Orange-OpenSource
diff --git a/‎.github/DEVELOP.md‎
Lines changed: 49 additions & 7 deletions b/‎.github/DEVELOP.md‎
Lines changed: 49 additions & 7 deletions
diff --git a/‎.github/workflows/build-and-test.yml‎
Lines changed: 7 additions & 4 deletions b/‎.github/workflows/build-and-test.yml‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎.github/workflows/build-documentation.yml‎
Lines changed: 4 additions & 1 deletion b/‎.github/workflows/build-documentation.yml‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 88 additions & 0 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 88 additions & 0 deletions
diff --git a/‎.github/workflows/dependency-review.yml‎
Lines changed: 38 additions & 0 deletions b/‎.github/workflows/dependency-review.yml‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎.github/workflows/gitleaks.yml‎
Lines changed: 5 additions & 2 deletions b/‎.github/workflows/gitleaks.yml‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎.github/workflows/periphery.yml‎
Lines changed: 5 additions & 2 deletions b/‎.github/workflows/periphery.yml‎
Lines changed: 5 additions & 2 deletions
@@ -11,6 +11,8 @@
 - [Commits, changelog, release note, versioning](#commits-changelog-release-note-versioning)
   * [About commits](#about-commits)
   * [About release note and changelog](#about-release-note-and-changelog)
+  * [Integration of tokenator updates](#integration-of-tokenator-updates)
+  * [Verifying commits cryptographic signatures](#verifying-commits-cryptographic-signatures)
 - [Use of Gitleaks](#use-of-gitleaks)
 - [Linter](#linter)
 - [Formater](#formater)
@@ -272,6 +274,41 @@ chore(🤖): update `OpacityRawTokens` (tokenator generation 20241021134644) (#2
 Tokens library v0.4.1
 ``` 
 
+#### Verifying commits cryptographic signatures
+
+Some core maintainers in the project use GPG so cryptographically sign their commits.
+You can check the commits status with the commands below:
+```shell
+# Of course we suppose you are a bit used to GPG and have it installed
+# Update your keychain of GPG keys and getthe online the ones for the maintainers
+# For example GPG key identifier of @pylapp is "8030BBE06B4F48F95BD082DA7D5AE4DCFF3A3435"
+
+# This command can take a lot of time, maybe try the next one
+gpg --refresh-keys
+gpg --keyserver https://key.openpgp.org --recv-keys 8030BBE06B4F48F95BD082DA7D5AE4DCFF3A3435
+
+# If none of this command works, contact the maintainers to get their public key to add in your keychain and run
+gpg --import path/to/asc/key/file
+
+# Then check if the key is in your keychain
+gpg --list-keys --keyid-format=short
+
+# If you run "gpg --check-sigs" you may notice they keys are not signed (unknown trust), that's not unexpected
+
+# Then run the command to verify the commit status using for example its hash
+git verify-commit the-commit-hash
+# Or get more logs
+git log --show-signature
+```
+
+In addition, GitHub also provides a feature of commits veritification named [Vigilant mode](https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits).
+In few words, if the commit was signed with the committer's verified signature, the commit is *verified*.
+
+> [!CAUTION]
+> Some maintainers do not use GPG or SSH signing for commits, so the documentation commits can be seen as "unverified"
+> and some commits can have empty status because GitHub Vigilant Mode is not enabled for everyone
+> and some commits can be unsigned.
+
 ### About release note and changelog
 
 We try also to apply [keep a changelog](https://keepachangelog.com/en/1.0.0/), and [semantic versioning](https://semver.org/spec/v2.0.0.html) both with [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/).
@@ -425,15 +462,20 @@ To update dependencies of the project, supossing *Renovate* for example provides
 
 ### GitHub Action
 
-We use *GitHub Actions* so as to define a workflow with some actions to build and test the library.
+We use *GitHub Actions* so as to define several workflows with some actions to build, test, check, documentation and audit the library.
+
 It will help us to ensure code on pull requests or being merged compiles and has all tests green.
+
 Workflows are the following:
-- [build and run unit tests](https://github.com/Orange-OpenSource/ouds-ios/blob/develop/.github/workflows/build-and-test.yml)
-- [check if there are secrets leaks](https://github.com/Orange-OpenSource/ouds-ios/blob/develop/.github/workflows/gitleaks.yml).
