diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..7fe3850
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+ - package-ecosystem: "nuget"
+ directory: "/src"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 0
+ - package-ecosystem: "nuget"
+ directory: "/test"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 0
+ - package-ecosystem: "github-actions"
+ directory: "/.github/workflows"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 0
diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml
index e4cc1ae..2f4dfa2 100644
--- a/.github/workflows/pipelines.yml
+++ b/.github/workflows/pipelines.yml
@@ -1,10 +1,12 @@
 name: Bootstrapper Pipeline
 on:
 pull_request:
+ branches: [main]
 paths-ignore:
- - .github/**
+ - .codecov/**
+ - .docfx/**
 - .nuget/**
- - '**.md'
+ - '**/*.md'
 workflow_dispatch:
 inputs:
 configuration:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 0000000..aabea97
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,42 @@
+name: Scorecard supply-chain security
+on:
+ branch_protection_rule:
+ schedule:
+ - cron: '45 17 * * 2'
+ push:
+ branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@v2.4.0
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@v4
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
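Review bot: `open-pull-requests-limit: 0` on all three `updates` entries means Dependabot will open no version-update pull requests for `nuget` or `github-actions`; in GitHub's documented semantics a limit of 0 disables version updates for that ecosystem, and only security updates (which use a separate internal limit) would still arrive. If security-only is the intent, make it explicit with a comment above each entry such as `# limit 0: version updates disabled, security updates only`; if routine bumps are wanted, raise the limit (the default is 5). Also worth confirming that `directory: "/.github/workflows"` is accepted for the `github-actions` ecosystem, since the documented value is `"/"`, under which Dependabot scans `.github/workflows` itself.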
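Review bot: With `branches: [main]` and the widened `paths-ignore` on `pull_request`, a PR that targets `main` but touches only ignored paths (`.codecov/**`, `.docfx/**`, `.nuget/**`, Markdown) gets no run of this workflow at all; if `Bootstrapper Pipeline` is configured as a required status check on `main`, such PRs will sit with the check pending rather than passing, which is GitHub's documented "skipped but required" behaviour. If that is the case, either keep the check non-required or add a sibling workflow with the same job name that runs on the inverse `paths:` filter and succeeds trivially. Dropping `.github/**` from the ignore list is a sound hardening, since workflow edits now get exercised by the pipeline. The `on:` block continues past the end of the hunk.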
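Review bot: All four `uses:` references are pinned to mutable tags (`actions/checkout@v4`, `ossf/scorecard-action@v2.4.0`, `actions/upload-artifact@v4`, `github/codeql-action/upload-sarif@v3`), so a moved or compromised tag changes what executes in a job that holds `id-token: write` and `security-events: write`; Scorecard's own Pinned-Dependencies check will flag this workflow for exactly that. Pin each action to its full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: ossf/scorecard-action@<commit-sha>  # v2.4.0`, where `<commit-sha>` is the 40-character SHA of that release; the `github-actions` Dependabot entry added in the same commit can then keep the SHAs current, provided its `open-pull-requests-limit` is raised above 0. The `branch_protection_rule:` trigger, top-level `permissions: read-all` and `persist-credentials: false` on checkout match the upstream Scorecard template, so nothing else stands out.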
diff --git a/README.md b/README.md index 1ea9149..74a4366 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,10 @@ ![Bootstrapper API by Codebelt](.nuget/Codebelt.Bootstrapper/icon.png) # Bootstrapper API by Codebelt +[![bootstrapper CI/CD Pipeline](https://github.com/codebeltnet/bootstrapper/actions/workflows/pipelines.yml/badge.svg)](https://github.com/codebeltnet/bootstrapper/actions/workflows/pipelines.yml) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=bootstrapper&metric=alert_status)](https://sonarcloud.io/dashboard?id=bootstrapper) [![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=bootstrapper&metric=sqale_rating)](https://sonarcloud.io/dashboard?id=bootstrapper) [![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=bootstrapper&metric=reliability_rating)](https://sonarcloud.io/dashboard?id=bootstrapper) [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=bootstrapper&metric=security_rating)](https://sonarcloud.io/dashboard?id=bootstrapper) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/codebeltnet/bootstrapper/badge)](https://scorecard.dev/viewer/?uri=github.com/codebeltnet/bootstrapper) + +An open-source family of assemblies (MIT license) that provide a uniform and consistent way of bootstraping your code with Program.cs paired with Startup.cs -OR- using the new `Minimal` equivalent for all project types. + ## Codebelt.Bootstrapper The core types of this lightweight boostrapper framework optimized for console apps, providing a uniform and consistent implementation of: