diff --git a/.github/workflows/ghcr-publish.yml b/.github/workflows/_disabled/ghcr-publish.yml
similarity index 84%
rename from .github/workflows/ghcr-publish.yml
rename to .github/workflows/_disabled/ghcr-publish.yml
index aa1b8dd..b9e21da 100644
--- a/.github/workflows/ghcr-publish.yml
+++ b/.github/workflows/_disabled/ghcr-publish.yml
@@ -12,7 +12,7 @@ jobs:
 steps:
 - uses: actions/checkout@v5
 - uses: docker/setup-buildx-action@v3
- - uses: docker/login-action@v3
+ - uses: docker/login-actionbdaa0721073962dff0199f1fb9940f@07167d1
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -24,7 +24,7 @@ jobs:
 tags: |
 type=raw,value=latest
 type=ref,event=tag
- - uses: docker/build-push-action@v6
+ - uses: docker/build-push-actiond21b8e681c14492fe198d362@a7d2c83
 with:
 context: .
 push: true
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/_disabled/publish-pypi.yml
similarity index 100%
rename from .github/workflows/publish-pypi.yml
rename to .github/workflows/_disabled/publish-pypi.yml
diff --git a/.github/workflows/_disabled/release-sbom.yml b/.github/workflows/_disabled/release-sbom.yml
new file mode 100644
index 0000000..8414bd7
--- /dev/null
+++ b/.github/workflows/_disabled/release-sbom.yml
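Review bot: The new `uses:` reference `docker/login-actionbdaa0721073962dff0199f1fb9940f@07167d1` is not a resolvable action: a hash fragment has been spliced into the repository slug, and the ref is a 7-character abbreviation rather than the full 40-character commit SHA that GitHub documents as the supported pin. The second hunk's `docker/build-push-actiond21b8e681c14492fe198d362@a7d2c83` has the same corruption, which looks like a pinning script that mangled its own output. Because the file now lives under `_disabled/`, GitHub will not load it, so the breakage is latent until the workflow is moved back, at which point every run fails at action resolution. Replace with the form `- uses: docker/login-action@<full-40-char-sha> # v3` (and `docker/build-push-action@<full-40-char-sha> # v6`) so the pin is both resolvable and readable by Dependabot/Renovate.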
@@ -0,0 +1,37 @@
+name: release-sbom
+on:
+ release:
+ types: [published]
+
+permissions:
+ id-token: write
+ contents: write
+
+jobs:
+ sbom:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
+ - name: Generate SBOM (CycloneDX JSON)
+ uses: anchore/sbom-action@c73dd3f93ab542b7902df62a6ee5ad763179fa7b
+ with:
+ path: .
+ format: cyclonedx-json
+ output-file: sbom-cyclonedx.json
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v3
+ - name: Sign SBOM (keyless OIDC)
+ run: |
+ cosign sign-blob --yes \
+ --output-signature sbom-cyclonedx.json.sig \
+ --output-certificate sbom-cyclonedx.json.crt \
+ sbom-cyclonedx.json
+ - name: Attach SBOM to release
+ uses: softprops/action-gh-releasecbd405e2c4e67a21c47fa9e383d020e4@e28b836
+ with:
+ files: |
+ sbom-cyclonedx.json
+ sbom-cyclonedx.json.sig
+ sbom-cyclonedx.json.crt
diff --git a/.github/workflows/slsa.yml b/.github/workflows/_disabled/slsa.yml
similarity index 94%
rename from .github/workflows/slsa.yml
rename to .github/workflows/_disabled/slsa.yml
index 30ec7bb..dbaec36 100644
--- a/.github/workflows/slsa.yml
+++ b/.github/workflows/_disabled/slsa.yml
@@ -3,6 +3,7 @@ on:
 release: { types: [published] }
 workflow_dispatch:
 permissions:
+ attestations: write
 contents: write
 id-token: write
 jobs:
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 7a49345..df3e9bc 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - uses: actions/setup-nodeea5288caeca8642d1e84afbd3f7d@6820020
 with: { node-version: "20" }
 - run: npm ci
 # Placeholder para fuzz real; mantener job verde
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 413ab59..83b0d8f 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
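Review bot: `uses: sigstore/cosign-installer@v3` leaves the tool that performs the keyless signing on a mutable tag while the SBOM generator a few lines above is pinned to a full commit SHA; whoever can move that tag can swap the signer, which undercuts the signature the step produces. Pin it as `uses: sigstore/cosign-installer@<full-40-char-sha> # v3.x`. The upload step `softprops/action-gh-releasecbd405e2c4e67a21c47fa9e383d020e4@e28b836` is not a resolvable slug (a hash fragment has been spliced into the repo name and the ref is abbreviated), so this job would fail at its last step if it were ever enabled. Since the active `.github/workflows/release-sbom.yml` is deleted in the same commit and this copy sits under `_disabled/`, where GitHub does not load workflows, releases stop getting an SBOM at all; a header comment such as `# Disabled on purpose: <reason>; move back to .github/workflows/ to re-enable` would make that visible. Consider emitting a Sigstore bundle (`cosign sign-blob --yes --bundle sbom-cyclonedx.json.sigstore.json`) instead of separate .sig/.crt files so verifiers get a single artifact that carries the transparency-log entry.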
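Review bot: `attestations: write` is a new write scope granted at workflow level, but the step that would consume it (an `actions/attest-build-provenance`-style step) lies outside this hunk, so I cannot confirm it is needed; the `jobs:` body runs past the hunk. If only one job attests, declare the scope on that job rather than for the whole workflow, so the other jobs keep the narrower token. The file is also being moved under `_disabled/`, so no provenance is produced while it sits there; a header comment stating why it is disabled and how to re-enable it would save the next reader a search.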
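Review bot: `actions/setup-nodeea5288caeca8642d1e84afbd3f7d@6820020` is in an active workflow (fuzz.yml is not moved under `_disabled/`), and the slug is not a real repository — a hash fragment has been spliced into `actions/setup-node` and the ref is a 7-character abbreviation rather than a full commit SHA — so the job will fail at action resolution on its next run. Use `- uses: actions/setup-node@<full-40-char-sha> # v4`, and pin `actions/checkout@v4` on the line above the same way so the file follows one convention. The trailing comment says the job is a placeholder kept green; if `fuzz` is a required check, a permanently green job that runs no fuzzer gives a false signal, so either name it honestly or state in the comment what it is waiting on.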
@@ -9,7 +9,7 @@ jobs: label: runs-on: ubuntu-latest steps: - - uses: actions/labeler@v6 + - uses: actions/labeleredcd8ababfe52f92936142cc22a@c488b1b with: repo-token: ${{ secrets.GITHUB_TOKEN }} sync-labels: true diff --git a/.github/workflows/release-sbom.yml b/.github/workflows/release-sbom.yml deleted file mode 100644 index b57909b..0000000 --- a/.github/workflows/release-sbom.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: release-sbom -on: - release: - types: [published] - -permissions: - contents: write - -jobs: - sbom: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5 - with: - fetch-depth: 0 - - name: Generate SBOM (CycloneDX JSON) - uses: anchore/sbom-action@c73dd3f93ab542b7902df62a6ee5ad763179fa7b - with: - path: . - format: cyclonedx-json - output-file: sbom-cyclonedx.json - - name: Attach SBOM to release - uses: softprops/action-gh-release@v2 - with: - files: sbom-cyclonedx.json diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 3a9cdeb..f676b40 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -30,7 +30,7 @@ jobs: with: results_file: results.sarif results_format: sarif - publish_results: false + publish_results: true - name: Upload SARIF to code scanning uses: github/codeql-action/upload-sarif@v3 diff --git a/.gitignore b/.gitignore index 2718c71..5c2ed93 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,4 @@ _ci_redfix/ # local artifacts _ci_local/ .tools/ +_ci_diag/ diff --git a/.prettierignore b/.prettierignore index 36dd1bb..12c6c6a 100644 --- a/.prettierignore +++ b/.prettierignore @@ -9,3 +9,4 @@ poetry.lock pnpm-lock.yaml pnpm-lock.yaml +_ci_diag/ diff --git a/Dockerfile b/Dockerfile index 43cb196..0349e9a 100644 --- a/Dockerfile +++ b/Dockerfile 
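Review bot: `actions/labeleredcd8ababfe52f92936142cc22a@c488b1b` will not resolve — the slug has a hash fragment spliced into `actions/labeler` and the ref is abbreviated — and labeler.yml stays active, so every labeling run breaks from this commit on. Replace with `- uses: actions/labeler@<full-40-char-sha> # v6`. Because the action runs with `repo-token: ${{ secrets.GITHUB_TOKEN }}` and `sync-labels: true`, confirm that the trigger and `permissions:` outside this hunk are `pull_request_target` with `pull-requests: write` and nothing broader; the job header is outside the hunk.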
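Review bot: `publish_results: true` makes the Scorecard action upload results to the public OpenSSF API, which per the action's documentation requires `id-token: write` on this job and only takes effect on the default branch; the job's `permissions:` block is outside this hunk, so confirm it grants exactly `id-token: write` plus the `security-events: write` the SARIF upload step needs. Publishing also makes the repository's score and findings public, which is reasonable for a CI template but worth a one-line comment above the key, e.g. `# publishes to scorecard.dev — requires id-token: write on this job`. The `github/codeql-action/upload-sarif@v3` context line below remains tag-pinned, which Scorecard's Pinned-Dependencies check will likely flag now that the results are public.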
@@ -1,4 +1,4 @@
-FROM busybox:stable-glibc
+FROM busybox:stable-glibc@sha256:4a35a7836fe08f340a42e25c4ac5eef4439585bbbb817b7bd28b2cd87c742642
 LABEL org.opencontainers.image.title="ci-matrix-starter"
 LABEL org.opencontainers.image.description="Reusable GitHub Actions CI for Python/TypeScript with SBOM & optional signing"
 LABEL org.opencontainers.image.source="https://github.com/CoderDeltaLAN/ci-matrix-starter"
diff --git a/package-lock.json b/package-lock.json
index 0022979..742fa8d 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "@CoderDeltaLAN/ci-matrix-starter",
- "version": "0.1.7",
+ "version": "0.1.8",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "@CoderDeltaLAN/ci-matrix-starter",
- "version": "0.1.7",
+ "version": "0.1.8",
 "devDependencies": {
 "@eslint/js": "^9.0.0",
 "@types/node": "^24.5.2",
diff --git a/package.json b/package.json
index a51255a..27b71e3 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@CoderDeltaLAN/ci-matrix-starter",
- "version": "0.1.7",
+ "version": "0.1.8",
 "private": true,
 "type": "module",
 "scripts": {
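Review bot: With `busybox:stable-glibc@sha256:…` the digest is what the builder resolves and the `stable-glibc` tag becomes informational only, so nothing on the line tells a reader which release the digest corresponds to or how it gets refreshed; add a comment above it, e.g. `# busybox stable-glibc pinned by digest; the tag is informational — refresh via Renovate/Dependabot`. Also check whether this digest is the multi-arch manifest list or a single-platform manifest: if the GHCR workflow builds with buildx for more than one platform, a single-arch digest will fail for the other platforms. The rest of the Dockerfile is outside the hunk.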