From 67bb12a078f79a40e37f1968d6e3d7358ad19d56 Mon Sep 17 00:00:00 2001
From: Brandon Yee <6111102+Firebird1029@users.noreply.github.com>
Date: Wed, 31 Jul 2024 16:51:56 -1000
Subject: [PATCH] add OSSF Scorecard Report workflow

Signed-off-by: Brandon Yee <6111102+Firebird1029@users.noreply.github.com>
---
 .github/workflows/scorecard_internal.yml | 39 +++++++++++++++++++++
 .gitignore | 1 +
 scripts/scorecard_internal.sh | 44 ++++++++++++++++++++++++
 3 files changed, 84 insertions(+)
 create mode 100644 .github/workflows/scorecard_internal.yml
 create mode 100755 scripts/scorecard_internal.sh

diff --git a/.github/workflows/scorecard_internal.yml b/.github/workflows/scorecard_internal.yml
new file mode 100644
index 0000000000..49aea39828
--- /dev/null
+++ b/.github/workflows/scorecard_internal.yml
@@ -0,0 +1,39 @@
+name: Generate OSSF Scorecard Report for Internal Repositories
+
+on:
+ workflow_dispatch: {}
+ schedule:
+ # Weekly on Saturdays.
+ - cron: "30 1 * * 6"
+
+jobs:
+ update:
+ strategy:
+ matrix:
+ orgs: ["DSACMS", "Enterprise-CMCS", "CMS-Enterprise", "CMSgov"]
+ max-parallel: 1
+ permissions: write-all
+ name: update
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ - name: Install OSSF CLI
+ run: docker pull gcr.io/openssf/scorecard:stable
+ - name: Run OSSF Scorecard Report script
+ run: ./scripts/scorecard_internal.sh ${{ matrix.orgs }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.METRICS_GITHUB_TOKEN }}
+ - name: Commit changes
+ run: |
+ git config user.name 'GitHub Actions'
+ git config user.email 'actions@users.noreply.github.com'
+ git pull
+ git add -A
+ timestamp=$(date -u)
+ git commit -m "update ${{ matrix.orgs }} data: ${timestamp}" || exit 0
+ - name: Push to ${{ github.ref_name }}
+ uses: CasperWA/push-protected@v2
+ with:
+ token: ${{ secrets.METRICS_GITHUB_TOKEN }}
+ branch: ${{ github.ref_name }}
diff --git a/.gitignore b/.gitignore
index af93dc4517..0ec4f62a64 100644
--- a/.gitignore
+++ b/.gitignore
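Review bot: `permissions: write-all` on the `update` job hands every GITHUB_TOKEN scope to a job that only checks out, commits and pushes, and the push step already uses `secrets.METRICS_GITHUB_TOKEN` rather than the job token; narrow it to `permissions:` / `  contents: write` (or `contents: read` if the PAT alone performs the push). `actions/checkout@v4`, `actions/setup-go@v5`, `CasperWA/push-protected@v2` and the image `gcr.io/openssf/scorecard:stable` are all mutable tags, which is exactly what the Scorecard Pinned-Dependencies check this workflow produces reports on flags; pin each action to a full commit SHA with a `# vX.Y.Z` comment and the image to a digest. `actions/setup-go@v5` looks unused, since the script runs Scorecard through `docker` and `jq`, so it can probably be dropped to shrink the job's supply-chain surface. `${{ matrix.orgs }}` is interpolated directly into two `run:` scripts; it is a literal list in this file so it is not injectable today, but passing it via `env:` keeps that true if the matrix ever becomes data-driven.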
@@ -22,3 +22,4 @@ scripts/__pycache__
 # SCC COCOMO
 scripts/scc_repos/
 scripts/scc_reports/
+scripts/ossf_reports/
diff --git a/scripts/scorecard_internal.sh b/scripts/scorecard_internal.sh
new file mode 100755
index 0000000000..b43844ee07
--- /dev/null
+++ b/scripts/scorecard_internal.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+organization="$1"
+VERBOSE="${VERBOSE:-0}"
+
+if [ -z "$organization" ]; then
+ echo "Error: Organization name is required."
+ echo "Usage: ./script.sh ORGANIZATION_NAME"
+ exit 1
+fi
+
+if [[ -z "$GITHUB_TOKEN" ]]; then
+ echo "Error: GITHUB_TOKEN environment variable is required."
+ exit 1
+fi
+
+# set up working directory
+cd scripts/
+
+repo_paths=$(jq -r '."Open Source Projects"."'"$organization"'"[]' _metadata/projects_tracked.json)
+
+# set up directories
+mkdir -p ossf_reports/
+
+for repo_path in $repo_paths; do
+ [ "$VERBOSE" -eq 1 ] && echo "Processing repository: $repo_path"
+
+ repo_name=$(basename $repo_path)
+
+ # run OSSF CLI
+ docker run -e GITHUB_TOKEN gcr.io/openssf/scorecard:stable --repo=$repo_path --format=json >"ossf_reports/${repo_name}.json"
+
+ # combine OSSF CLI results with repo metadata
+ jq -s '.[0] + {ossf_scorecard: .[1]}' "../app/site/_data/$organization/$repo_name/${repo_name}_data.json" "ossf_reports/${repo_name}.json" >"../app/site/_data/$organization/$repo_name/${repo_name}_ossf.json"
+ mv "../app/site/_data/$organization/$repo_name/${repo_name}_ossf.json" "../app/site/_data/$organization/$repo_name/${repo_name}_data.json"
+
+ [ "$VERBOSE" -eq 1 ] && echo "Done processing repository: $repo_path"
+done
+
+# clean up
+rm -rf ossf_reports/
+
+# print success message
+echo "All repositories processed successfully for organization: $organization"
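Review bot: The `mv` that replaces `${repo_name}_data.json` runs whether or not the preceding `jq -s` (or the `docker run` before it) succeeded, and the script never enables `-e`, so a failed merge overwrites the tracked metadata file with an empty or partial `_ossf.json` that the workflow then commits and pushes; add `set -euo pipefail` after the shebang, change the check to `[[ -z "${GITHUB_TOKEN:-}" ]]` so `-u` does not preempt the friendly error, and write `cd scripts/ || exit 1` so later relative paths cannot silently run in the wrong directory. `$organization` is spliced into the jq filter by string concatenation in the `repo_paths=$(jq -r '."Open Source Projects"."'"$organization"'"[]' …)` line; pass it as data with `jq -r --arg org "$organization" '."Open Source Projects"[$org][]' _metadata/projects_tracked.json` so a quote in the argument cannot change the filter and an unknown org fails clearly instead of iterating over null. `for repo_path in $repo_paths` and `basename $repo_path` depend on unquoted word-splitting; `mapfile -t repo_paths < <(jq …)` with `"${repo_paths[@]}"` and `"$repo_path"` is the safer shape. The usage message names `./script.sh` rather than this file; `${0##*/}` keeps it accurate.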