
Ossf/gha scorecard #30

Merged
merged 4 commits into from
Nov 16, 2024

Conversation

gimlichael
Member

@gimlichael gimlichael commented Nov 15, 2024

This pull request includes several changes to the GitHub workflows and documentation for the project. The most important changes include adding a new workflow for Scorecard supply-chain security, updating the paths to ignore in the pipelines workflow, and modifying the README file to reflect deprecations and add a new badge.

GitHub Workflows:

  • .github/workflows/scorecard.yml: Added a new workflow for Scorecard supply-chain security, which includes a schedule, push triggers, and steps for running analysis and uploading results.
  • .github/workflows/pipelines.yml: Updated the paths-ignore section to exclude .github/** and changed the pattern for markdown files to '**/*.md'.

Documentation:

  • README.md: Updated to indicate that support for .NET 6 and .NET 7 has been deprecated.
  • README.md: Added an OpenSSF Scorecard badge to the list of badges.

Summary by CodeRabbit

  • New Features

    • Introduced a new deployment job in the pipeline for streamlined application deployment.
    • Added a new workflow for supply-chain security analysis, automating security metrics reporting.
  • Documentation

    • Updated README to reflect deprecation of support for .NET 6 and .NET 7.
    • Enhanced CI/CD documentation to indicate migration to GitHub Actions and revised branching strategy.
  • Bug Fixes

    • Improved pipeline structure for better job execution and testing across environments.

@gimlichael gimlichael self-assigned this Nov 15, 2024

coderabbitai bot commented Nov 15, 2024

Walkthrough

The pull request introduces multiple updates to the workflow configurations and documentation of the Savvyi I/O project. Key changes include enhancements to the existing pipeline in .github/workflows/pipelines.yml, the addition of a new security analysis workflow in .github/workflows/scorecard.yml, and significant updates to the README.md regarding .NET support and CI/CD practices. These modifications improve the structure, clarity, and security analysis capabilities of the project.

Changes

File: .github/workflows/pipelines.yml
  - Updated paths-ignore to **/*.md for broader Markdown file exclusion.
  - Added deploy job with conditional execution.
  - Updated build job to calculate version.
  - Modified test job to include matrix strategy.
  - Structured sonarcloud, codecov, and codeql jobs to depend on build and test jobs.

File: .github/workflows/scorecard.yml
  - Introduced new workflow for supply-chain security analysis triggered by branch protection, schedule, and pushes.
  - Added analysis job with steps for code checkout, security analysis, artifact upload, and code scanning upload.

File: README.md
  - Deprecated support for .NET 6 and .NET 7, noting version 3.0.0 as the last for .NET 6.
  - Updated CI/CD practices to reflect migration to GitHub Actions.
  - Revised branching strategy to a trunk-based approach, indicating maintenance of only the main branch.

🐇 In the fields so wide and green,
Savvyi I/O shines, a sight unseen.
With workflows fresh and docs anew,
.NET's past, we bid adieu.
From Azure's hold to GitHub's embrace,
Our code now dances at a faster pace! 🌼



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (5)
.github/workflows/scorecard.yml (1)

1-10: Consider optimizing the schedule timing

The workflow is scheduled to run every Tuesday at 17:45 UTC. Consider running it during off-peak hours to minimize resource contention with other workflows.

-    - cron: '45 17 * * 2'
+    - cron: '0 2 * * 2'  # Run at 2 AM UTC on Tuesdays
.github/workflows/pipelines.yml (2)

Line range hint 214-224: Consider adding deployment safeguards.

The deploy job is well-structured with:

  • ✅ Appropriate conditional execution preventing PR deployments
  • ✅ Comprehensive dependencies on all quality gates
  • ✅ Production environment usage
  • ✅ Proper version management

Consider these enhancements:

  1. Add deployment approval gates using environment protection rules
  2. Implement retry mechanism for NuGet push to handle transient failures

Example configuration for retry mechanism:

       - uses: codebeltnet/nuget-push@v1
         with:
           token: ${{ secrets.NUGET_TOKEN }}
           configuration: ${{ inputs.configuration == '' && 'Release' || inputs.configuration }}
+          retryAttempts: 3
+          retryDelay: 10000
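Review bot: `retryAttempts` and `retryDelay` are shown here as `with:` inputs to `codebeltnet/nuget-push@v1`, but nothing on this page shows that action declaring either input; GitHub Actions does not fail on an unknown `with:` key, it only logs an "Unexpected input(s)" warning, so the retry would silently not exist. Confirm both names against the action's action.yml before committing this suggestion, or implement the retry at the workflow level instead.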

Security improvements needed for GitHub Actions workflow

  1. All custom actions are using major version tags (e.g., @v1, @v2, @v3) instead of specific commit hashes, which could allow for potential supply chain attacks if the actions are compromised.
  2. No timeout limits are set for any jobs, which could lead to excessive resource consumption or hung jobs.

Recommended changes:

  • Pin all actions to specific commit hashes instead of major versions (e.g., @{commit-hash})
  • Add timeout-minutes to each job to prevent indefinite runs
  • Consider using official GitHub Actions where possible to reduce third-party dependencies
🔗 Analysis chain

Line range hint 1-224: Verify custom actions security.

The workflow heavily relies on custom actions from the codebeltnet organization. While this provides consistency, it's important to:

  1. Ensure these actions are maintained and regularly updated for security
  2. Consider adding timeout limits to prevent long-running jobs
  3. Pin action versions to specific commits instead of major versions for better security
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check the last update dates and versions of custom actions used in the workflow

# List all custom actions and their versions
echo "Checking custom actions versions and last updates..."
rg "uses: codebeltnet/([a-zA-Z0-9-]+)@v\d+" -o | sort -u | while read -r action; do
  echo "Action: $action"
  # Extract action name and version
  name=$(echo "$action" | cut -d'/' -f2 | cut -d'@' -f1)
  
  # Use GitHub API to check last update
  gh api "repos/codebeltnet/$name" --jq '.updated_at + " | Stars: " + (.stargazers_count|tostring) + " | Open Issues: " + (.open_issues_count|tostring)'
done

Length of output: 190


Script:

#!/bin/bash
# Let's try a different approach to analyze the custom actions usage

# First, let's extract all the custom actions and their versions
echo "Custom actions usage:"
rg "uses:\s+codebeltnet/[^\s]+" .github/workflows/pipelines.yml

# Check for timeout settings
echo -e "\nTimeout settings:"
rg "timeout-minutes:" .github/workflows/pipelines.yml

# Check if any actions are pinned to specific commits
echo -e "\nCommit hash pinned actions:"
rg "uses:\s+\S+@[0-9a-f]{40}" .github/workflows/pipelines.yml

Length of output: 1762

README.md (2)

25-25: Format the documentation URL using proper markdown syntax.

The bare URL should be formatted as a proper markdown link for better readability and maintainability.

Apply this change:

-Full documentation (generated by [DocFx](https://github.com/dotnet/docfx)) located here: https://docs.savvyio.net/
+Full documentation (generated by [DocFx](https://github.com/dotnet/docfx)) is located here: [https://docs.savvyio.net/](https://docs.savvyio.net/)
🧰 Tools
🪛 Markdownlint

25-25: null
Bare URL used

(MD034, no-bare-urls)


29-29: Fix grammar in the code quality analysis statement.

There's a subject-verb agreement issue in the sentence.

Apply this change:

-All code quality analysis are done by [SonarCloud](https://sonarcloud.io/) and [CodeCov.io](https://codecov.io/).
+All code quality analysis is done by [SonarCloud](https://sonarcloud.io/) and [CodeCov.io](https://codecov.io/).
🧰 Tools
🪛 LanguageTool

[grammar] ~29-~29: The verb form ‘are’ does not appear to fit in this context.
Context: ...odebeltnet) umbrella. All code quality analysis are done by [SonarCloud](https://sonarcloud...

(SINGULAR_NOUN_VERB_AGREEMENT)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 108b1a3 and 9140c36.

📒 Files selected for processing (3)
  • .github/workflows/pipelines.yml (1 hunks)
  • .github/workflows/scorecard.yml (1 hunks)
  • README.md (1 hunks)
🧰 Additional context used
🪛 LanguageTool
README.md

[grammar] ~29-~29: The verb form ‘are’ does not appear to fit in this context.
Context: ...odebeltnet) umbrella. All code quality analysis are done by [SonarCloud](https://sonarcloud...

(SINGULAR_NOUN_VERB_AGREEMENT)

🪛 Markdownlint
README.md

25-25: null
Bare URL used

(MD034, no-bare-urls)

🔇 Additional comments (6)
.github/workflows/scorecard.yml (3)

11-18: LGTM! Well-structured job configuration

The job permissions follow the principle of least privilege by explicitly declaring only the required write permissions for security-events and id-token.


1-42: Verify workflow completeness against OSSF best practices

Let's verify if the workflow includes all recommended components and follows OSSF Scorecard best practices.

#!/bin/bash
# Check for common OSSF Scorecard workflow patterns
echo "Checking for common required steps..."

# Check if other repositories use additional important steps
gh api graphql -f query='
{
  search(query: "filename:scorecard.yml path:.github/workflows", type: CODE, first: 10) {
    nodes {
      ... on CodeResult {
        repository {
          nameWithOwner
        }
        file {
          text
        }
      }
    }
  }
}' | jq -r '.data.search.nodes[].file.text'

25-31: Verify the latest version of scorecard-action

The workflow uses ossf/[email protected]. Let's verify if this is the latest stable version.

.github/workflows/pipelines.yml (1)

9-9: LGTM! More explicit glob pattern.

The updated pattern **/*.md follows standard glob pattern conventions and is more explicit about matching Markdown files.

README.md (2)

19-23: LGTM! Clear deprecation notice with proper versioning information.

The deprecation notice is well-structured and provides clear information about the last supported versions for both .NET 6 and .NET 7, along with a reference to the .NET support lifecycle.


31-31: LGTM! Well-integrated OpenSSF Scorecard badge.

The OpenSSF Scorecard badge is properly integrated with the existing badges, maintaining consistent formatting and providing valuable security posture information.

Comment on lines +32 to +38
- name: "Upload artifact"
uses: actions/upload-artifact@v4
with:
name: SARIF file
path: results.sarif
retention-days: 5
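Review bot: `actions/upload-artifact@v4` on the `uses:` line is pinned to a mutable major-version tag, the same pattern the review flags for the codebeltnet actions under "Security improvements needed"; pin it to the full commit SHA of the v4 release (`uses: actions/upload-artifact@<full 40-hex sha> # v4`, keeping the tag in a trailing comment for readability) so a moved tag cannot change the code that handles results.sarif before upload.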


🛠️ Refactor suggestion

Consider extending the artifact retention period

A 5-day retention period for security analysis results might be too short for compliance and audit purposes. Consider extending this to at least 30 days.

-          retention-days: 5
+          retention-days: 30
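Review bot: the walkthrough notes that the same results.sarif is also uploaded to code scanning, so this artifact is a secondary copy of the findings; the 30-day figure only serves the stated audit purpose if auditors consume the artifact rather than the code scanning alerts, and the artifact stays downloadable by anyone with read access to the repository for as long as it is retained. State which copy is the record of reference before extending retention.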
Suggested change
- name: "Upload artifact"
uses: actions/upload-artifact@v4
with:
name: SARIF file
path: results.sarif
retention-days: 5
- name: "Upload artifact"
uses: actions/upload-artifact@v4
with:
name: SARIF file
path: results.sarif
retention-days: 30
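The two workflow findings raised in the review above (actions pinned to mutable tags and jobs without `timeout-minutes`) can be checked locally before a PR is opened. The following is an added example, not code from this PR or the project: a POSIX-sh audit using only grep, sed and awk (no rg or gh), run over a constructed weak workflow and its hardened counterpart. The workflow contents, the function names and the all-zero/all-one placeholder SHAs are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the PR or the project): POSIX-sh audit for the two
# workflow findings raised in the review, using only grep/sed/awk.
#   1. `uses:` references that are not pinned to a full 40-hex commit SHA
#   2. jobs that declare no `timeout-minutes:`
# The workflows below are constructed for the example; the SHAs are placeholders.

# Print each `uses:` target not pinned to a 40-hex SHA. Local actions (./path)
# have no ref to pin and are skipped; trailing "# v4" comments are ignored.
unpinned_uses() {
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//' \
    | grep -v '^\./' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# Print each job under `jobs:` that has no job-level `timeout-minutes:`
# (job keys at 2-space indent, job settings at 4-space indent).
jobs_without_timeout() {
  awk '
    /^jobs:/ { injobs = 1; next }
    injobs && /^[^[:space:]]/ { injobs = 0 }
    injobs && /^  [A-Za-z0-9_-]+:/ { job = $1; sub(/:$/, "", job); jobs[++n] = job; next }
    injobs && /^    timeout-minutes:/ { has[job] = 1 }
    END { for (i = 1; i <= n; i++) if (!has[jobs[i]]) print jobs[i] }
  ' "$1"
}

# Constructed "before" workflow: tag-pinned actions, no job timeout.
weak_workflow() {
cat <<'EOF'
name: Scorecard supply-chain security
on:
  schedule:
    - cron: '45 17 * * 2'
  push:
    branches: [ main ]
permissions: read-all
jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@v4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
EOF
}

# Constructed "after" workflow: SHA-pinned actions (PLACEHOLDER SHAs, resolve
# the real commit of each release before use) and a job-level timeout.
hardened_workflow() {
cat <<'EOF'
name: Scorecard supply-chain security
on:
  schedule:
    - cron: '45 17 * * 2'
  push:
    branches: [ main ]
permissions: read-all
jobs:
  analysis:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      security-events: write
      id-token: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (PLACEHOLDER SHA)
      - uses: actions/upload-artifact@1111111111111111111111111111111111111111 # v4 (PLACEHOLDER SHA)
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 30
EOF
}

# Run both checks on the workflow printed by the named function and echo
# "<unpinned-count> <jobs-without-timeout-count>".
count_findings() {
  f=$(mktemp)
  "$1" > "$f"
  u=$(unpinned_uses "$f" | wc -l)
  t=$(jobs_without_timeout "$f" | wc -l)
  rm -f "$f"
  echo "$((u)) $((t))"
}

# Stand-alone demo: the weak workflow yields "2 1", the hardened one "0 0".
for w in weak_workflow hardened_workflow; do
  echo "$w: unpinned / no-timeout = $(count_findings "$w")"
done
```

Point `unpinned_uses` and `jobs_without_timeout` at a real file under .github/workflows to audit it; the hardened workflow shows the shape the review asks for (SHA pin with the tag kept as a comment, plus `timeout-minutes` at job level) and passes both checks.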


codecov bot commented Nov 15, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.54%. Comparing base (d943657) to head (9140c36).
Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #30   +/-   ##
=======================================
  Coverage   89.54%   89.54%           
=======================================
  Files         158      158           
  Lines        3289     3289           
  Branches      331      331           
=======================================
  Hits         2945     2945           
  Misses        342      342           
  Partials        2        2           


@gimlichael gimlichael merged commit 152e092 into main Nov 16, 2024
124 checks passed
@gimlichael gimlichael deleted the ossf/gha-scorecard branch November 16, 2024 12:28
@coderabbitai coderabbitai bot mentioned this pull request Jan 31, 2025