From 7a1a1686a3d9306131416c2b36657d8588c3097f Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Wed, 17 Jun 2026 09:27:46 +0200 Subject: [PATCH] ci: add gitleaks, dependency-review, scorecard + explicit reusable permissions Bring the Security workflow to the standard netresearch posture: secret scanning (gitleaks), dependency review on PRs, and OpenSSF Scorecard, alongside the existing Node.js audit. Every reusable caller job declares its exact permission union (top-level `permissions: {}`), so the token is explicit and never relies on the repository default. Signed-off-by: Sebastian Mendel --- .github/workflows/scorecard.yml | 23 +++++++++++++++++++++++ .github/workflows/security.yml | 31 +++++++++++++++++++++++++++++-- 2 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..83700db --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,23 @@ +name: OpenSSF Scorecard + +# Supply-chain posture scoring (branch protection, pinned actions, token +# permissions, …). Runs on default-branch push and on a weekly schedule; +# results upload to the code-scanning dashboard. + +on: + push: + branches: [main, master] + schedule: + - cron: '0 0 * * 0' + workflow_dispatch: + +permissions: {} + +jobs: + scorecard: + uses: netresearch/.github/.github/workflows/scorecard.yml@main + permissions: + contents: read + security-events: write + id-token: write + actions: read diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 67a8a4e..f56f19a 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -1,14 +1,41 @@ name: Security +# Aggregated security scans: secret scanning (gitleaks), dependency review on +# PRs, and a Node.js dependency audit. +# +# Top-level `permissions: {}` denies everything by default; each reusable +# caller job re-declares the exact union its reusable requires, so the token +# passed to each reusable is fully explicit and never relies on the repo +# default (default_workflow_permissions). This is the same contract proven in +# netresearch/.github's go-app / php-module templates. + on: - pull_request: - branches: [main, master] push: branches: [main, master] + pull_request: + +permissions: {} jobs: + gitleaks: + uses: netresearch/.github/.github/workflows/gitleaks.yml@main + permissions: + contents: read + security-events: write + secrets: + GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} + + dependency-review: + if: github.event_name == 'pull_request' + uses: netresearch/.github/.github/workflows/dependency-review.yml@main + permissions: + contents: read + pull-requests: write + node-audit: uses: netresearch/.github/.github/workflows/node-audit.yml@main + permissions: + contents: read with: package-manager: yarn audit-level: high