ci: bump dtolnay/rust-toolchain from b3b07ba8b418998c39fb20f53e8b695cdcc8de1b to 3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 #425
| name: Supply Chain Security | |
| on: | |
| pull_request: | |
| push: | |
| branches: [main] | |
| schedule: | |
| - cron: "30 3 * * 1" # Weekly Monday 03:30 UTC | |
| permissions: {} | |
| jobs: | |
| # Block PRs that introduce known-vulnerable or malicious dependencies | |
| dependency-review: | |
| name: Dependency Review | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - name: Harden runner | |
| uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Dependency review | |
| uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4 | |
| with: | |
| fail-on-severity: high | |
| comment-summary-in-pr: always | |
| # Verify deno.lock has not been tampered with | |
| lockfile-integrity: | |
| name: Lockfile Integrity | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Harden runner | |
| uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Setup Deno | |
| uses: denoland/setup-deno@667a34cdef165d8d2b2e98dde39547c9daac7282 # v2.0.4 | |
| with: | |
| deno-version: v2.x | |
| - name: Verify lockfile is committed | |
| run: | | |
| if [ ! -f deno.lock ]; then | |
| echo "::error::deno.lock is missing — commit it to enforce dependency integrity" | |
| exit 1 | |
| fi | |
| - name: Verify lockfile is up-to-date (frozen install) | |
| run: deno install --frozen | |
| # OpenSSF Scorecard — measures repo security posture | |
| scorecard: | |
| name: OpenSSF Scorecard | |
| runs-on: ubuntu-latest | |
| if: github.event_name != 'pull_request' && !github.event.repository.private | |
| permissions: | |
| contents: read | |
| security-events: write # Upload SARIF | |
| id-token: write # Sigstore signing for publish_results | |
| steps: | |
| - name: Harden runner | |
| uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Run Scorecard | |
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 | |
| with: | |
| results_file: results.sarif | |
| results_format: sarif | |
| publish_results: true | |
| - name: Upload SARIF | |
| uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 | |
| with: | |
| sarif_file: results.sarif |
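Review bot: The checkout steps in the dependency-review and lockfile-integrity jobs leave `persist-credentials` at its default, so the job's GITHUB_TOKEN remains in `.git/config` while the later `deno install --frozen` step resolves and fetches third-party code, whereas only the scorecard job's checkout sets `persist-credentials: false`; add `with:` and `persist-credentials: false` to both of those checkout steps so all three jobs match. Separately, every harden-runner step uses `egress-policy: audit`, which only records outbound connections rather than blocking them, so the dependency-fetching jobs are not actually prevented from reaching an unexpected host; once the audit logs show the expected endpoints, switch to `egress-policy: block` with an `allowed-endpoints:` list. Both points are inferred from the workflow as written, not from a run log.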