diff --git a/.ci/Dockerfile b/.ci/Dockerfile
index 6e0a0d788d..2aa2dd93d2 100644
--- a/.ci/Dockerfile
+++ b/.ci/Dockerfile
@@ -1,5 +1,5 @@
 #syntax=docker/dockerfile:1.2
-FROM node:20 as build
+FROM node@sha256:0c0734eb7051babbb3e95cd74e684f940552b31472152edf0bb23e54ab44a0d7 as build
 WORKDIR /lambdas
 RUN apt-get update \
 && apt-get install -y zip \
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 7fb3b4efc1..2e7b5badb0 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,2 +1 @@
-ARG VARIANT="20-bullseye"
-FROM mcr.microsoft.com/vscode/devcontainers/typescript-node:0-${VARIANT}
+FROM mcr.microsoft.com/vscode/devcontainers/typescript-node@sha256:acdce1045a2ddce4c66846d5cd09adf746d157fce9233124e4925b647f192b2e
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 35d386142a..face548144 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -51,3 +51,23 @@ updates:
 commit-message:
 prefix: "fix(lambda)"
 prefix-development: "chore(lambda)"
+
+ - package-ecosystem: "docker"
+ directory: "/.ci/Dockerfile"
+ schedule:
+ interval: "weekly"
+ labels:
+ - "dependencies"
+ - "docker"
+ commit-message:
+ prefix: "chore(docker)"
+
+ - package-ecosystem: "docker"
+ directory: "/.devcontainer/Dockerfile"
+ schedule:
+ interval: "weekly"
+ labels:
+ - "dependencies"
+ - "docker"
+ commit-message:
+ prefix: "chore(devcontainer)"
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
new file mode 100644
index 0000000000..f17530ef40
--- /dev/null
+++ b/.github/workflows/ossf-scorecard.yml
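Review bot: The new `+FROM node@sha256:0c0734eb…` line pins by digest only, so nothing in the Dockerfile records which Node line that digest resolves to, even though the same commit moves `lambdas/.nvmrc` to v22; a reader cannot tell whether the build image and the declared runtime still agree. Keep the tag beside the digest, e.g. `FROM node:22@sha256:0c0734eb7051babbb3e95cd74e684f940552b31472152edf0bb23e54ab44a0d7 AS build` (assuming that digest is a v22 image — confirm against the registry), which keeps the major version reviewable and, as far as I know, lets Dependabot refresh the digest within that tag rather than against whatever `latest` points to. The `.devcontainer/Dockerfile` hunk has the same issue and additionally drops the `VARIANT` build arg, so the devcontainer's Node/Debian line is no longer visible anywhere; `FROM …/typescript-node:<tag>@sha256:acdce104…` would restore that. Minor: `as build` would be `AS build` to match the uppercase instruction casing the file already uses.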
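Review bot: `directory: "/.ci/Dockerfile"` and `directory: "/.devcontainer/Dockerfile"` in the two added `docker` entries name files, but Dependabot's `directory` key is the folder it scans for Dockerfiles; as written the entries are likely to report no manifest found and the digests pinned in this same commit would never be refreshed, which defeats the purpose of the change. Change them to `directory: "/.ci"` and `directory: "/.devcontainer"` and confirm with a manual Dependabot run from the repository's Insights tab. The enclosing `updates:` list starts outside the hunk.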
@@ -0,0 +1,48 @@
+name: OSSF Scorecard supply-chain security
+on:
+ branch_protection_rule:
+ schedule:
+ - cron: '44 19 * * 2'
+ workflow_dispatch:
+ push:
+ branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+ permissions:
+ security-events: write
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard (optional).
+ # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e
+ with:
+ sarif_file: results.sarif
diff --git a/README.md b/README.md
index e264bdc3d5..b0236fc2b5 100644
--- a/README.md
+++ b/README.md
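Review bot: `uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e` is the only step in the new workflow pinned without the trailing release-tag comment the other three steps carry (`# v4.2.2`, `# v2.4.1`, `# v4.6.1`); append `# v<release tag this SHA corresponds to>` so reviewers and Dependabot can map the commit to a version when it is bumped. Separately, the job condition `if: … || github.event_name == 'pull_request'` tests for an event that `on:` never declares, so that clause can never be true — drop it, or add a `pull_request` trigger if PR-time runs are intended. Both points are about how the workflow is written; the pinning itself and `persist-credentials: false` are in line with Scorecard's recommendations.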
@@ -1,6 +1,6 @@ # Terraform module Self-Hosted Scalable GitHub Actions runners on AWS. -[![docs](https://img.shields.io/badge/docs-runners-blue.svg)](https://github-aws-runners.github.io/terraform-aws-github-runner) [![awesome-runners](https://img.shields.io/badge/listed%20on-awesome--runners-blue.svg)](https://github.com/jonico/awesome-runners) [![Terraform registry](https://img.shields.io/github/v/release/github-aws-runners/terraform-aws-github-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/github-aws-runners/github-runner/aws/) [![Terraform checks](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/terraform.yml/badge.svg)](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/terraform.yml) [![Lambdas](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/lambda.yml/badge.svg)](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/lambda.yml) +[![docs](https://img.shields.io/badge/docs-runners-blue.svg)](https://github-aws-runners.github.io/terraform-aws-github-runner) [![awesome-runners](https://img.shields.io/badge/listed%20on-awesome--runners-blue.svg)](https://github.com/jonico/awesome-runners) [![Terraform registry](https://img.shields.io/github/v/release/github-aws-runners/terraform-aws-github-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/github-aws-runners/github-runner/aws/) [![Terraform checks](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/terraform.yml/badge.svg)](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/terraform.yml) [![Lambdas](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/lambda.yml/badge.svg)](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/lambda.yml) [![OpenSSF 
Scorecard](https://api.scorecard.dev/projects/github.com/github-aws-runners/terraform-aws-github-runner/badge)](https://scorecard.dev/viewer/?uri=github.com/github-aws-runners/terraform-aws-github-runner) > 📢 We're moving `terraform-aws-github-runner` to a new organization https://github.com/github-aws-runners in January to foster growth and community ownership! 🎉 Join us on our new [Discord server](https://discord.gg/bxgXW8jJGh) for discussions and updates. Please see #4298 for more details. diff --git a/lambdas/.nvmrc b/lambdas/.nvmrc index 9a2a0e219c..53d1c14db3 100644 --- a/lambdas/.nvmrc +++ b/lambdas/.nvmrc @@ -1 +1 @@ -v20 +v22