Skip to content

Add GHA for scorecard analysis (OpenSSF) #66

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
gab-arrobo merged 1 commit into from
Nov 27, 2025
+150 −9
Merged

Add GHA for scorecard analysis (OpenSSF) #66

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .github/CODEOWNERS
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# SPDX-FileCopyrightText: 2025 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

* @omec-project/5gc-maintainers
8 changes: 8 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,11 @@ updates:
day: "wednesday"
time: "21:00"
timezone: "America/Los_Angeles"

- package-ecosystem: github-actions
directory: /
schedule:
interval: "weekly"
day: "wednesday"
time: "21:00"
timezone: "America/Los_Angeles"
Comment on lines +23 to +29
Copy link
Contributor

@gab-arrobo gab-arrobo Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sureshmarikkannu,
I think this GHA is duplicated and needs to be removed. There is already this package ecosystem in line 7. Please open a PR fixing this issue

61 changes: 56 additions & 5 deletions .github/workflows/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,31 +11,82 @@ on:
branches:
- main

permissions:
contents: read

jobs:
doc8:
uses: omec-project/.github/.github/workflows/make-target-reuse.yml@main
permissions:
contents: read
actions: read
security-events: write
id-token: write
attestations: write
uses: omec-project/.github/.github/workflows/make-target-reuse.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
with:
branch_name: ${{ github.ref }}
target: doc8

spell-check:
uses: omec-project/.github/.github/workflows/make-target-reuse.yml@main
permissions:
contents: read
checks: write
id-token: write
attestations: write
uses: omec-project/.github/.github/workflows/make-target-reuse.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
with:
branch_name: ${{ github.ref }}
target: spelling

link-check:
uses: omec-project/.github/.github/workflows/make-target-reuse.yml@main
permissions:
contents: read
checks: write
id-token: write
attestations: write
uses: omec-project/.github/.github/workflows/make-target-reuse.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
with:
branch_name: ${{ github.ref }}
target: linkcheck

license-check:
uses: omec-project/.github/.github/workflows/license-check.yml@main
permissions:
contents: read
id-token: write
attestations: write
uses: omec-project/.github/.github/workflows/license-check.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
with:
branch_name: ${{ github.ref }}

fossa-scan:
uses: omec-project/.github/.github/workflows/fossa-scan.yml@main
permissions:
contents: read
security-events: write
id-token: write
attestations: write
uses: omec-project/.github/.github/workflows/fossa-scan.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
with:
branch_name: ${{ github.ref }}

analysis:
if: github.repository_owner == 'omec-project'
permissions:
actions: read
artifact-metadata: read
attestations: read
checks: read
contents: read
deployments: read
discussions: read
id-token: write
issues: read
models: read
packages: read
pages: read
pull-requests: read
repository-projects: read
security-events: write
statuses: read
uses: omec-project/.github/.github/workflows/scorecard-analysis.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
with:
branch_name: ${{ github.ref }}
28 changes: 24 additions & 4 deletions .github/workflows/push.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,27 +9,47 @@ on:
- main
workflow_dispatch:

permissions:
contents: read

jobs:
validate:
uses: omec-project/.github/.github/workflows/validate.yml@main
permissions:
contents: write
actions: read
id-token: write
uses: omec-project/.github/.github/workflows/validate.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
with:
branch_name: ${{ github.ref }}

tag-github:
uses: omec-project/.github/.github/workflows/tag-github.yml@main
permissions:
contents: write
actions: read
id-token: write
uses: omec-project/.github/.github/workflows/tag-github.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
secrets: inherit

update-version:
needs: tag-github
uses: omec-project/.github/.github/workflows/update-version.yml@main
permissions:
contents: write
pull-requests: write
actions: read
id-token: write
uses: omec-project/.github/.github/workflows/update-version.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
with:
changed: ${{ needs.tag-github.outputs.changed }}
version: ${{ needs.tag-github.outputs.version }}
secrets: inherit

publish:
if: github.repository_owner == 'omec-project'
uses: omec-project/.github/.github/workflows/publish-docs.yml@main
permissions:
contents: write
actions: read
id-token: write
uses: omec-project/.github/.github/workflows/publish-docs.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
secrets: inherit
with:
branch_name: ${{ github.ref }}
17 changes: 17 additions & 0 deletions .pre-commit-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2025 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.29.0
hooks:
- id: gitleaks
- repo: https://github.com/golangci/golangci-lint
rev: v2.6.1
hooks:
- id: golangci-lint
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v6.0.0
hooks:
- id: end-of-file-fixer
- id: trailing-whitespace
41 changes: 41 additions & 0 deletions docs/SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
<!--
SPDX-FileCopyrightText: 2025 Intel Corporation
SPDX-License-Identifier: Apache-2.0
-->
# Security Policy

## Supported Versions

We release patches for security vulnerabilities in the following versions:

| Version | Supported |
| ------- | ------------------ |
| 1.x.x | :white_check_mark: |

## Reporting a Vulnerability

If you discover a security vulnerability, please:

1. **DO NOT** create a public GitHub issue
2. Email us at: info@aetherproject.org
3. Include detailed information about the vulnerability
4. Allow us reasonable time to address the issue before public disclosure

### What to Include

- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any proof-of-concept code (if applicable)

## Security Best Practices

When using this project:
- Keep dependencies up to date
- Use the latest supported version
- Follow secure coding practices
- Regularly audit your implementation

## Contact

1. #sdcore-dev channel in [Aether Community Slack](https://aether5g-project.slack.com)
Loading