fix: add contents write permission to release job for asset uploads #129

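---
# Security & dependency hygiene workflow for a Go (tinygo/) + Rust (rust/) repo.
#
# Review notes on this revision:
# - GITHUB_TOKEN is read-only by default for every job; jobs that need more
#   (SARIF upload, opening the update PR) declare it explicitly.
# - Scanner steps stay best-effort (continue-on-error), but a scanner that fails
#   to run must fail visibly instead of uploading a fabricated "no findings"
#   report to the Security tab.
# - Third-party code is fetched from pinned refs (trivy-action tag, syft
#   installer at the release tag, cosign via the Sigstore installer) rather
#   than mutable branches or "latest" downloads.
name: Security & Dependencies

on:  # yamllint disable-line rule:truthy
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]
  schedule:
    # Run security scans weekly (Mondays, 06:00 UTC)
    - cron: '0 6 * * 1'
  workflow_dispatch:

# Least privilege: the repository default for GITHUB_TOKEN may be read-write.
# Every job below gets a read-only token unless it declares otherwise.
permissions:
  contents: read

jobs:
  # Security vulnerability scanning
  security-scan:
    name: Security Vulnerability Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # required by codeql-action/upload-sarif
      actions: read           # required by upload-sarif on private repositories
    # NOTE: on pull_request runs from forks GITHUB_TOKEN is read-only and
    # repository secrets are not available, so the SARIF uploads and the
    # Semgrep publish step cannot succeed there regardless of these settings.
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
      - name: Setup Go
        uses: actions/setup-go@v6
        with:
          go-version: '1.23'
      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: "1.82.0"
      - name: Run Gosec Security Scanner (Go)
        # Best effort: a failure here marks the step failed but lets the job
        # continue. It must NOT write an empty SARIF on failure: an empty report
        # uploads as "no findings" and hides a scanner that never ran.
        continue-on-error: true
        run: |
          # TODO(security): pin to a release tag instead of @latest.
          # NOTE(review): upstream gosec lives at github.com/securego/gosec; confirm
          # this fork path resolves for `go install`. Previously an install failure
          # was masked by `|| true` plus the fabricated empty SARIF.
          go install github.com/securecodewarrior/gosec/v2/cmd/gosec@latest
          cd tinygo
          # gosec exits non-zero when it reports findings; the SARIF is still
          # written, so tolerate that exit code and let the upload surface them.
          gosec -fmt sarif -out ../go-results.sarif ./... || true
          if [ -f ../go-results.sarif ]; then
            echo "✅ Gosec scan completed successfully"
          else
            echo "⚠️ Gosec scan did not produce output; nothing will be uploaded"
            exit 1
          fi
      - name: Upload Gosec Results to GitHub Security Tab
        uses: github/codeql-action/upload-sarif@v3
        # Only upload a report the scanner actually produced.
        if: always() && hashFiles('go-results.sarif') != ''
        with:
          sarif_file: go-results.sarif
          category: go-security
      - name: Run Cargo Audit (Rust)
        run: |
          if [ -d "rust" ] && [ -f "rust/Cargo.toml" ]; then
            # TODO(security): pin cargo-audit with --version.
            cargo install cargo-audit
            cd rust && cargo audit --format json --output audit-results.json || true
          else
            echo "Rust directory not found - skipping Cargo audit"
          fi
      - name: Upload Cargo Audit Report
        # The JSON report was previously written and then discarded.
        if: always() && hashFiles('rust/audit-results.json') != ''
        uses: actions/upload-artifact@v4
        with:
          name: cargo-audit-report
          path: rust/audit-results.json
          retention-days: 90
      - name: Run Trivy Vulnerability Scanner
        # Pinned: @master is a mutable branch controlled by a third party.
        # Prefer a full commit SHA (with a version comment) for a security tool.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH,MEDIUM'
        continue-on-error: true
      - name: Upload Trivy Results to GitHub Security Tab
        uses: github/codeql-action/upload-sarif@v3
        if: always() && hashFiles('trivy-results.sarif') != ''
        with:
          sarif_file: 'trivy-results.sarif'
          category: trivy-security
      - name: Run Semgrep Security Analysis
        # NOTE(review): returntocorp/semgrep-action is, as far as I know, no longer
        # maintained; Semgrep's documented CI pattern is `semgrep ci` in the
        # semgrep/semgrep container. Confirm before relying on this step.
        # SEMGREP_APP_TOKEN must be configured in repository settings.
        uses: returntocorp/semgrep-action@v1
        with:
          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
          generateBaseline: ${{ github.event_name == 'workflow_dispatch' }}
        continue-on-error: true

  # Dependency vulnerability and license scanning
  dependency-check:
    name: Dependency Security Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
      - name: Setup Go
        uses: actions/setup-go@v6
        with:
          go-version: '1.23'
      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: "1.82.0"
      - name: Go Dependency Check
        # Best effort; note that continue-on-error also hides an install failure,
        # so check the step log, not just the job status.
        continue-on-error: true
        run: |
          # TODO(security): pin nancy to a release tag instead of @latest.
          # NOTE(review): nancy's repository is github.com/sonatype-nexus-community/nancy;
          # confirm this module path resolves.
          go install github.com/sonatypecommunity/nancy@latest
          # Check for known vulnerabilities in Go dependencies
          cd tinygo
          go list -json -m all | nancy sleuth
      - name: Rust Dependency Check
        continue-on-error: true
        run: |
          if [ -d "rust" ] && [ -f "rust/Cargo.toml" ]; then
            # TODO(security): pin both tools with --version.
            cargo install cargo-audit cargo-deny
            cd rust
            # Check for vulnerabilities
            cargo audit
            # Check licenses and dependency policies (needs deny.toml)
            cargo deny check
          else
            echo "Rust directory not found - skipping Rust dependency checks"
          fi
      - name: License Compliance Check
        run: |
          # An unused `npm install -g license-checker` was removed: nothing ran it,
          # and it pulled an unpinned package into a security job for no purpose.
          # TODO(security): pin go-licenses to a release tag instead of @latest.
          echo "Installing go-licenses tool..."
          go install github.com/google/go-licenses@latest
          # Check for license compliance in dependencies
          echo "Scanning Go module licenses..."
          cd tinygo && go-licenses csv ./... > ../go-licenses.csv || echo "License scan completed with warnings"
          echo "Dependency license scan completed"
      - name: Upload License Report
        # The CSV was previously written and then discarded; keep it reviewable.
        if: always() && hashFiles('go-licenses.csv') != ''
        uses: actions/upload-artifact@v4
        with:
          name: go-licenses
          path: go-licenses.csv
          retention-days: 90

  # Automated dependency updates
  dependency-update:
    name: Automated Dependency Updates
    runs-on: ubuntu-latest
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    # This job writes: it pushes a branch and opens a PR. Declared explicitly
    # because the workflow-level token is read-only.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Go
        uses: actions/setup-go@v6
        with:
          go-version: '1.23'
      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: "1.82.0"
      - name: Update Go Dependencies
        run: |
          cd tinygo
          # Update go.mod
          go get -u ./...
          go mod tidy
          go mod verify
          # Check if there are changes
          if git diff --quiet go.mod go.sum; then
            echo "No Go dependency updates available"
          else
            echo "GO_DEPS_UPDATED=true" >> "$GITHUB_ENV"
          fi
      - name: Update Rust Dependencies
        run: |
          if [ -d "rust" ] && [ -f "rust/Cargo.toml" ]; then
            cd rust
            # Update Cargo.lock with latest compatible versions
            cargo update
            # Check if there are changes
            if git diff --quiet Cargo.lock; then
              echo "No Rust dependency updates available"
            else
              echo "RUST_DEPS_UPDATED=true" >> "$GITHUB_ENV"
            fi
          else
            echo "Rust directory not found - skipping Rust dependency updates"
          fi
      - name: Update Bazel Dependencies
        run: |
          # Check MODULE.bazel for updates (manual review needed)
          echo "Bazel MODULE.bazel dependencies should be updated manually"
          echo "Check for newer versions of:"
          grep -E "bazel_dep|use_extension" MODULE.bazel || true
      - name: Create Pull Request for Dependency Updates
        if: env.GO_DEPS_UPDATED == 'true' || env.RUST_DEPS_UPDATED == 'true'
        # A PR opened with GITHUB_TOKEN does not trigger other workflows, so the
        # CI checklist in the body will not run automatically. Supply a GitHub
        # App token or PAT in `token` if CI must run on the generated PR.
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: 'chore: update dependencies'
          title: 'Automated Dependency Updates'
          body: |
            ## 🤖 Automated Dependency Updates
            This PR contains automated dependency updates:
            ${{ env.GO_DEPS_UPDATED == 'true' && '✅ Go dependencies updated' || '➖ No Go dependency updates' }}
            ${{ env.RUST_DEPS_UPDATED == 'true' && '✅ Rust dependencies updated' || '➖ No Rust dependency updates' }}
            ### Changes Made
            - Updated go.mod and go.sum (if applicable)
            - Updated Cargo.lock (if applicable)
            - All updates use compatible version constraints
            ### Testing
            - [ ] CI/CD pipeline passes
            - [ ] Security scans pass
            - [ ] No breaking changes introduced
            ### Manual Review Required
            - Verify no breaking changes in updated dependencies
            - Review any new security advisories
            - Check for any required code changes
            ---
            This PR was automatically created by the dependency update workflow.
          branch: automated-dependency-updates
          delete-branch: true

  # Supply chain security
  supply-chain-security:
    name: Supply Chain Security
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
      - name: Setup Go
        uses: actions/setup-go@v6
        with:
          go-version: '1.23'
      - name: Generate SLSA Provenance for Go
        run: |
          echo "SLSA provenance generation requires separate workflow"
          echo "Creating placeholder for future SLSA integration"
        continue-on-error: true
      - name: Run SBOM Generation
        run: |
          # Pin the installer script to the same release as the binary. Fetching
          # install.sh from `main` piped it straight into sh from a mutable ref.
          SYFT_VERSION="v1.18.1"
          curl -sSfL "https://raw.githubusercontent.com/anchore/syft/${SYFT_VERSION}/install.sh" | sh -s -- -b /usr/local/bin "${SYFT_VERSION}"
          # Generate SBOM for the repository
          syft . -o spdx-json=sbom.spdx.json -o cyclonedx-json=sbom.cyclonedx.json
          echo "SBOM files generated:"
          ls -la sbom.*
      - name: Upload SBOM Artifacts
        uses: actions/upload-artifact@v4
        with:
          name: sbom-reports
          path: |
            sbom.spdx.json
            sbom.cyclonedx.json
          retention-days: 90
      - name: Install cosign
        # Previously an unverified "latest" cosign binary was curl'd into
        # /usr/local/bin, i.e. the signature verifier itself was unverified.
        # Use the Sigstore-maintained installer instead.
        uses: sigstore/cosign-installer@v3
      - name: Verify Signatures (if available)
        run: |
          cosign version
          echo "Signature verification tools installed"
          # Future: Add actual signature verification for dependencies

  # Security policy and compliance
  security-policy:
    name: Security Policy Compliance
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
      - name: Check Security Policy
        # Report only. The previous version wrote a template SECURITY.md into the
        # runner workspace; it was never committed, but its presence made the
        # summary step below report the policy as present on every run.
        run: |
          if [ -f "SECURITY.md" ]; then
            echo "✅ Security policy exists"
          else
            echo "❌ Security policy missing - add SECURITY.md to the repository root"
            echo "::warning::SECURITY.md is missing from the repository root"
          fi
      - name: Security Configuration Check
        run: |
          echo "## 🔒 Security Configuration Status" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          # Check for security-related files (as committed, not generated by CI)
          echo "### Security Files" >> "$GITHUB_STEP_SUMMARY"
          echo "- Security Policy: $([ -f SECURITY.md ] && echo '✅' || echo '❌')" >> "$GITHUB_STEP_SUMMARY"
          echo "- Code of Conduct: $([ -f CODE_OF_CONDUCT.md ] && echo '✅' || echo '❌')" >> "$GITHUB_STEP_SUMMARY"
          echo "- License: $([ -f LICENSE ] && echo '✅' || echo '❌')" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "### Workflow Security" >> "$GITHUB_STEP_SUMMARY"
          echo "- Dependabot: $([ -f .github/dependabot.yml ] && echo '✅' || echo '❌')" >> "$GITHUB_STEP_SUMMARY"
          echo "- Security Scanning: ✅ Enabled" >> "$GITHUB_STEP_SUMMARY"
          echo "- Dependency Updates: ✅ Automated" >> "$GITHUB_STEP_SUMMARY"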