diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml
index f2c8326..8bf3cef 100644
--- a/.github/workflows/pipelines.yml
+++ b/.github/workflows/pipelines.yml
@@ -1,12 +1,12 @@
 name: Asp.Versioning Ext. CI/CD Pipeline
 on:
 pull_request:
+ branches: [main]
 paths-ignore:
- - .codecov
- - .docfx
- - .github
- - .nuget
- - '**.md'
+ - .codecov/**
+ - .docfx/**
+ - .nuget/**
+ - '**/*.md'
 workflow_dispatch:
 inputs:
 configuration:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 0000000..aabea97
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,42 @@
+name: Scorecard supply-chain security
+on:
+ branch_protection_rule:
+ schedule:
+ - cron: '45 17 * * 2'
+ push:
+ branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@v2.4.0
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@v4
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
diff --git a/README.md b/README.md
index 3ba4eca..aa569df 100644
--- a/README.md
+++ b/README.md
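Review bot: The new `paths-ignore` still excludes `.nuget/**` from `pull_request` runs, so a PR that only touches that directory merges without the pipeline ever building it; if `.nuget/` holds NuGet.Config or package-source settings, that is precisely the kind of change a supply-chain review wants built and tested, and it should come off the list (removing `.github` from the list, so that workflow edits now trigger CI, is the right call for the same reason). It is also worth confirming that `'**/*.md'` still matches a top-level `README.md` the way `'**.md'` did; GitHub's filter syntax documents `**` as matching across `/`, but if the `/` in the new pattern is required, root-level markdown-only PRs would start running the full pipeline. Lastly, `paths-ignore` on `pull_request` means any job listed as a required status check stays "expected" forever on an ignored-only PR and blocks the merge; if checks are required, a trivial unfiltered job or a `paths`-based job split avoids that.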
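Review bot: Every `uses:` in the new job references a mutable tag (`actions/checkout@v4`, `ossf/scorecard-action@v2.4.0`, `actions/upload-artifact@v4`, `github/codeql-action/upload-sarif@v3`); Scorecard's own Pinned-Dependencies check will flag this in the very workflow that produces the score, and a tag can be repointed after the fact, so pin each step to a full-length commit SHA with the version kept in a trailing comment, e.g. `uses: ossf/scorecard-action@<full-commit-sha>  # v2.4.0`. The rest follows the upstream template: `permissions: read-all` at the top with `security-events: write` and `id-token: write` scoped to the job, `persist-credentials: false` on checkout, and `publish_results: true` paired with the `id-token` grant it needs. Two nits: `branches: [ "main" ]` uses inner spaces and quotes that the other workflow's `[main]` does not, and the bare `branch_protection_rule:` reads as an empty value at a glance, so a one-line comment above it such as `# re-score when branch protection settings change` would make the trigger's intent explicit.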
@@ -2,7 +2,7 @@ # Extensions for Asp.Versioning API by Codebelt -[![Asp.Versioning Ext. CI/CD Pipeline](https://github.com/codebeltnet/asp-versioning/actions/workflows/pipelines.yml/badge.svg)](https://github.com/codebeltnet/asp-versioning/actions/workflows/pipelines.yml) [![codecov](https://codecov.io/gh/codebeltnet/asp-versioning/graph/badge.svg?token=BN2UhFM3bb)](https://codecov.io/gh/codebeltnet/asp-versioning) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=asp-versioning&metric=alert_status)](https://sonarcloud.io/dashboard?id=asp-versioning) [![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=asp-versioning&metric=sqale_rating)](https://sonarcloud.io/dashboard?id=asp-versioning) [![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=asp-versioning&metric=reliability_rating)](https://sonarcloud.io/dashboard?id=asp-versioning) [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=asp-versioning&metric=security_rating)](https://sonarcloud.io/dashboard?id=asp-versioning) +[![Asp.Versioning Ext. 
CI/CD Pipeline](https://github.com/codebeltnet/asp-versioning/actions/workflows/pipelines.yml/badge.svg)](https://github.com/codebeltnet/asp-versioning/actions/workflows/pipelines.yml) [![codecov](https://codecov.io/gh/codebeltnet/asp-versioning/graph/badge.svg?token=BN2UhFM3bb)](https://codecov.io/gh/codebeltnet/asp-versioning) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=asp-versioning&metric=alert_status)](https://sonarcloud.io/dashboard?id=asp-versioning) [![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=asp-versioning&metric=sqale_rating)](https://sonarcloud.io/dashboard?id=asp-versioning) [![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=asp-versioning&metric=reliability_rating)](https://sonarcloud.io/dashboard?id=asp-versioning) [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=asp-versioning&metric=security_rating)](https://sonarcloud.io/dashboard?id=asp-versioning) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/codebeltnet/asp-versioning/badge)](https://scorecard.dev/viewer/?uri=github.com/codebeltnet/asp-versioning) An open-source project (MIT license) that targets and complements the [Asp.Versioning](https://github.com/dotnet/aspnet-api-versioning) versioning engine. It aims to provide a uniform and convenient developer experience when working with RESTful API versioning.