Posted to commits@cxf.apache.org by re...@apache.org on 2023/01/26 00:46:30 UTC

[cxf] branch 3.6.x-fixes updated (1ccd8c89c3 -> af574713e4)

This is an automated email from the ASF dual-hosted git repository.

reta pushed a change to branch 3.6.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git


    from 1ccd8c89c3 Bump jboss-logging from 3.4.3.Final to 3.5.0.Final (#1083)
     new 3c0bc31cf4 Adding scorecards workflow
     new 22d817d86f Adding scorecards to README
     new 06fbea7c99 Bump actions/upload-artifact from 3.0.0 to 3.1.2 (#1089)
     new 8d096300a5 Bump ossf/scorecard-action from 2.0.6 to 2.1.2 (#1088)
     new af574713e4 Bump buildnumber-maven-plugin from 1.4 to 3.0.0 (#1086)

The 5 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .github/workflows/codeql-analysis.yml |  4 +--
 .github/workflows/scorecards.yml      | 62 +++++++++++++++++++++++++++++++++++
 README.md                             |  1 +
 core/pom.xml                          |  2 +-
 4 files changed, 66 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/scorecards.yml


[cxf] 01/05: Adding scorecards workflow


reta pushed a commit to branch 3.6.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 3c0bc31cf4f6c754c21115b83c846ca17548817d
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Jan 25 08:00:20 2023 +0000

    Adding scorecards workflow
---
 .github/workflows/codeql-analysis.yml |  4 +--
 .github/workflows/scorecards.yml      | 62 +++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 6408e98701..005e1e0bad 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -7,10 +7,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: ['master', '3.6.x-fixes']
+    branches: ['3.6.x-fixes']
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: ['master', '3.6.x-fixes']
+    branches: ['3.6.x-fixes']
   #schedule:
     #- cron: '0 18 * * 5'
 
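Review bot: Dropping `'master'` from the push and pull_request branch filters is correct for a copy of this workflow that lives on the `3.6.x-fixes` branch, but the `schedule:` block directly below (`#schedule:` / `#- cron: '0 18 * * 5'`) is still commented out, so CodeQL on this branch only runs when someone pushes or opens a PR. Consider enabling the cron so that newly published CodeQL queries are evaluated against code that has not changed; the "must be a subset of the branches above" comment still holds after this edit.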
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 0000000000..66357c82dc
--- /dev/null
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,62 @@
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: '43 19 * * 1'
+  push:
+    branches: [ "3.6.x-fixes" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge.
+      id-token: write
+      # Needs for private repositories.
+      contents: read
+      actions: read
+    
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d #tag=2.0.6
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results. 
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless 
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+      
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 #tag=v2
+        with:
+          sarif_file: results.sarif
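Review bot: The file's own comment on the `branch_protection_rule:` trigger says "Only the default branch is supported", yet this workflow is being added to `3.6.x-fixes` with `push: branches: [ "3.6.x-fixes" ]` and `publish_results: true`; on a non-default branch the branch-protection trigger and result publishing will not do anything useful, so either restrict this to the default branch or document that the branch copy is only meant to feed the code-scanning dashboard via the `upload-sarif` step. The rest is sound from a least-privilege standpoint: top-level `permissions: read-all` with only `security-events: write` and `id-token: write` raised at job level, `persist-credentials: false` on checkout, and every action pinned to a full commit SHA with a `# tag=` comment (which is exactly what Scorecard's own pinned-dependencies check looks for). One style nit: the comment spelling is inconsistent (`# tag=v3.0.0` versus `#tag=2.0.6` and `#tag=v2`); keeping one form makes later dependabot bumps easier to eyeball.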


[cxf] 03/05: Bump actions/upload-artifact from 3.0.0 to 3.1.2 (#1089)


reta pushed a commit to branch 3.6.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 06fbea7c992e05c6f074f592303cef3416b43801
Author: dependabot[bot] <49...@users.noreply.github.com>
AuthorDate: Wed Jan 25 16:38:05 2023 +0000

    Bump actions/upload-artifact from 3.0.0 to 3.1.2 (#1089)
    
    Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.0.0 to 3.1.2.
    - [Release notes](https://github.com/actions/upload-artifact/releases)
    - [Commits](https://github.com/actions/upload-artifact/compare/6673cd052c4cd6fcf4b4e6e60ea986c889389535...0b7f8abb1508181956e8e162db84b466c27e18ce)
    
    ---
    updated-dependencies:
    - dependency-name: actions/upload-artifact
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <su...@github.com>
    
    Signed-off-by: dependabot[bot] <su...@github.com>
    Co-authored-by: dependabot[bot] <49...@users.noreply.github.com>
---
 .github/workflows/scorecards.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 66357c82dc..c55ff4f934 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -49,7 +49,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # tag=v3.1.2
         with:
           name: SARIF file
           path: results.sarif
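Review bot: The SHA pin and the `# tag=v3.1.2` comment are updated together, which is the right way to bump a pinned action; before merging, confirm that `0b7f8abb1508181956e8e162db84b466c27e18ce` is the commit the `v3.1.2` tag points to (the compare link in the commit message is the quickest check), since a mismatched comment would silently misdescribe what is actually run.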


[cxf] 02/05: Adding scorecards to README


reta pushed a commit to branch 3.6.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 22d817d86fb576479f6095a43d8f64521350b53d
Author: Colm O hEigeartaigh <co...@users.noreply.github.com>
AuthorDate: Wed Jan 25 09:31:09 2023 +0000

    Adding scorecards to README
---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index c6fd92291d..ee90558023 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,7 @@
 [![Build Status](https://ci-builds.apache.org/job/CXF/job/CXF-JDK11/badge/icon?subject=Build)](https://ci-builds.apache.org/job/CXF/job/CXF-JDK11/)
 [![Maven Central](https://maven-badges.herokuapp.com/maven-central/org.apache.cxf/cxf/badge.svg)](https://maven-badges.herokuapp.com/maven-central/org.apache.cxf/cxf)
 [![Total alerts](https://img.shields.io/lgtm/alerts/g/apache/cxf)](https://lgtm.com/projects/g/apache/cxf/alerts/)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/apache/cxf/badge)](https://api.securityscorecards.dev/projects/github.com/apache/cxf)
 
 Welcome to Apache CXF!
 ======================


[cxf] 04/05: Bump ossf/scorecard-action from 2.0.6 to 2.1.2 (#1088)


reta pushed a commit to branch 3.6.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 8d096300a5e1ae096692f8b80a732c94155d86c5
Author: dependabot[bot] <49...@users.noreply.github.com>
AuthorDate: Wed Jan 25 12:10:01 2023 +0000

    Bump ossf/scorecard-action from 2.0.6 to 2.1.2 (#1088)
    
    Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.0.6 to 2.1.2.
    - [Release notes](https://github.com/ossf/scorecard-action/releases)
    - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
    - [Commits](https://github.com/ossf/scorecard-action/compare/99c53751e09b9529366343771cc321ec74e9bd3d...e38b1902ae4f44df626f11ba0734b14fb91f8f86)
    
    ---
    updated-dependencies:
    - dependency-name: ossf/scorecard-action
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <su...@github.com>
    
    Signed-off-by: dependabot[bot] <su...@github.com>
    Co-authored-by: dependabot[bot] <49...@users.noreply.github.com>
---
 .github/workflows/scorecards.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index c55ff4f934..c52c8aa195 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -30,7 +30,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d #tag=2.0.6
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 #tag=2.1.2
         with:
           results_file: results.sarif
           results_format: sarif
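Review bot: The pin comment `#tag=2.1.2` drops the `v` prefix that the other pins in this file use (`# tag=v3.1.2`, `#tag=v2`); the ossf/scorecard-action release is tagged `v2.1.2`, so write the comment as `# tag=v2.1.2` for consistency and so the comment matches the tag name verbatim. As with the upload-artifact bump, verify the new SHA `e38b1902ae4f44df626f11ba0734b14fb91f8f86` against the tag via the compare link in the commit message.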


[cxf] 05/05: Bump buildnumber-maven-plugin from 1.4 to 3.0.0 (#1086)


reta pushed a commit to branch 3.6.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit af574713e48f66c4ea067d05a4859e45360f3d2f
Author: dependabot[bot] <49...@users.noreply.github.com>
AuthorDate: Wed Jan 25 19:26:08 2023 -0500

    Bump buildnumber-maven-plugin from 1.4 to 3.0.0 (#1086)
    
    Bumps [buildnumber-maven-plugin](https://github.com/mojohaus/buildnumber-maven-plugin) from 1.4 to 3.0.0.
    - [Release notes](https://github.com/mojohaus/buildnumber-maven-plugin/releases)
    - [Commits](https://github.com/mojohaus/buildnumber-maven-plugin/compare/buildnumber-maven-plugin-1.4...buildnumber-maven-plugin-3.0.0)
    
    ---
    updated-dependencies:
    - dependency-name: org.codehaus.mojo:buildnumber-maven-plugin
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <su...@github.com>
    
    Signed-off-by: dependabot[bot] <su...@github.com>
    Co-authored-by: dependabot[bot] <49...@users.noreply.github.com>
---
 core/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/pom.xml b/core/pom.xml
index d5d4b84fe1..a723d5ff13 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -236,7 +236,7 @@
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>buildnumber-maven-plugin</artifactId>
-                <version>1.4</version>
+                <version>3.0.0</version>
                 <executions>
                     <execution>
                         <id>create-noncanonicalrev</id>
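Review bot: This is a `semver-major` bump (1.4 to 3.0.0 per the commit message), and the hunk changes only the `<version>` while leaving the existing `<executions>` such as `create-noncanonicalrev` untouched; major releases of a Maven plugin can change goal defaults and required configuration, so the release notes linked in the commit message should be checked and a build of `core` run to confirm the `buildnumber-maven-plugin` executions still produce the expected build-number properties before this lands on the release branch.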