From c838916ed16d61a4ca50f0f4432467c1fdf99913 Mon Sep 17 00:00:00 2001
From: Matt Travi
Date: Thu, 11 May 2023 20:37:42 -0500
Subject: [PATCH] :sparkles: Add releasing workflow for semantic-release (#2989)
Signed-off-by: Matt Travi
---
 checks/permissions_test.go | 11 +++++++
 checks/raw/permissions.go | 9 ++++++
 ...tents-writes-release-semantic-release.yaml | 29 +++++++++++++++++++
 3 files changed, 49 insertions(+)
 create mode 100644 checks/testdata/.github/workflows/github-workflow-permissions-contents-writes-release-semantic-release.yaml
diff --git a/checks/permissions_test.go b/checks/permissions_test.go
index 189156f3c25..41f42f105bf 100644
--- a/checks/permissions_test.go
+++ b/checks/permissions_test.go
@@ -279,6 +279,17 @@ func TestGithubTokenPermissions(t *testing.T) {
 NumberOfDebug: 4,
 },
 },
+ {
+ name: "release workflow contents write semantic-release",
+ filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-contents-writes-release-semantic-release.yaml"},
+ expected: scut.TestReturn{
+ Error: nil,
+ Score: checker.MaxResultScore,
+ NumberOfWarn: 0,
+ NumberOfInfo: 2,
+ NumberOfDebug: 4,
+ },
+ },
 {
 name: "package workflow write",
 filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-packages-writes.yaml"},
diff --git a/checks/raw/permissions.go b/checks/raw/permissions.go
index 4bcded5a025..2bbc29a923e 100644
--- a/checks/raw/permissions.go
+++ b/checks/raw/permissions.go
@@ -469,6 +469,15 @@ func isReleasingWorkflow(workflow *actionlint.Workflow, fp string, pdata *permis
 },
 LogText: "candidate python publishing workflow using python-semantic-release",
 },
+ {
+ // Commonly JavaScript packages, but supports multiple ecosystems
+ Steps: []*fileparser.JobMatcherStep{
+ {
+ Run: "npx.*semantic-release",
+ },
+ },
+ LogText: "candidate publishing workflow using semantic-release",
+ },
 {
 // Go binaries.
 Steps: []*fileparser.JobMatcherStep{
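Review bot: The matcher `Run: "npx.*semantic-release"` accepts any run script in which `npx` is followed, anywhere later in the script, by the substring `semantic-release`, so a multi-command step that merely mentions both tokens in separate commands would also be classified as a release workflow and have its `contents: write` accepted by the permissions check. Because this entry widens an allowlist that suppresses a write-permission finding, keeping the match within a single shell command is the safer shape, e.g. `Run: "npx[^&|;\n]*semantic-release"`, which still covers the `npx -p @semantic-release/git semantic-release` form used by the accompanying testdata. That `Run` is interpreted as a regular expression is inferred from the `.*` in this and the neighbouring entries; confirm against the JobMatcherStep definition. The body of isReleasingWorkflow starts and ends outside the hunk.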
diff --git a/checks/testdata/.github/workflows/github-workflow-permissions-contents-writes-release-semantic-release.yaml b/checks/testdata/.github/workflows/github-workflow-permissions-contents-writes-release-semantic-release.yaml
new file mode 100644
index 00000000000..a1f74c29895
--- /dev/null
+++ b/checks/testdata/.github/workflows/github-workflow-permissions-contents-writes-release-semantic-release.yaml
@@ -0,0 +1,29 @@
+# Copyright 2022 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: semantic-release release workflow
+on: [push]
+permissions:
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - uses: actions/checkout@v3
+ - name: semantic-release
+ run: npx -p @semantic-release/git semantic-release
+ with:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
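Review bot: The `with:` block under the `run: npx -p @semantic-release/git semantic-release` step is not valid for a shell step — `with` only applies to `uses:` steps, and actionlint (the parser behind the `*actionlint.Workflow` parameter in the permissions.go hunk) reports a step carrying both `run` and `with` as an error — so the fixture should hand the tokens to the command through `env:` instead: replace `with:` with `env:` and keep the `GITHUB_TOKEN` and `NPM_TOKEN` lines beneath it unchanged. If the check tolerates parse errors the new case in permissions_test.go may still pass, but the fixture would then not represent a workflow a real repository could run, which weakens what the test proves about the semantic-release matcher. The empty top-level `permissions:` key looks deliberate, since the job-level `contents: write` is what the test exercises.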