upstream/mattermost
1
0
Fork 0
mirror of https://github.com/mattermost/mattermost.git synced 2026-02-03 20:40:00 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
mattermost/.github/workflows/scorecards-analysis.yml
Jesse Hallam 06b1bf3a51
MM-64878: FIPS Build (#33809) 
* pin to ubuntu-24.04

* always use FIPS compatible Postgres settings

* use sha256 for remote cluster IDs

* use sha256 for client config hash

* rework S3 backend to be FIPS compatible

* skip setup-node during build, since already in container

* support FIPS builds

* Dockerfile for FIPS image, using glibc-openssl-fips

* workaround entrypoint inconsistencies

* authenticate to DockerHub

* fix FIPS_ENABLED, add test-mmctl-fips

* decouple check-mattermost-vet from test/build steps

* fixup! decouple check-mattermost-vet from test/build steps

* only build-linux-amd64 for fips

* rm entrypoint workaround

* tweak comment grammar

* rm unused Dockerfile.fips (for now)

* ignore gpg import errors, since would fail later anyway

* for fips, only make package-linux-amd64

* set FIPS_ENABLED for build step

* Add a FIPS-specific list of prepackaged plugins

Note that the names are still temporary, since they are not uploaded to
S3 yet. We may need to tweak them when that happens.

* s/golangci-lint/check-style/

This ensures we run all the `check-style` checks: previously,
`modernize` was missing.

* pin go-vet to @v2, remove annoying comment

* add -fips to linux-amd64.tz.gz package

* rm unused setup-chainctl

* use BUILD_TYPE_NAME instead

* mv fips build to enterprise-only

* fixup! use BUILD_TYPE_NAME instead

* temporarily pre-package no plugins for FIPS

* split package-cleanup

* undo package-cleanup, just skip ARM, also test

* skip arm for FIPS in second target too

* fmt Makefile

* Revert "rm unused Dockerfile.fips (for now)"

This reverts commit 601e37e0ff.

* reintroduce Dockerfile.fips and align with existing Dockerfile

* s/IMAGE/BUILD_IMAGE/

* bump the glibc-openssl-fips version

* rm redundant comment

* fix FIPS checks

* set PLUGIN_PACKAGES empty until prepackaged plugins ready

* upgrade glibc-openssl-fips, use non-dev version for final stage

* another BUILD_IMAGE case

* Prepackage the FIPS versions of plugins

* relocate FIPS_ENABLED initialization before use

* s/Config File MD5/Config File Hash/

* Update the FIPS plugin names and encode the + sign

* add /var/tmp for local socket manipulation

---------

Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com>
Co-authored-by: Mattermost Build <build@mattermost.com>
2025-09-15 10:53:28 -03:00

61 lines
2.4 KiB
YAML
Raw Permalink Blame History

name: Scorecards supply-chain security
on:
# Only the default branch is supported.
branch_protection_rule:
schedule:
- cron: "44 6 * * *"
# Declare default permissions as read only.
permissions: read-all
jobs:
analysis:
name: Scorecard analysis
if: github.repository_owner == 'mattermost'
runs-on: ubuntu-24.04
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Needed to publish results and get a badge (see publish_results below).
id-token: write
steps:
- name: "Checkout code"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
with:
results_file: results.sarif
results_format: sarif
# (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
# - you want to enable the Branch-Protection check on a *public* repository, or
# - you are installing Scorecard on a *private* repository
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
# Public repositories:
# - Publish results to OpenSSF REST API for easy access by consumers
# - Allows the repository to include the Scorecard badge.
# - See https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories:
# - `publish_results` will always be set to `false`, regardless
# of the value entered here.
publish_results: true
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: SARIF file
path: results.sarif
retention-days: 5
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v2.27.0
with:
sarif_file: results.sarif
Reference in a new issue View git blame Copy permalink