-- [check if there are localizations troubles](https://github.com/Orange-OpenSource/ouds-ios/blob/develop/.github/workflows/swiftpolyglot.yml)
-- [check if there is dead code](https://github.com/Orange-OpenSource/ouds-ios/blob/develop/.github/workflows/periphery.yml)
-- [run linter](https://github.com/Orange-OpenSource/ouds-ios/blob/develop/.github/workflows/swiftlint.yml)
-- [generate documentation](https://github.com/Orange-OpenSource/ouds-ios/blob/develop/.github/workflows/build-documentation.yml)
+- [build-and-test](https://github.com/Orange-OpenSource/ouds-ios/blob/develop/.github/workflows/build-and-test.yml) to build and run unit tests
+- [build-documentation](https://github.com/Orange-OpenSource/ouds-ios/blob/develop/.github/workflows/build-documentation.yml) to ensure documentation can be built from sources without warnings
+- [codeql](https://github.com/Orange-OpenSource/ouds-ios/blob/develop/.github/workflows/codeql.yml) to automated security checks
+- [dependency-review](https://github.com/Orange-OpenSource/ouds-ios/blob/develop/.github/workflows/codeql.yml) to scan dependency manifest files surfacing known-vulnerable versions of the packages declared or updated in pull requests
+- [gitleaks](https://github.com/Orange-OpenSource/ouds-ios/blob/develop/.github/workflows/gitleaks.yml) to check if there are secrets leaks
+- [periphery](https://github.com/Orange-OpenSource/ouds-ios/blob/develop/.github/workflows/periphery.yml) to check if there is dead code
+- [scorecard](https://github.com/Orange-OpenSource/ouds-ios/blob/develop/.github/workflows/scorecard.yml) to buold the OpenSSF score card on README
+- [swiftlint](https://github.com/Orange-OpenSource/ouds-ios/blob/develop/.github/workflows/swiftlint.yml) to check if there is no linter warnings
+- [swiftpolyglot](https://github.com/Orange-OpenSource/ouds-ios/blob/develop/.github/workflows/swiftpolyglot.yml) to check if there are localizations troubles
 
 We use also two GitHub apps making controls on pull requests and defining wether or not prerequisites are filled or not.
 There is one control to check if [PR template are all defined ](https://github.com/stilliard/github-task-list-completed), and one if [DCO is applied](https://probot.github.io/apps/dco/).
 
@@ -39,20 +39,23 @@ on:
       - develop
       - '*'        
 
+permissions:
+  contents: read
+
 jobs:
   # Build the library
   build:
     runs-on: macos-15
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set up Xcode 16.4.0
         run: |
           sudo xcode-select -s /Applications/Xcode_16.4.0.app/Contents/Developer
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0, https://github.com/ruby/setup-ruby
         with:
           ruby-version: '3.3'
 
@@ -69,14 +72,14 @@ jobs:
     runs-on: macos-15
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set up Xcode 16.4.0
         run: |
           sudo xcode-select -s /Applications/Xcode_16.4.0.app/Contents/Developer
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0, https://github.com/ruby/setup-ruby
         with:
           ruby-version: '3.3'
 
 
@@ -38,13 +38,16 @@ on:
       - develop
       - '*'        
 
+permissions:
+  contents: read
+
 jobs:
   # Build the documentation to check if everything works well
   build-documentation:
     runs-on: macos-15
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set up Xcode 16.4.0
         run: |
 
@@ -0,0 +1,88 @@
+#
+# Software Name: Orange Unified Design System
+# SPDX-FileCopyrightText: Copyright (c) Orange SA
+# SPDX-License-Identifier: MIT
+#
+# This software is distributed under the MIT license,
+# the text of which is available at https://opensource.org/license/MIT/
+# or see the "LICENSE" file for more details.
+#
+# Authors: See CONTRIBUTORS.txt
+# Software description: A SwiftUI components library with code examples for Orange Unified Design System
+#
+
+# Generated thanks to https://app.stepsecurity.io/securerepo
+
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["develop"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["develop"]
+  schedule:
+    - cron: "0 0 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: macos-15
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["ruby", "swift"]
+        # CodeQL supports [ $supported-codeql-languages ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #   echo "Run, Build Application using script"
+      #   ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
+        with:
+          category: "/language:${{matrix.language}}"
@@ -0,0 +1,38 @@
+#
+# Software Name: Orange Unified Design System
+# SPDX-FileCopyrightText: Copyright (c) Orange SA
+# SPDX-License-Identifier: MIT
+#
+# This software is distributed under the MIT license,
+# the text of which is available at https://opensource.org/license/MIT/
+# or see the "LICENSE" file for more details.
+#
+# Authors: See CONTRIBUTORS.txt
+# Software description: A SwiftUI components library with code examples for Orange Unified Design System
+#
+
+# Generated thanks to https://app.stepsecurity.io/securerepo
+
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3
@@ -36,15 +36,18 @@ on:
     branches-ignore:
       - main      
 
+permissions:
+  contents: read
+
 jobs:
   scan:
     name: gitleaks
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@v2
+      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9, https://github.com/gitleaks/gitleaks-action
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
@@ -37,15 +37,18 @@ on:
     branches-ignore:
       - main       
 
+permissions:
+  contents: read
+
 jobs:
   deadcode:
     runs-on: macos-15
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0, https://github.com/ruby/setup-ruby
         with:
           ruby-version: '3.3'