[CICD] Slamm Improvements to CI/CD

reactive-firewall · reactive-firewall · commit 3c3540bc06ae · 2025-07-24T20:04:00.000-07:00
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
@@ -0,0 +1,57 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Bandit is a security linter designed to find common security issues in Python code.
+# This action will run Bandit on your codebase.
+# The results of the scan will be found under the Security tab of your repository.
+
+# https://github.com/marketplace/actions/python-bandit-scan is ISC licensed
+# https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA
+---
+name: Bandit
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches: ["main", "master", "stable"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main", "master", "stable", "feature-*", "patch-*", "HOTFIX-*"]
+
+permissions: {}
+
+jobs:
+  bandit:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      statuses: write
+      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Bandit Scan
+        uses: reactive-firewall/python-bandit-scan@c56ff8d84b6e111989d803bbd884a7969363332c # v2.3
+        with:  # optional arguments
+          # exit with 0, even with results found
+          exit_zero: true  # optional, default is DEFAULT
+          # Github token of the repository (automatically created by Github)
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information.
+          # File or directory to run bandit on
+          path: "."  # optional, default is .
+          # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH.
+          #  Default is UNDEFINED (everything)
+          # level: MEDIUM  # optional, default is UNDEFINED
+          # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH.
+          #  Default is UNDEFINED (everything)
+          # confidence:  # optional, default is UNDEFINED
+          # comma-separated list of paths (glob patterns supported) to exclude from scan
+          #  (note that these are in addition to the excluded paths provided in the config file)
+          #  (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
+          # excluded_paths:  # optional, default is DEFAULT
+          # comma-separated list of test IDs to skip
+          # skips:  # optional, default is DEFAULT
+          # path to a .bandit file that supplies command line arguments
+          # ini_path:  # optional, default is DEFAULT
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -1,21 +1,22 @@
-# This workflow uses actions that are not certified by GitHub. They are provided
-# by a third-party and are governed by separate terms of service, privacy
-# policy, and support documentation.
-
+# .github/workflows/scorecard.yml
+# Reference: https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml
+---
 name: Scorecard supply-chain security
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
-  branch_protection_rule:
+  # branch_protection_rule:
+  push:
+  # Only the default branch is supported.
+  branches: ["main", "master"]
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
+    # Weekly on Fridays.
     - cron: '18 9 * * 5'
-  push:
-    branches: [ master ]
 
 # Declare default permissions as read only.
-permissions: read-all
+permissions: {}
 
 jobs:
   analysis:
@@ -32,34 +33,30 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           submodules: true
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde  # v2.4.2
         with:
           results_file: results.sarif
           results_format: sarif
-          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
-          # - you want to enable the Branch-Protection check on a *public* repository, or
-          # - you are installing Scorecard on a *private* repository
-          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # Read-only PAT token. To create it,
+          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
           repo_token: ${{ secrets.SCORECARD_TOKEN }}
-          # Public repositories:
-          #   - Publish results to OpenSSF REST API for easy access by consumers
-          #   - Allows the repository to include the Scorecard badge.
-          #   - See https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories:
-          #   - `publish_results` will always be set to `false`, regardless
-          #     of the value entered here.
-          publish_results: false
+          # Publish the results to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # If you are installing the action on a private repo, set it to `publish_results: false`
+          # or comment out the following line.
+          publish_results: true
 
-      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
-      # format to the repository Actions tab.
+      # Upload the results as artifacts (optional). Commenting out will disable
+      # uploads of run results in SARIF format to the repository Actions tab.
+      # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
       - name: "Upload artifact"
-        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
         with:
           name: SARIF file
           path: results.sarif
@@ -68,6 +65,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@d6bbdef45e766d081b84a2def353b0055f728d3e  # v3.29.3
         with:
           sarif_file: results.sarif
