From 5ef4219422ac290f9a256f829f1ced0b99b3b571 Mon Sep 17 00:00:00 2001 From: immutable-art <138187673+immutable-art@users.noreply.github.com> Date: Fri, 11 Oct 2024 10:26:40 +1100 Subject: [PATCH 1/6] ITSEC-2280 Add Dependency Review job; Add SBOM signing. --- .github/workflows/publish.yaml | 7 +++++++ .github/workflows/test.yml | 10 ++++++++++ 2 files changed, 17 insertions(+) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index a326b55c..e3dddef3 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -9,6 +9,8 @@ jobs: publish: name: Publish to NPM runs-on: ubuntu-latest + permissions: + attestations: write steps: - name: Checkout uses: actions/checkout@v2 @@ -58,6 +60,11 @@ jobs: run: | rm -rf dist && yarn build + - name: Generate SDK attestation + uses: actions/attest-build-provenance@v1 + with: + subject-path: './dist' + - name: Publish package uses: JS-DevTools/npm-publish@v1 with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 23440ac7..cc98a486 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -92,6 +92,16 @@ jobs: uses: actions/checkout@v3 - name: Run check script run: sh readmecheck.sh + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v4 + - name: Dependency Review + uses: actions/dependency-review-action@v4 + with: + # Possible values: "critical", "high", "moderate", "low" + fail-on-severity: critical publish: name: Publish to NPM (dry run) runs-on: ubuntu-latest From fe7525dccce9d5a9e1858a21dbbe2adb9c43fbba Mon Sep 17 00:00:00 2001 From: immutable-art <138187673+immutable-art@users.noreply.github.com> Date: Fri, 11 Oct 2024 10:32:33 +1100 Subject: [PATCH 2/6] ITSEC-2280 Update CODEOWNERS to include Product Security on .github --- CODEOWNERS | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CODEOWNERS b/CODEOWNERS index cdac4be2..ded11ede 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,3 +1,5 @@ +.github @immutable/assets @immutable/traders @immutable/prodsec + /clients @immutable/assets /abi @immutable/assets From 1a69bc0499abdbd232263a87bea091853c98eaaa Mon Sep 17 00:00:00 2001 From: immutable-art <138187673+immutable-art@users.noreply.github.com> Date: Fri, 11 Oct 2024 14:41:49 +1100 Subject: [PATCH 3/6] ITSEC-2280: Fix the dependency review action Signed-off-by: immutable-art <138187673+immutable-art@users.noreply.github.com> --- .github/workflows/test.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index cc98a486..5c21fbd0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -102,6 +102,10 @@ jobs: with: # Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical + + # Address https://github.com/actions/dependency-review-action/issues/456 + base-ref: ${{ github.event.pull_request.base.sha || github.event.repository.default_branch }} + head-ref: ${{ github.event.pull_request.head.sha || github.ref }} publish: name: Publish to NPM (dry run) runs-on: ubuntu-latest From 32fdfa773e94ca6afc54d53bbd7248a304d822cb Mon Sep 17 00:00:00 2001 From: immutable-art <138187673+immutable-art@users.noreply.github.com> Date: Wed, 16 Oct 2024 16:14:04 +1100 Subject: [PATCH 4/6] ITSEC-2280 Update permissions for GH attestations Signed-off-by: immutable-art <138187673+immutable-art@users.noreply.github.com> --- .github/workflows/publish.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index e3dddef3..3ed332d1 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -10,7 +10,8 @@ jobs: name: Publish to NPM runs-on: ubuntu-latest permissions: - attestations: write + id-token: write # Required for GitHub Attestation + attestations: write # Required for GitHub Attestation steps: - name: Checkout uses: actions/checkout@v2 From 854541ebca7fecf67dc39d1b485406f1ea1e5b57 Mon Sep 17 00:00:00 2001 From: immutable-art <138187673+immutable-art@users.noreply.github.com> Date: Thu, 17 Oct 2024 10:19:11 +1100 Subject: [PATCH 5/6] ITSEC-2280: Add 'contracts' for artifact signing Signed-off-by: immutable-art <138187673+immutable-art@users.noreply.github.com> --- .github/workflows/publish.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 3ed332d1..ce70b810 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest permissions: id-token: write # Required for GitHub Attestation - attestations: write # Required for GitHub Attestation + attestations: write # Required for GitHub Attestation steps: - name: Checkout uses: actions/checkout@v2 @@ -64,7 +64,9 @@ jobs: - name: Generate SDK attestation uses: actions/attest-build-provenance@v1 with: - subject-path: './dist' + subject-path: | + dist + contracts - name: Publish package uses: JS-DevTools/npm-publish@v1 From 089b8b645b3adcdafd3201ffa65fede7c6bd3dd9 Mon Sep 17 00:00:00 2001 From: immutable-art <138187673+immutable-art@users.noreply.github.com> Date: Thu, 17 Oct 2024 11:50:58 +1100 Subject: [PATCH 6/6] ITSEC-2280: Add the remaining meta files for attestation Signed-off-by: immutable-art <138187673+immutable-art@users.noreply.github.com> --- .github/workflows/publish.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index ce70b810..91ffe8e6 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -67,6 +67,9 @@ jobs: subject-path: | dist contracts + README.md + LICENSE.md + package.json - name: Publish package uses: JS-DevTools/npm-publish@v1