Skip to content

feat: add github workflows#2

Merged
fmoessbauer merged 1 commit intomainfrom
feat/ci
Sep 5, 2025
Merged

feat: add github workflows#2
fmoessbauer merged 1 commit intomainfrom
feat/ci

Conversation

@Urist-McGit
Copy link
Collaborator

@Urist-McGit Urist-McGit commented Sep 5, 2025

Add workflows to lint, test and publish.

fmoessbauer
fmoessbauer reviewed Sep 5, 2025
View reviewed changes
@fmoessbauer
Copy link
Member

fmoessbauer commented Sep 5, 2025
edited
Loading

Hi, this already looks quite good. Please also scan this MR / branch with the https://github.com/boostsecurityio/poutine/ tool for obvious security issues / bad practices.

@Urist-McGit
Copy link
Collaborator Author

Urist-McGit commented Sep 5, 2025

Hi, this already looks quite good. Please also scan this MR / branch with the https://github.com/boostsecurityio/poutine/ tool for obvious security issues / bad practices.

It actually found something:

Rule: Build Component with a Known Vulnerability used
Severity: warning
Description: The workflow or action depends on a GitHub Action with known vulnerabilities.
Documentation: https://boostsecurityio.github.io/poutine/rules/known_vulnerability_in_build_component

+-----------------+--------------------------------+--------------------------------------------------------------------------------+
|   REPOSITORY    |            DETAILS             |                                      URL                                       |
+-----------------+--------------------------------+--------------------------------------------------------------------------------+
| siemens/debsbom | .github/workflows/publish.yml  | https://github.com/siemens/debsbom/tree/HEAD/.github/workflows/publish.yml#L45 |
|                 | Job: pypi-publish              |                                                                                |
|                 | Step: 0                        |                                                                                |
|                 | OSV ID: GHSA-cxww-7g56-2vh6    |                                                                                |
|                 | Package:                       |                                                                                |
|                 | actions/download-artifact      |                                                                                |
|                 |                                |                                                                                |
+-----------------+--------------------------------+--------------------------------------------------------------------------------+


Summary of findings:
+--------------------------------------------+--------------------------------------------------------+----------+--------+
|                  RULE ID                   |                       RULE NAME                        | FAILURES | STATUS |
+--------------------------------------------+--------------------------------------------------------+----------+--------+
| confused_deputy_auto_merge                 | Confused Deputy Auto-Merge                             |        0 | Passed |
| debug_enabled                              | CI Runner Debug Enabled                                |        0 | Passed |
| default_permissions_on_risky_events        | Default permissions used on risky events               |        0 | Passed |
| github_action_from_unverified_creator_used | Github Action from Unverified Creator used             |        0 | Passed |
| if_always_true                             | If condition always evaluates to true                  |        0 | Passed |
| injection                                  | Injection with Arbitrary External Contributor Input    |        0 | Passed |
| job_all_secrets                            | Workflow job exposes all secrets                       |        0 | Passed |
| known_vulnerability_in_build_component     | Build Component with a Known Vulnerability used        |        1 | Failed |
| known_vulnerability_in_build_platform      | Build Platform with a Known Vulnerability used         |        0 | Passed |
| pr_runs_on_self_hosted                     | Pull Request Runs on Self-Hosted GitHub Actions Runner |        0 | Passed |
| unpinnable_action                          | Unpinnable CI component used                           |        0 | Passed |
| untrusted_checkout_exec                    | Arbitrary Code Execution from Untrusted Code Changes   |        0 | Passed |
| unverified_script_exec                     | Unverified Script Execution                            |        0 | Passed |
+--------------------------------------------+--------------------------------------------------------+----------+--------+

I updated the download-artifact action and now there no more complaints

@fmoessbauer
Copy link
Member

fmoessbauer commented Sep 5, 2025

I'm glad to see that the tool helped. OT: I met the people behind it at EOSS24 in Seattle.

@Urist-McGit
feat: add github workflows
5297049 
Add workflows to lint, test and publish.

Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
@fmoessbauer fmoessbauer merged commit 29a3057 into main Sep 5, 2025
3 checks passed
@fmoessbauer fmoessbauer deleted the feat/ci branch September 5, 2025 09:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fmoessbauer fmoessbauer fmoessbauer approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Urist-McGit @fmoessbauer