scorecards - update with review comments
Signed-off-by: Nigel Jones <jonesn@uk.ibm.com>
planetf1 committed Jun 24, 2024
1 parent 31ec061 commit 373d17f
Showing 1 changed file with 8 additions and 5 deletions.
13 changes: 8 additions & 5 deletions docs/PROCEDURES.md
Expand Up @@ -6,9 +6,9 @@ The OpenSSF, via the [scorecard](https://securityscorecards.dev/) project recomm
dependencies they use:

* to ensure reproducibility
* to reduce the change for rogue dependency updates to compromise software
* to reduce the risk for rogue dependency updates to compromise software

It's important to note that this requires any changes to dependencies are properly reviews, and
It's important to note that this requires any changes to dependencies are properly review, and
these changes, by design, should not be automatic in themselves, though automated tools may provide recommendations.

### Python dependencies
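Review bot: the replacement line `It's important to note that this requires any changes to dependencies are properly review, and` still has a grammatical error: `review` should be `reviewed`, and the sentence reads more naturally as `this requires that any changes to dependencies are properly reviewed`. The other replacement line, `to reduce the risk for rogue dependency updates to compromise software`, would be clearer as `to reduce the risk of rogue dependency updates compromising software`.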
Expand All @@ -19,7 +19,7 @@ This is done by:
* Using the `--require-hashes` option on any `pip install` command line
* Adding the required hash in the `requirements.txt`

Currently this is used withou `.github/workflows` but the same principle applies elsewhere.
Currently this is used within `.github/workflows` but the same principle applies elsewhere.

To make this easier, a version of the `requirements.txt` without hashes has been saved as `requirements.in`. This is
to make maintenance easier, but it is not used at script execution time.
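Review bot: the typo fix (`withou` to `within`) is correct, but `the same principle applies elsewhere` gives the reader no concrete scope; consider naming where else hash-checked installs are expected, or stating plainly that `--require-hashes` is currently only used by the workflows under `.github/workflows`, so the guidance can actually be followed.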
Expand All @@ -33,7 +33,7 @@ This is done by:

This will update requirements.txt with the correct hashes.

Correction function should be verified, and then both `requirements.txt` and `requirements.in` checked in.
Correct functionality should be verified, and then both `requirements.txt` and `requirements.in` checked in.

### Github Actions

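Review bot: `Correct functionality should be verified` does not say how. The GitHub Actions section later in this same commit tells the reader to check the action logs and outputs; this sentence would benefit from an equivalent hint, for example that the workflow's `pip install --require-hashes` step should be run against the regenerated `requirements.txt` and confirmed to succeed before both files are checked in.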
Expand All @@ -54,10 +54,12 @@ by, for example, running:
pin-github-action unix.yml
```

This will update the hashes with the latest version if no pinned value is set.
This will add the appropriate hash if not present, and also update each hash in accordance with the comment.

For major updates, update the comment ie `pin@v4` to `pin@v5` and the tool will attempt to find the new hash.

A full explanation of how the tool operates can be found in the [documentation](https://github.com/mheap/pin-github-action).

To help in explanation here's an example of a similar code fragment between tool executions:

* Original entry is `uses: actions/checkout@v3`
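Review bot: in `update the comment ie `pin@v4` to `pin@v5``, `ie` should be `i.e.` (or `for example`). The new sentence `update each hash in accordance with the comment` would also be clearer if it named the comment it refers to, i.e. the `# pin@v4` comment on the same `uses:` line, since that is the value the tool resolves to a hash.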
Expand All @@ -67,3 +69,4 @@ To help in explanation here's an example of a similar code fragment between tool
* Now run `pin-github-action unix.yml` to correct the sha
* File now shows `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4`

When changes have been made, correct functionality of the Github actions should be verified by reviewing the Github action logs and outputs. The SHA inserted by the tool can be searched for in Github to check it is associated with the expected version.
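Review bot: the added line spells the product `Github` three times (the `### Github Actions` heading in the context above uses the same form); the official spelling is `GitHub`, so consider correcting the heading and this sentence together. The verification advice itself is a welcome addition, but `searched for in Github` is vague: state that the SHA should be looked up in the action's own repository (its tags or commit history) and compared with the version in the `# pin@v4` comment, and that this check is part of the review the earlier section says dependency changes must receive before they are merged.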
