Skip to content

Commit 4d7e7a4

Browse files
committed
Fix all scorecard issue we see in Code Scanning
Signed-off-by: Erick Bourgeois <erick@jeb.ca>
1 parent 27c4df4 commit 4d7e7a4

4 files changed

Lines changed: 109 additions & 13 deletions

File tree

.github/actions/extract-version/action.yml

Lines changed: 18 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -50,20 +50,28 @@ runs:
5050
- name: Extract version information
5151
id: extract
5252
shell: bash
53+
env:
54+
GH_SHA: ${{ github.sha }}
55+
GH_RUN_NUMBER: ${{ github.run_number }}
56+
IN_REPOSITORY: ${{ inputs.repository }}
57+
IN_WORKFLOW_TYPE: ${{ inputs.workflow-type }}
58+
IN_PR_NUMBER: ${{ inputs.pr-number }}
59+
IN_RELEASE_TAG: ${{ inputs.release-tag }}
60+
IN_IMAGE_TAG_SUFFIX: ${{ inputs.image-tag-suffix }}
5361
run: |
5462
# Extract short SHA (first 7 characters)
55-
SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
63+
SHORT_SHA="${GH_SHA:0:7}"
5664
echo "short-sha=${SHORT_SHA}" >> $GITHUB_OUTPUT
5765
58-
IMAGE_REPOSITORY="${{ inputs.repository }}"
59-
IMAGE_TAG_SUFFIX="${{ inputs.image-tag-suffix }}"
66+
IMAGE_REPOSITORY="${IN_REPOSITORY}"
67+
IMAGE_TAG_SUFFIX="${IN_IMAGE_TAG_SUFFIX}"
6068
echo "image-repository=${IMAGE_REPOSITORY}" >> $GITHUB_OUTPUT
6169
62-
case "${{ inputs.workflow-type }}" in
70+
case "${IN_WORKFLOW_TYPE}" in
6371
release)
6472
# Release workflow: extract from release tag
6573
# Tag format: v0.2.0 (no date)
66-
TAG_NAME="${{ inputs.release-tag }}"
74+
TAG_NAME="${IN_RELEASE_TAG}"
6775
VERSION="${TAG_NAME#v}"
6876
IMAGE_TAG="${TAG_NAME}${IMAGE_TAG_SUFFIX}"
6977
echo "version=${VERSION}" >> $GITHUB_OUTPUT
@@ -75,9 +83,9 @@ runs:
7583
pr)
7684
# PR workflow: use pr-NUMBER format
7785
# Tag format: pr-42
78-
VERSION="pr-${{ inputs.pr-number }}"
79-
TAG_NAME="pr-${{ inputs.pr-number }}"
80-
IMAGE_TAG="pr-${{ inputs.pr-number }}${IMAGE_TAG_SUFFIX}"
86+
VERSION="pr-${IN_PR_NUMBER}"
87+
TAG_NAME="pr-${IN_PR_NUMBER}"
88+
IMAGE_TAG="pr-${IN_PR_NUMBER}${IMAGE_TAG_SUFFIX}"
8189
echo "version=${VERSION}" >> $GITHUB_OUTPUT
8290
echo "tag-name=${TAG_NAME}" >> $GITHUB_OUTPUT
8391
echo "image-tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT
@@ -88,7 +96,7 @@ runs:
8896
# Main branch: use main-YYYY-MM-DD format
8997
# Tag format: main-2025-12-17
9098
DATE=$(date +%Y-%m-%d)
91-
VERSION="0.0.0-main.${DATE}.${{ github.run_number }}"
99+
VERSION="0.0.0-main.${DATE}.${GH_RUN_NUMBER}"
92100
TAG_NAME="main-${DATE}"
93101
IMAGE_TAG="main-${DATE}${IMAGE_TAG_SUFFIX}"
94102
echo "version=${VERSION}" >> $GITHUB_OUTPUT
@@ -98,7 +106,7 @@ runs:
98106
;;
99107
100108
*)
101-
echo "Error: Invalid workflow-type '${{ inputs.workflow-type }}'. Must be: main, pr, or release"
109+
echo "Error: Invalid workflow-type '${IN_WORKFLOW_TYPE}'. Must be: main, pr, or release"
102110
exit 1
103111
;;
104112
esac

.github/workflows/calm.yaml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -182,7 +182,9 @@ jobs:
182182
node-version: ${{ inputs.node-version }}
183183

184184
- name: Install @finos/calm-cli
185-
run: npm install -g "@finos/calm-cli@${{ inputs.cli-version }}"
185+
env:
186+
CLI_VERSION: ${{ inputs.cli-version }}
187+
run: npm install -g "@finos/calm-cli@${CLI_VERSION}"
186188

