relprep: Preparing the v2.2.0 release. #1274
| --- | |
| # This workflow uses actions that are not certified by GitHub. They are provided | |
| # by a third-party and are governed by separate terms of service, privacy | |
| # policy, and support documentation. | |
| name: OSV Scanner | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| # Required to upload SARIF file to CodeQL. See: https://github.com/github/codeql-action/issues/2117 | |
| actions: read | |
| # Require writing security events to upload SARIF file to security tab | |
| security-events: write | |
| # Only need to read contents | |
| contents: read | |
| jobs: | |
| osv_scanner_job: | |
| runs-on: ubuntu-latest | |
| name: Scan for vulns | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 | |
| with: | |
| disable-sudo: false | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.cloudflare.com:443 | |
| api.deps.dev:443 | |
| api.github.com:443 | |
| api.gumroad.com:443 | |
| api.osv.dev:443 | |
| api.scorecard.dev:443 | |
| api.securityscorecards.dev:443 | |
| checkpoint-api.hashicorp.com:443 | |
| fulcio.sigstore.dev:443 | |
| get.opentofu.org:443 | |
| ghcr.io:443 | |
| github.com:443 | |
| gitlab.com:443 | |
| golang.org:443 | |
| goreleaser.com:443 | |
| objects.githubusercontent.com:443 | |
| oss-fuzz-build-logs.storage.googleapis.com:443 | |
| osv-vulnerabilities.storage.googleapis.com:443 | |
| pkg-containers.githubusercontent.com:443 | |
| proxy.golang.org:443 | |
| registry.npmjs.org:443 | |
| rekor.sigstore.dev:443 | |
| releases.hashicorp.com:443 | |
| release-assets.githubusercontent.com:443 | |
| storage.googleapis.com:443 | |
| sum.golang.org:443 | |
| tuf-repo-cdn.sigstore.dev:443 | |
| uploads.github.com:443 | |
| vuln.go.dev:443 | |
| www.bestpractices.dev:443 | |
| - name: Checkout Source | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - name: "Run scanner on existing code" | |
| uses: google/osv-scanner-action/osv-scanner-action@b77c075a1235514558f0eb88dbd31e22c45e0cd2 # v2.2.1 | |
| continue-on-error: true | |
| with: | |
| scan-args: |- | |
| --format=json | |
| --output=results.json | |
| --recursive . |
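Review bot: The egress allowlist on the Harden Runner step (allowed-endpoints) is much broader than the visible steps need: checkout and osv-scanner should only reach github.com, api.github.com, api.osv.dev, osv-vulnerabilities.storage.googleapis.com and api.deps.dev, yet the list also opens api.gumroad.com, api.cloudflare.com, get.opentofu.org, goreleaser.com, gitlab.com, releases.hashicorp.com, registry.npmjs.org and others, which looks carried over from another workflow and largely defeats `egress-policy: block`. Trim the list to the hosts this job actually contacts, or add a comment beside each extra host naming the step that needs it. `disable-sudo: false` likewise grants more than the visible steps use, so `disable-sudo: true` would match them. `continue-on-error: true` on the scanner step means findings never fail the job, which is acceptable only if a later step consumes results.json and uploads or gates on it; the step list appears to continue past this view, so that cannot be confirmed here.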