
Update workflow templates to the latest versions

Status: Open. ashishkurmi opened this issue 1 year ago • 2 comments

Our workflow templates are using old action versions; we should update them to use the latest versions instead: https://github.com/step-security/secure-repo/blob/main/workflow-templates/scorecards.yml#L39 should be updated to v2.1.3, and https://github.com/step-security/secure-repo/blob/main/workflow-templates/dependency-review.yml#LL22C15-L22C47 should be updated to v3.0.4.

We should also explore the possibility of automatically using the latest version when a PR is created to deploy our workflow templates.

ashishkurmi avatar May 10 '23 19:05 ashishkurmi

The current version of dependency-review (i.e. v2) given by this tool (using it via https://app.stepsecurity.io/securerepo) does not work, and it gives an uninformative error message:

Run actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c
  with:
    repo-token: ***
    fail-on-severity: low
    fail-on-scopes: runtime
Error: Forbidden

See this run for example.

This issue is about the unclear message, and a fix for it has already been merged some time ago. With the latest version of dependency-review-action (v4.2.5) the error message is:

Error: Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see https://github.com/juhoinkinen/Annif/settings/security_analysis

juhoinkinen avatar Apr 07 '24 10:04 juhoinkinen

@shubham-stepsecurity can you please take this up? We should update the templates to use the latest major versions of all actions. For the scorecard-action, we should use ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3

varunsh-coder avatar Jul 03 '24 23:07 varunsh-coder
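The thread above asks for two things: bumping the actions in the workflow templates to their latest versions, and pinning them the way the last comment shows (`ossf/scorecard-action@<full commit SHA> # vX.Y.Z`). The script below is an added example, not code from the secure-repo project or from any participant in this issue. It audits the `uses:` lines of a workflow for how each action is pinned (full commit SHA, mutable tag, or branch), flags SHA pins that lack the version comment, and rewrites a chosen action to a new SHA plus comment, which is the edit a "bump on PR" automation would make. The sample workflow is constructed for illustration: the two full-SHA references are the ones quoted in this thread, `actions/checkout@v4` is a real tag, and `some-org/some-action@main` is a hypothetical action. The SHA used in the bump demonstration is a placeholder, not a real release.

```python
"""Audit and bump `uses:` pins in a GitHub Actions workflow (added example)."""
import re
from dataclasses import dataclass
from typing import List

# `uses: owner/repo[/path]@ref` with an optional trailing `# comment`.
# Local actions (./path) and docker:// references are deliberately not matched.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*
        (?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)
        @(?P<ref>[^\s#]+)
        (?:\s*\#\s*(?P<comment>.*))?\s*$""",
    re.VERBOSE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SEMVER_TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")

# Constructed sample. The two 40-hex SHAs are the ones quoted in the issue thread;
# actions/checkout@v4 is a real tag; some-org/some-action is hypothetical.
SAMPLE_WORKFLOW = """\
name: constructed-example
on: [push]
jobs:
  checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Dependency review
        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c
      - name: Scorecard
        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
      - uses: some-org/some-action@main  # hypothetical
"""


@dataclass
class UsesRef:
    line_no: int
    action: str
    ref: str
    comment: str
    kind: str  # "sha", "tag" or "branch"


def classify_ref(ref: str) -> str:
    """Full 40-hex SHA is immutable; a version-looking tag or anything else can move."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if SEMVER_TAG_RE.match(ref):
        return "tag"
    return "branch"


def audit_uses(workflow_text: str) -> List[UsesRef]:
    """Return one UsesRef per `uses:` line that references a remote action."""
    found = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            comment = (m["comment"] or "").strip()
            found.append(UsesRef(n, m["action"], m["ref"], comment, classify_ref(m["ref"])))
    return found


def findings(workflow_text: str) -> List[str]:
    """Mutable refs, plus SHA pins with no `# vX.Y.Z` comment recording the version."""
    out = []
    for u in audit_uses(workflow_text):
        if u.kind in ("tag", "branch"):
            out.append(f"line {u.line_no}: {u.action}@{u.ref} is a mutable {u.kind}; pin a full commit SHA")
        elif not u.comment:
            out.append(f"line {u.line_no}: {u.action} is SHA-pinned but has no '# vX.Y.Z' version comment")
    return out


def bump_ref(workflow_text: str, action: str, new_sha: str, version: str) -> str:
    """Rewrite every `uses: <action>@...` line to `<action>@<new_sha> # <version>`, keeping indentation."""
    if not FULL_SHA_RE.match(new_sha):
        raise ValueError("new_sha must be a full 40-hex commit SHA, not a tag or branch")
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and m["action"] == action:
            prefix = line[: line.index("uses:")]
            line = f"{prefix}uses: {action}@{new_sha} # {version}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in findings(SAMPLE_WORKFLOW):
        print(f)
    # Placeholder SHA and version: real values would come from the action's release.
    print(bump_ref(SAMPLE_WORKFLOW, "actions/dependency-review-action", "0" * 40, "vX.Y.Z"))
```

Running the audit over a template before opening a PR catches both the tag-pinned line that has silently drifted and the SHA pin whose version nobody can read at a glance; the bump step is what a template-refresh automation would apply once it has resolved the release tag to a commit.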