187189
- name: Show CLI version
188190
run: calm --version

.github/workflows/docs.yaml

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -104,8 +104,11 @@ jobs:
104104
python-version: '3.11'
105105

106106
- name: Install Poetry
107+
env:
108+
# Pinned for reproducibility; bump alongside docs/pyproject.toml.
109+
POETRY_VERSION: "1.8.4"
107110
run: |
108-
curl -sSL https://install.python-poetry.org | python3 -
111+
curl -sSL https://install.python-poetry.org | python3 - --version "${POETRY_VERSION}"
109112
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
110113
111114
- name: Configure Poetry
@@ -147,8 +150,11 @@ jobs:
147150
- name: Check for broken links
148151
if: github.event_name == 'pull_request'
149152
continue-on-error: true
153+
env:
154+
# Pinned for reproducibility; bump periodically.
155+
LINKINATOR_VERSION: "6.1.2"
150156
run: |
151-
npm install -g linkinator
157+
npm install -g "linkinator@${LINKINATOR_VERSION}"
152158
linkinator docs/site/ --recurse --skip "rustdoc/.*" --verbosity error
153159
154160
- name: Setup Pages

SECURITY.md

Lines changed: 80 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,80 @@
1+
<!--
2+
Copyright (c) 2025 Erick Bourgeois, firestoned
3+
SPDX-License-Identifier: Apache-2.0
4+
-->
5+
6+
# Security Policy
7+
8+
5-Spot is a FINOS-incubating project. Its security posture is described
9+
in detail under [`docs/src/security/`](./docs/src/security/); this
10+
document gives the short version: how to report a vulnerability and what
11+
to expect back.
12+
13+
## Reporting a vulnerability
14+
15+
**Do not open a public GitHub issue for security problems.** Please use
16+
one of the private channels below so we can triage and coordinate
17+
disclosure:
18+
19+
1. **GitHub private vulnerability report** (preferred):
20+
<https://github.com/finos/5-spot/security/advisories/new>
21+
2. **Email**: `security@finos.org` — for general FINOS-coordinated
22+
disclosure. Include `5-spot` in the subject line.
23+
3. **Direct maintainer**: `erick.bourgeois@gmail.com` — PGP-signed
24+
messages welcome.
25+
26+
Please include, where possible:
27+
28+
- A description of the vulnerability and its impact.
29+
- The version / commit SHA / container image digest you tested against.
30+
- Steps to reproduce or a minimal proof-of-concept.
31+
- Any suggested mitigation or patch.
32+
33+
## What to expect
34+
35+
| Phase | Target |
36+
| ---------------------- | ------------------------------------------------------------------- |
37+
| Acknowledgement | 3 business days |
38+
| Initial triage | 7 business days |
39+
| Fix / mitigation ETA | Shared after triage; depends on severity (CVSS) and blast radius |
40+
| Public disclosure | After a fix is released, coordinated with the reporter |
41+
42+
We follow standard coordinated-disclosure practice: the reporter is
43+
credited in the resulting advisory unless they prefer to remain
44+
anonymous.
45+
46+
## Supported versions
47+
48+
5-Spot follows a rolling-release model until `v1.0.0`. Only the latest
49+
release on `main` receives security fixes during the incubation phase.
50+
51+
## Scope
52+
53+
In scope:
54+
55+
- The 5-Spot controller binary and its container images
56+
(`ghcr.io/finos/5-spot`, `ghcr.io/finos/5-spot-distroless`).
57+
- The Custom Resource Definitions and admission policies shipped under
58+
[`deploy/`](./deploy).
59+
- The build and release pipeline
60+
([`.github/workflows/`](./.github/workflows)) insofar as a compromise
61+
would affect published artifacts.
62+
63+
Out of scope:
64+
65+
- Vulnerabilities in upstream dependencies that are already addressed
66+
in our [`.vex/`](./.vex) directory as `not_affected` — these have a
67+
documented, reviewed justification. If you disagree with one, please
68+
still report it so we can re-evaluate.
69+
- Findings that require the reporter to already have cluster-admin or
70+
equivalent privileges.
71+
- Denial-of-service against a single 5-Spot replica (the operator is
72+
designed to be run with leader election and horizontal replicas; see
73+
[`docs/src/operations/multi-instance.md`](./docs/src/operations/multi-instance.md)).
74+
75+
## Related documents
76+
77+
- [Threat model](./docs/src/security/threat-model.md)
78+
- [VEX publication process](./docs/src/security/vex.md)
79+
- [Admission policies & validation](./docs/src/security/admission-validation.md)
80+
- [FINOS security policy](https://www.finos.org/hubfs/finos/FINOS%20Vulnerability%20Disclosure%20Policy.pdf)

0 commit comments

Comments
 (0)