diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index 1585ebd..c64620f 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -16,4 +16,4 @@ permissions: jobs: gitleaks: - uses: amcheste/gh-workflows/.github/workflows/reusable-gitleaks.yml@v1.0.0 + uses: amcheste/gh-workflows/.github/workflows/reusable-gitleaks.yml@v1.1.0 diff --git a/.github/workflows/monthly-dependency-release.yml b/.github/workflows/monthly-dependency-release.yml index 96d1ff1..00be20c 100644 --- a/.github/workflows/monthly-dependency-release.yml +++ b/.github/workflows/monthly-dependency-release.yml @@ -17,4 +17,4 @@ permissions: jobs: release: - uses: amcheste/gh-workflows/.github/workflows/reusable-monthly-dependency-release.yml@v1.0.0 + uses: amcheste/gh-workflows/.github/workflows/reusable-monthly-dependency-release.yml@v1.1.0 diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index ea932b9..8d20c4e 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -1,5 +1,9 @@ name: Release Drafter +# Thin caller stub: logic lives in amcheste/gh-workflows. The category and +# label mapping stays in this repo's .github/release-drafter.yml. Dependabot +# bumps the pin as gh-workflows releases. + on: push: branches: [develop, main] @@ -10,10 +14,5 @@ permissions: pull-requests: write jobs: - update-release-draft: - name: Update Release Draft - runs-on: ubuntu-latest - steps: - - uses: release-drafter/release-drafter@4d75298e00d9e34c483e5ff8c68d0ea1c1940c1e # v7.5.1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + draft: + uses: amcheste/gh-workflows/.github/workflows/reusable-release-drafter.yml@v1.1.0 diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index 890eacc..9f600a8 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml @@ -1,5 +1,9 @@ name: SAST +# Thin caller stub: logic lives in amcheste/gh-workflows. Add language rule +# packs via the semgrep-config input (p/secrets is the universal floor). +# Dependabot bumps the pin as gh-workflows releases. + on: push: branches: [main, develop] @@ -13,23 +17,8 @@ permissions: jobs: semgrep: - name: Semgrep - runs-on: ubuntu-latest - permissions: - contents: read - security-events: write - steps: - - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - - uses: returntocorp/semgrep-action@713efdd345f3035192eaa63f56867b88e63e4e5d # v1 - with: - config: >- - p/bash - p/secrets - generateSarif: "1" - - - uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0 - if: always() && github.ref == 'refs/heads/main' - continue-on-error: true - with: - sarif_file: semgrep.sarif + uses: amcheste/gh-workflows/.github/workflows/reusable-sast.yml@v1.1.0 + with: + semgrep-config: >- + p/secrets + p/bash diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index f524b4f..c1e47eb 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -1,5 +1,9 @@ name: OpenSSF Scorecard +# Thin caller stub: logic lives in amcheste/gh-workflows (includes the +# default-branch guard so pushes to non-default branches skip instead of +# failing). Dependabot bumps the pin as gh-workflows releases. + on: branch_protection_rule: schedule: @@ -11,35 +15,5 @@ on: permissions: read-all jobs: - analysis: - name: Scorecard Analysis - runs-on: ubuntu-latest - continue-on-error: true # Scorecard requires a public repo — fails silently on private repos - permissions: - security-events: write - id-token: write - contents: read - actions: read - steps: - - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - with: - persist-credentials: false - - - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 - with: - results_file: results.sarif - results_format: sarif - # Publish to scorecard.dev only from the default branch. - publish_results: ${{ github.ref_name == github.event.repository.default_branch }} - - - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - - uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4 - if: github.ref_name == github.event.repository.default_branch - continue-on-error: true - with: - sarif_file: results.sarif + scorecard: + uses: amcheste/gh-workflows/.github/workflows/reusable-scorecard.yml@v1.1.0 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 135724f..5797e03 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -1,5 +1,8 @@ name: Stale +# Thin caller stub: logic lives in amcheste/gh-workflows. Dependabot bumps +# the pin as gh-workflows releases. + on: schedule: - cron: '0 9 * * *' @@ -7,22 +10,7 @@ on: permissions: contents: read - issues: write - pull-requests: write jobs: stale: - runs-on: ubuntu-latest - steps: - - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10 - with: - stale-issue-message: 'This issue has been inactive for 30 days and is marked stale. It will be closed in 7 days unless there is activity.' - stale-pr-message: 'This PR has been inactive for 30 days and is marked stale. It will be closed in 7 days unless there is activity.' - close-issue-message: 'Closed due to inactivity.' - close-pr-message: 'Closed due to inactivity.' - days-before-stale: 30 - days-before-close: 7 - stale-issue-label: stale - stale-pr-label: stale - exempt-issue-labels: 'pinned,security' - exempt-pr-labels: 'pinned' + uses: amcheste/gh-workflows/.github/workflows/reusable-stale.yml@v1.1.0