Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/gitleaks.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,4 +16,4 @@ permissions:

jobs:
gitleaks:
uses: amcheste/gh-workflows/.github/workflows/reusable-gitleaks.yml@v1.0.0
uses: amcheste/gh-workflows/.github/workflows/reusable-gitleaks.yml@v1.1.0
2 changes: 1 addition & 1 deletion .github/workflows/monthly-dependency-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,4 @@ permissions:

jobs:
release:
uses: amcheste/gh-workflows/.github/workflows/reusable-monthly-dependency-release.yml@v1.0.0
uses: amcheste/gh-workflows/.github/workflows/reusable-monthly-dependency-release.yml@v1.1.0
13 changes: 6 additions & 7 deletions .github/workflows/release-drafter.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
name: Release Drafter

# Thin caller stub: logic lives in amcheste/gh-workflows. The category and
# label mapping stays in this repo's .github/release-drafter.yml. Dependabot
# bumps the pin as gh-workflows releases.

on:
push:
branches: [develop, main]
Expand All @@ -10,10 +14,5 @@ permissions:
pull-requests: write

jobs:
update-release-draft:
name: Update Release Draft
runs-on: ubuntu-latest
steps:
- uses: release-drafter/release-drafter@4d75298e00d9e34c483e5ff8c68d0ea1c1940c1e # v7.5.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
draft:
uses: amcheste/gh-workflows/.github/workflows/reusable-release-drafter.yml@v1.1.0
29 changes: 9 additions & 20 deletions .github/workflows/sast.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
name: SAST

# Thin caller stub: logic lives in amcheste/gh-workflows. Add language rule
# packs via the semgrep-config input (p/secrets is the universal floor).
# Dependabot bumps the pin as gh-workflows releases.

on:
push:
branches: [main, develop]
Expand All @@ -13,23 +17,8 @@ permissions:

jobs:
semgrep:
name: Semgrep
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- uses: returntocorp/semgrep-action@713efdd345f3035192eaa63f56867b88e63e4e5d # v1
with:
config: >-
p/bash
p/secrets
generateSarif: "1"

- uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
if: always() && github.ref == 'refs/heads/main'
continue-on-error: true
with:
sarif_file: semgrep.sarif
uses: amcheste/gh-workflows/.github/workflows/reusable-sast.yml@v1.1.0
with:
semgrep-config: >-
p/secrets
p/bash
38 changes: 6 additions & 32 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
name: OpenSSF Scorecard

# Thin caller stub: logic lives in amcheste/gh-workflows (includes the
# default-branch guard so pushes to non-default branches skip instead of
# failing). Dependabot bumps the pin as gh-workflows releases.

on:
branch_protection_rule:
schedule:
Expand All @@ -11,35 +15,5 @@ on:
permissions: read-all

jobs:
analysis:
name: Scorecard Analysis
runs-on: ubuntu-latest
continue-on-error: true # Scorecard requires a public repo — fails silently on private repos
permissions:
security-events: write
id-token: write
contents: read
actions: read
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false

- uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: results.sarif
results_format: sarif
# Publish to scorecard.dev only from the default branch.
publish_results: ${{ github.ref_name == github.event.repository.default_branch }}

- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: SARIF file
path: results.sarif
retention-days: 5

- uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4
if: github.ref_name == github.event.repository.default_branch
continue-on-error: true
with:
sarif_file: results.sarif
scorecard:
uses: amcheste/gh-workflows/.github/workflows/reusable-scorecard.yml@v1.1.0
20 changes: 4 additions & 16 deletions .github/workflows/stale.yml
Original file line number Diff line number Diff line change
@@ -1,28 +1,16 @@
name: Stale

# Thin caller stub: logic lives in amcheste/gh-workflows. Dependabot bumps
# the pin as gh-workflows releases.

on:
schedule:
- cron: '0 9 * * *'
workflow_dispatch:

permissions:
contents: read
issues: write
pull-requests: write

jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10
with:
stale-issue-message: 'This issue has been inactive for 30 days and is marked stale. It will be closed in 7 days unless there is activity.'
stale-pr-message: 'This PR has been inactive for 30 days and is marked stale. It will be closed in 7 days unless there is activity.'
close-issue-message: 'Closed due to inactivity.'
close-pr-message: 'Closed due to inactivity.'
days-before-stale: 30
days-before-close: 7
stale-issue-label: stale
stale-pr-label: stale
exempt-issue-labels: 'pinned,security'
exempt-pr-labels: 'pinned'
uses: amcheste/gh-workflows/.github/workflows/reusable-stale.yml@v1.1.0
Loading