OpenVisualCloud · Mionsz · Dec 3, 2024 · Dec 3, 2024 · Dec 3, 2024 · Dec 18, 2024
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -13,7 +13,7 @@ concurrency:
 
 jobs:
   dependency-review:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: 'Harden Runner'
         uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1

diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
@@ -19,56 +19,99 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  hadolint:
+  hadolint-main-dockerfile:
     name: dockerfile lint
     permissions:
+      actions: read
       security-events: write
-    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    runs-on: ubuntu-22.04
     steps:
+    - name: 'setup: harden runner'
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      with:
+        egress-policy: audit
+
     - name: "setup: checkout repo"    
       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-    - name: Create sarif output folder
-      run: mkdir -p "${{ github.workspace }}/sarif"
-
-    - name: "scan: ./Dockerfile hadolint scan sarif output"
-      uses: hadolint/hadolint-action@v3.1.0
+    - name: "scan: ./Dockerfile hadolint scan tty output"
+      uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
       with:
-        dockerfile: Dockerfile
+        dockerfile: "${{ github.workspace }}/Dockerfile"
         config: .github/configs/hadolint.yaml
-        format: sarif
-        output-file: "${{ github.workspace }}/sarif/main-${{ env.HADOLINT_RESULTS_FILE }}"
+        format: tty
         no-fail: false
-        failure-threshold: info 
+        failure-threshold: info
 
-    - name: "scan: .sources/Dockerfile.sources hadolint scan sarif output"
-      uses: hadolint/hadolint-action@v3.1.0
+    - name: "scan: .sources/Dockerfile.sources hadolint sarif output"
+      uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
       with:
-        dockerfile: .sources/Dockerfile.sources
+        dockerfile: "${{ github.workspace }}/Dockerfile"
         config: .github/configs/hadolint.yaml
         format: sarif
-        output-file: "${{ github.workspace }}/sarif/sources-${{ env.HADOLINT_RESULTS_FILE }}"
+        output-file: "${{ github.workspace }}/main-${{ env.HADOLINT_RESULTS_FILE }}"
         no-fail: true
-        failure-threshold: info 
+        failure-threshold: info
 
-    - name: "post: Upload results to security tab"
+    - name: "scan: Upload results to security tab"
       uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
       with:
-        sarif_file: "${{ github.workspace }}/sarif"
+        sarif_file: "${{ github.workspace }}/main-${{ env.HADOLINT_RESULTS_FILE }}"
+
+  hadolint-sources-dockerfile:
+    name: sources dockerfile lint
+    permissions:
+      actions: read
+      security-events: write
+    defaults:
+      run:
+        shell: bash
+    runs-on: ubuntu-22.04
+    steps:
+    - name: 'setup: harden runner'
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      with:
+        egress-policy: audit
+
+    - name: "setup: checkout repo"    
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: "scan: ./Dockerfile hadolint scan tty output"
-      if: always()
-      uses: hadolint/hadolint-action@v3.1.0
+      uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
       with:
-        dockerfile: Dockerfile
+        dockerfile: "${{ github.workspace }}/.sources/Dockerfile.sources"
         config: .github/configs/hadolint.yaml
         format: tty
-        failure-threshold: warning
+        no-fail: false
+        failure-threshold: info
+
+    - name: "scan: .sources/Dockerfile.sources hadolint sarif output"
+      uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
+      with:
+        dockerfile: "${{ github.workspace }}/.sources/Dockerfile.sources"
+        config: .github/configs/hadolint.yaml
+        format: sarif
+        output-file: "${{ github.workspace }}/sources-${{ env.HADOLINT_RESULTS_FILE }}"
+        no-fail: true
+        failure-threshold: info
+
+    - name: "scan: Upload results to security tab"
+      uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
+      with:
+        sarif_file: "${{ github.workspace }}/sources-${{ env.HADOLINT_RESULTS_FILE }}"
 
   shellcheck:
     name: shellcheck
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
+    - name: 'setup: harden runner'
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      with:
+        egress-policy: audit
+
     - name: "setup: checkout repo"    
       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -4,13 +4,18 @@
 
 name: Scorecard supply-chain security
 on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        required: true
+        default: "main"
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
   branch_protection_rule:
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
-    - cron: '30 10 * * 0'
+    - cron: '45 0 * * *'
   push:
     branches: [ "main" ]
 
@@ -19,11 +24,9 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecard analysis
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
-      # Needed to upload the results to code-scanning dashboard.
       security-events: write
-      # Needed to publish results and get a badge (see publish_results below).
       id-token: write
 
     steps: