feat: Add security-gates and update README (#1002)

This PR adds security-gates workflow and updates README with OpenSSF Scorecard badge.
Trendyol · Feb 6, 2025 · 17fcb02 · 17fcb02
1 parent 1750cdc
commit 17fcb02
Show file tree

Hide file tree

Showing 3 changed files with 85 additions and 0 deletions.
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,62 @@
+
+name: Scorecard supply-chain security
+
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '29 23 * * 3'
+  push:
+    branches: [ "main", "master"]
+  pull_request:
+    branches: ["main", "master"]
+
+permissions: read-all
+
+jobs:
+  visibility-check:
+    # Bu job, deponun public/private olduğunu belirler
+    outputs:
+      visibility: ${{ steps.drv.outputs.visibility }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Determine repository visibility
+        id: drv
+        run: |
+          visibility=$(gh api /repos/$GITHUB_REPOSITORY --jq '.visibility')
+          echo "visibility=$visibility" >> $GITHUB_OUTPUT
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+  analysis:
+    if: ${{ needs.visibility-check.outputs.visibility == 'public' }}
+    needs: visibility-check
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+
+
diff --git a/.github/workflows/security-gates.yml b/.github/workflows/security-gates.yml
@@ -0,0 +1,21 @@
+name: Security Gates
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Validate Workflow
+        run: echo "Validation successful"
+
+  security-gates:
+    uses: Trendyol/security-actions/.github/workflows/security-gates.yml@master
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
diff --git a/README.md b/README.md
@@ -1,3 +1,5 @@
+
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/Trendyol/baklava/badge)](https://scorecard.dev/viewer/?uri=github.com/Trendyol/baklava)
 <p align="center"><img src="https://user-images.githubusercontent.com/127687/233114483-c5b0a8e7-c072-4ced-a7b5-76bce1be4b21.svg" width="200" alt="Baklava Design System Logo" /></p>
 
 <h1 align="center">Baklava Design System</h1>