ci(deps): bump @cyclonedx/cdxgen from 12.5.1 to 12.7.0 in /tools/github-workflow-tools in the node-workflow-tools group #274
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI Guardrails | |
| on: | |
| push: | |
| branches: | |
| - 'main' | |
| pull_request: | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| permissions: {} | |
| jobs: | |
| zizmor: | |
| name: Analyze (Zizmor) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write # Required to create code scanning alerts | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| disable-sudo-and-containers: false # needed for Zizmor's use of Docker | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| ghcr.io:443 | |
| github.com:443 | |
| pkg-containers.githubusercontent.com:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Run zizmor | |
| uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7 | |
| poutine: | |
| name: Analyze (Poutine) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write # Required to create code scanning alerts | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| disable-sudo-and-containers: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| release-assets.githubusercontent.com:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Load pinned tool versions | |
| id: versions | |
| run: | | |
| poutine="$(jq -r '.poutine' tools/github-workflow-tools/versions.json)" | |
| echo "poutine=${poutine}" >> "$GITHUB_OUTPUT" | |
| - name: Install poutine | |
| env: | |
| VERSION: ${{ steps.versions.outputs.poutine }} | |
| run: | | |
| curl -sSfL "https://github.com/boostsecurityio/poutine/releases/download/v${VERSION}/poutine_Linux_x86_64.tar.gz" \ | |
| | tar -xzf - -C /usr/local/bin poutine | |
| - name: Generate poutine SARIF | |
| run: | | |
| # poutine emits an all-zero GUID that fails GitHub's UUID validation; | |
| # replace it with a valid RFC-4122 nil-equivalent. | |
| poutine analyze_local "${GITHUB_WORKSPACE}" -f sarif \ | |
| | jq '(.runs[].tool.driver.supportedTaxonomies[] | select(.guid == "00000000-0000-0000-0000-000000000000")).guid = "00000000-0000-1000-8000-000000000000"' \ | |
| > poutine_results.sarif | |
| - name: Upload poutine SARIF file | |
| uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 | |
| with: | |
| sarif_file: poutine_results.sarif | |
| trufflehog: | |
| name: Analyze (TruffleHog) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| disable-sudo-and-containers: false # needed for TruffleHog's use of Docker | |
| egress-policy: block | |
| allowed-endpoints: > | |
| ghcr.io:443 | |
| github.com:443 | |
| pkg-containers.githubusercontent.com:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Load pinned tool versions | |
| id: versions | |
| run: | | |
| trufflehog="$(jq -r '.trufflehog' tools/github-workflow-tools/versions.json)" | |
| echo "trufflehog=${trufflehog}" >> "$GITHUB_OUTPUT" | |
| - name: Run TruffleHog | |
| uses: trufflesecurity/trufflehog@f446421baf832d6356c42c1743d99abff52ff334 # v3.95.7 | |
| with: | |
| extra_args: --results=verified,unknown | |
| version: ${{ steps.versions.outputs.trufflehog }} | |
| pom-consistency: | |
| name: Analyze (POM Consistency) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| disable-sudo-and-containers: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| raw.githubusercontent.com:443 | |
| api.github.com:443 | |
| files.pythonhosted.org:443 | |
| github.com:443 | |
| pypi.org:443 | |
| release-assets.githubusercontent.com:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Set up uv | |
| uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 | |
| - name: Check plugin version consistency | |
| run: uv run --project tools/github-workflow-tools --group python-common python3 .github/scripts/check-pom-consistency.py | |
| hook-coverage: | |
| name: Validate Hook Coverage Mapping | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| disable-sudo-and-containers: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| github.com:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Validate hook coverage mapping | |
| run: python3 .github/scripts/check-hook-coverage.py | |
| hook-revisions-frozen: | |
| name: Validate Hook Revisions Are Frozen | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| disable-sudo-and-containers: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| github.com:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Validate hook revisions are frozen | |
| run: python3 .github/scripts/check-hook-revisions-frozen.py |