taiars/nora
1
0
Fork 0
mirror of https://github.com/getnora-io/nora.git synced 2026-04-12 15:00:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
301 Commits 3 Branches 38 Tags
main
Commit Graph

13 Commits

Author SHA1 Message Date
DevITWay | Pavel Volkov
0c95fa9786 fix: revert codeql-action to tag in scorecard.yml (#105) 
Scorecard webapp verifies upload-sarif action by tag, not SHA.
Pinning to SHA causes imposter commit error on webapp submission.
 2026-04-06 02:38:06 +03:00
DevITWay | Pavel Volkov
69b7f1fb4e chore: pin dependencies to SHA digests for OpenSSF scorecard (#104) 
Pin scorecard-action and codeql-action to commit SHA in scorecard.yml.
Pin base images to digest in Dockerfile.redos and Dockerfile.astra.
Replace curl|bash with direct binary download for actionlint.
Remove unused pip install cargo-audit-sarif.
 2026-04-06 02:28:02 +03:00
devitway
975264c353 fix(deps): update rustls-webpki 0.103.9 -> 0.103.10 (RUSTSEC-2026-0049) 
Also revert codeql-action to tag pin in scorecard.yml —
scorecard webapp rejects SHA pins for this specific action.
 2026-03-20 23:07:09 +00:00
devitway
9709471485 fix: address code review findings 
- Pin slsa-github-generator and codeql-action by SHA (not tag)
- Replace anonymous tuple with GroupedActivity struct for readability
- Replace unwrap() with if-let for safety
- Add warning message on attestation failure instead of silent || true
- Fix clippy: map_or -> is_some_and
 2026-03-20 22:14:16 +00:00
devitway
07aed45518 fix: use tag for codeql-action in scorecard (webapp rejects SHA pins) 2026-03-19 10:42:14 +00:00
devitway
4ec963d41c fix: add repo_token and permissions to scorecard workflow 2026-03-19 10:35:57 +00:00
devitway
7f7e3e4986 fix: revert scorecard-action to tag (Docker action incompatible with SHA pin) 2026-03-19 10:33:27 +00:00
devitway
d51f176fd8 fix: use commit SHA for scorecard-action (not tag SHA) 2026-03-19 09:21:29 +00:00
devitway
34d30433cb fix: correct scorecard-action SHA pin for v2.4.3 2026-03-19 09:19:41 +00:00
DevITWay | Pavel Volkov
fbd2aa35e8 ci: improve OpenSSF Scorecard rating (#45) 
- Add CodeQL workflow for SAST analysis (Actions language)
- Pin scorecard-action and codeql-action by SHA in scorecard.yml
- Add cargo-audit SARIF upload for security tab integration
 2026-03-19 11:51:11 +03:00
devitway
bc9604bac3 fix: use tags for scorecard webapp verification 2026-03-17 11:04:48 +00:00
devitway
15d12d073a fix: use scorecard-action by tag for webapp verification 2026-03-17 11:02:14 +00:00
devitway
7df118d488 security: harden OpenSSF Scorecard compliance 
- Pin all GitHub Actions by SHA hash (Pinned-Dependencies)
- Add top-level permissions: read-all (Token-Permissions)
- Add explicit job-level permissions (least privilege)
- Add OpenSSF Scorecard workflow with weekly schedule
- Publish scorecard results to scorecard.dev and GitHub Security tab
 2026-03-17 10:30:15 +00:00