerfile, which doesn't seem related to the OSSF scorecard, could we split it into a separate PR? It could make the merge process faster, at least for the Dockerfile changes

@mmorel-35
Copy link
Contributor Author

mmorel-35 commented Jan 24, 2024

It is related as ossf ask for dependencies to use pinned version for docker as for github-actions.
Please have a look here https://securityscorecards.dev/viewer/?uri=github.com/prometheus/client_golang

I’m fine seing this in a following pr

@ArthurSens
Copy link
Member

ArthurSens commented Jan 25, 2024

It is related as ossf ask for dependencies to use pinned version for docker as for github-actions. Please have a look here https://securityscorecards.dev/viewer/?uri=github.com/prometheus/client_golang

I’m fine seing this in a following pr

Yeah, I imagine that would be the reason :P I just meant that the changes for the Dockerfile we could merge without problems already, so opening a separate PR would unblock this

For the OSSF scorecard, I'm still struggling to understand why we got a 0 score for github actions that need those permissions to run. I couldn't find ways to add exceptions for those checks 🤔

@kakkoyun
Copy link
Member

For the OSSF scorecard, I'm still struggling to understand why we got a 0 score for github actions that need those permissions to run. I couldn't find ways to add exceptions for those checks 🤔

@mmorel-35 Are there any quick wins that we could fix before putting this to the README?

@mmorel-35
Copy link
Contributor Author

Maybe change permissions on the workflows?

Signed-off-by: Matthieu MOREL <[email protected]>
@kakkoyun kakkoyun merged commit f53c5ca into prometheus:main Nov 25, 2024
10 checks passed
@mmorel-35 mmorel-35 deleted the ossf branch November 25, 2024 12:03
@mmorel-35
Copy link
Contributor Author

mmorel-35 commented Nov 25, 2024

@kakkoyun ,
can you trigger an update on github actions dependencies (https://github.com/prometheus/client_golang/network/updates) ?

When I updated them on my fork things got better : mmorel-35#58

amberpixels pushed a commit to amberpixels/prometheus_client_golang that referenced this pull request Nov 29, 2024
Signed-off-by: Matthieu MOREL <[email protected]>
Signed-off-by: Eugene <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants