diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
deleted file mode 100644
index 5ecdc7f55..000000000
--- a/.github/workflows/codeql.yaml
+++ /dev/null
@@ -1,104 +0,0 @@ -# Copyright 2025 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# Zero-configuration modular workflow to run CodeQL code scans. -# -# CodeQL is a semantic code analysis tool that finds vulnerabilities by -# understanding the code's logic. It is provided by GitHub. CodeQL's findings -# are reported in the repo's code-scanning results page, -# https://github.com/quantumlib/REPO/security/code-scanning/. -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -name: CodeQL code scan -run-name: Run CodeQL code scan ${{inputs.reason}} - -on: - pull_request: - types: [opened, synchronize] - branches: - - main - - master - - # Support merge queues. - merge_group: - types: - - checks_requested - - # Allow manual invocation. - workflow_dispatch: - - # Allow calling from nightly.yaml. - workflow_call: - inputs: - reason: - type: string - -# Declare default permissions as read only. 
-permissions: read-all - -jobs: - create-matrix: - name: Determine languages used - runs-on: ubuntu-24.04 - timeout-minutes: 5 - outputs: - language-matrix: ${{steps.matrix.outputs.languages}} - steps: - - name: Get list of programming languages used in this repo - id: matrix - uses: advanced-security/set-codeql-language-matrix@9f9ba17a61d34c97baaf17e96276389a0cd73392 - with: - access-token: ${{secrets.GITHUB_TOKEN}} - endpoint: ${{github.event.repository.languages_url}} - - codeql: - if: ${{needs.create-matrix.outputs.language-matrix != '[]'}} - name: Run CodeQL scanner for ${{matrix.language}} - needs: create-matrix - runs-on: ubuntu-24.04 - timeout-minutes: 10 - permissions: - actions: read - contents: read - packages: read - security-events: write - strategy: - fail-fast: false - matrix: - language: ${{fromJSON(needs.create-matrix.outputs.language-matrix)}} - steps: - - name: Check out a copy of the git repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Initialize CodeQL scanning tool - uses: github/codeql-action/init@96f518a34f7a870018057716cc4d7a5c014bd61c # v3 - with: - languages: ${{matrix.language}} - queries: security-and-quality - config: | - paths-ignore: - - '**/*.gltf' - - '**/*.json' - - '**/*.md' - - '**/*.png' - - '**/*.rst' - - '**/*.svg' - - '**/*.stim' - - '**/*.txt' - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@96f518a34f7a870018057716cc4d7a5c014bd61c # v3 - with: - category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/nightly-pytest.yaml b/.github/workflows/nightly-pytest.yaml
index f5b3f6d06..5d5aa7244 100644
--- a/.github/workflows/nightly-pytest.yaml
+++ b/.github/workflows/nightly-pytest.yaml
@@ -74,7 +74,7 @@ jobs: steps: - name: Check out a copy of the OpenFermion git repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Set up Python ${{matrix.python-version}} uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index 29ce11d3c..1c267204b 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -13,14 +13,12 @@ # limitations under the License. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# Nightly tests and scans workflow. -# # This workflow runs nightly to run tests & scans on the OpenFermion codebase. # It can also be invoked manually via the "Run workflow" button at # https://github.com/quantumlib/OpenFermion/actions/workflows/nightly.yaml # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -name: 'Nightly tests & scans' +name: 'Nightly tests' run-name: Run nightly tests and code scans on:
@@ -47,25 +45,3 @@ jobs: with: args: '--pre' reason: '(nightly)' - - codeql: - name: Nightly CodeQL code scan - uses: ./.github/workflows/codeql.yaml - permissions: write-all - with: - reason: '(nightly)' - - osv: - name: Nightly OSV code scan - uses: ./.github/workflows/osv-scanner.yaml - permissions: write-all - with: - reason: '(nightly)' - - scorecard: - name: Nightly Scorecard analysis - uses: ./.github/workflows/scorecard.yaml - permissions: write-all - secrets: inherit - with: - reason: '(nightly)'
diff --git a/.github/workflows/osv-scanner.yaml b/.github/workflows/osv-scanner.yaml
index 92257ece6..5035de82c 100644
--- a/.github/workflows/osv-scanner.yaml
+++ b/.github/workflows/osv-scanner.yaml
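Review bot: No CodeQL scan remains anywhere in this diff once the `codeql` job is removed from the @@ -47 hunk: the `osv` and `scorecard` jobs reappear in the new weekly.yaml, but `codeql.yaml` is deleted outright and nothing calls a replacement. If GitHub's default CodeQL setup has been enabled for the repository, the commit description should say so; otherwise the scan is dropped silently. In the @@ -13 hunk of the same file, `name` becomes 'Nightly tests' while `run-name: Run nightly tests and code scans` is left as is; with the scans moved out, `run-name: Run nightly tests` matches the new name.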
@@ -20,18 +20,18 @@ # JavaScript, and others. The findings are reported in the repo's code-scanning # results page, https://github.com/quantumlib/REPO/security/code-scanning/. # -# The OSV project provides a GA workflow that you can reference as a step with +# Note: the OSV project provides a workflow you can reference as a step with # uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml. # Unfortunately, that workflow hardcodes some behaviors (such as uploading the -# SARIF file to the workflow Actions tab, which we rarely need). The workflow -# below is basically a heavily modified version of theirs. +# SARIF file to the workflow Actions tab, which we have never needed). The +# workflow in this file is basically a heavily modified version of theirs. # # For more OSV scanner examples and options, including how to ignore specific # vulnerabilities, see https://google.github.io/osv-scanner/github-action/. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -name: OSV code scan -run-name: Run OSV vulnerability scanner ${{inputs.reason}} +name: OSV known vulnerabilities scanner +run-name: Run OSV (open-source vulnerabilities) scanner ${{inputs.reason}} on: pull_request: 
@@ -45,20 +45,36 @@ on: types: - checks_requested - # Allow manual invocation. - workflow_dispatch: - - # Allow calling from nightly.yaml. + # Allow calling from other workflows. workflow_call: inputs: reason: + description: 'Append text to workflow run name:' type: string + debug: + description: 'Run with debugging options' + type: boolean + default: false + + # Allow manual invocation. + workflow_dispatch: + inputs: + debug: + description: 'Run with debugging options' + type: boolean + default: true -# Declare default permissions as read only. +# Declare default workflow permissions as read only. permissions: read-all +concurrency: + # Cancel any previously-started but still active runs on the same branch. + cancel-in-progress: true + group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}} + jobs: osv-scan: + if: github.repository_owner == 'quantumlib' name: Run OSV scanner runs-on: ubuntu-24.04 timeout-minutes: 15
@@ -69,9 +85,12 @@ jobs: security-events: write # Needed to upload SARIF file to CodeQL. contents: read + env: + # Setting Bash SHELLOPTS here takes effect for all shell commands below. + SHELLOPTS: ${{inputs.debug && 'xtrace' || '' }} steps: - name: Check out a copy of the git repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 0
@@ -82,10 +101,11 @@ jobs: - name: Run OSV scanner on existing code # yamllint disable rule:line-length - uses: google/osv-scanner-action/osv-scanner-action@456ceb78310755116e0a3738121351006286b797 # v2.2.1 + uses: google/osv-scanner-action/osv-scanner-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0 continue-on-error: true with: scan-args: |- + --include-git-root --format=json --output=old-results.json --recursive
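Review bot: Every `run` step of the `osv-scan` job is traced into the job log whenever `debug` is on, because `SHELLOPTS: xtrace` is set at job level in the @@ -69 hunk; each command is printed with its arguments already expanded, and GitHub masks only the values it knows as secrets, not anything derived from them. Since the `workflow_dispatch` input in the @@ -45 hunk defaults `debug` to true, every manual run traces by default; consider attaching the `env` to the specific steps being debugged, and extend the existing comment, e.g. `# With xtrace on, every command and its expanded arguments appear in the job log.`. The `osv-scan` job definition continues outside this hunk.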
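Review bot: The osv-scanner-action pin in the @@ -82 hunk moves backwards, from the commit commented `# v2.2.1` to one commented `# v2.1.0`, which is a downgrade of a security scanner if the version comments are accurate; the same change is made at @@ -99 and @@ -110 in this file, and github/codeql-action/upload-sarif goes from `# v3.29.10` to `# v3.29.5` at @@ -122 here and at @@ -72 in scorecard-scanner.yaml. If this is deliberate (for example to match a template shared across repositories), the commit description should say so; otherwise keep the previously pinned SHAs, since a dependency-update bot will only re-propose them.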
@@ -99,10 +119,11 @@ jobs: - name: Run OSV scanner on new code # yamllint disable rule:line-length - uses: google/osv-scanner-action/osv-scanner-action@456ceb78310755116e0a3738121351006286b797 # v2.2.1 + uses: google/osv-scanner-action/osv-scanner-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0 continue-on-error: true with: scan-args: |- + --include-git-root --format=json --output=new-results.json --recursive
@@ -110,7 +131,7 @@ jobs: - name: Run the OSV scanner reporter # yamllint disable rule:line-length - uses: google/osv-scanner-action/osv-reporter-action@456ceb78310755116e0a3738121351006286b797 # v2.2.1 + uses: google/osv-scanner-action/osv-reporter-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0 with: scan-args: |- --output=osv-results.sarif
@@ -122,10 +143,18 @@ jobs: - name: Upload results to the repository's code-scanning results dashboard id: upload_artifact # yamllint disable rule:line-length - uses: github/codeql-action/upload-sarif@96f518a34f7a870018057716cc4d7a5c014bd61c # v3.29.10 + uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 with: sarif_file: osv-results.sarif + - if: github.event.inputs.debug == true + name: Upload results as artifacts to the workflow Summary page + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + - name: Error troubleshooter if: ${{always() && steps.upload_artifact.outcome == 'failure'}} run: echo '::error::Artifact upload failed. Check the workflow logs.'
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard-scanner.yaml
similarity index 72%
rename from .github/workflows/scorecard.yaml
rename to .github/workflows/scorecard-scanner.yaml
index 6a93a2899..b060bc22f 100644
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard-scanner.yaml
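Review bot: The new debug step in the @@ -122 hunk uploads `path: results.sarif`, but the file the reporter writes and the preceding step uploads is `osv-results.sarif`, so the pattern matches nothing and actions/upload-artifact by default only warns. Its condition `github.event.inputs.debug == true` also compares a value that `github.event.inputs` carries as a string with a boolean, and when this workflow is called from weekly.yaml `github.event` is the caller's event, not the `debug` input passed in; the `SHELLOPTS` line earlier in this file already reads the typed `inputs` context, so `- if: ${{inputs.debug}}` together with `path: osv-results.sarif` would be consistent. The same two issues are in the @@ -72 hunk of scorecard-scanner.yaml, where the file is `scorecard-results.sarif`.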
@@ -36,27 +36,41 @@ on: types: - checks_requested - # Allow manual invocation. - workflow_dispatch: - # Allow calling from nightly.yaml. workflow_call: inputs: reason: + description: 'Append text to workflow run name:' type: string + debug: + description: 'Run with debugging options' + type: boolean + default: false -# Declare default permissions as read only. + # Allow manual invocation. + workflow_dispatch: + inputs: + debug: + description: 'Run with debugging options' + type: boolean + default: true + +# Declare default workflow permissions as read only. permissions: read-all jobs: scorecard: + if: github.repository_owner == 'quantumlib' name: Run Scorecard analyzer runs-on: ubuntu-24.04 - permissions: write-all + permissions: + actions: read + contents: read + security-events: write timeout-minutes: 15 steps: - name: Check out a copy of the git repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: persist-credentials: false
@@ -72,6 +86,14 @@ jobs: publish_results: true - name: Upload results to code-scanning dashboard - uses: github/codeql-action/upload-sarif@96f518a34f7a870018057716cc4d7a5c014bd61c # v3 + uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 with: sarif_file: scorecard-results.sarif + + - if: github.event.inputs.debug == true + name: Upload results as artifacts to the workflow Summary page + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: SARIF file + path: results.sarif + retention-days: 5
diff --git a/.github/workflows/weekly.yaml b/.github/workflows/weekly.yaml
new file mode 100644
index 000000000..29f880b39
--- /dev/null
+++ b/.github/workflows/weekly.yaml
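Review bot: The job-level `permissions` block introduced in the @@ -36 hunk lacks `id-token: write`, which ossf/scorecard-action documents as required when `publish_results: true` (visible as context in the @@ -72 hunk); the `write-all` it replaces included that permission implicitly, so publishing is likely to start failing. Add `id-token: write` after `security-events: write` here, and to the matching `permissions` block of the `scorecard-repo-scan` job in weekly.yaml, since a called workflow cannot use a permission its caller does not grant. Narrowing the rest of the grants to read is the right direction. The `scorecard` job definition continues outside this hunk.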
@@ -0,0 +1,71 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# Run weekly scans and other checks. +# +# This workflow calls other workflows to do code and other checks on a schedule. +# It can also be invoked manually via the "Run workflow" button at +# https://github.com/quantumlib/REPO/actions/workflows/weekly.yaml +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +name: Weekly tests +run-name: Run weekly tests and scans + +on: + schedule: + # Run on Mondays. + - cron: '0 10 * * 1' + + # Allow manual invocation. + workflow_dispatch: + inputs: + debug: + description: 'Run with debugging options' + type: boolean + default: true + +# Declare default workflow permissions as read only. +permissions: read-all + +concurrency: + # Cancel any previously-started but still active runs on the same branch. 
+ cancel-in-progress: true + group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}} + +jobs: + osv-code-scan: + if: github.repository_owner == 'quantumlib' + name: Run periodic open-source vulnerabilities scanner + uses: ./.github/workflows/osv-scanner.yaml + permissions: + actions: read + contents: read + security-events: write + with: + reason: '(weekly)' + debug: ${{github.event.inputs.debug || false}} + + scorecard-repo-scan: + if: github.repository_owner == 'quantumlib' + name: Run periodic Scorecard analysis + uses: ./.github/workflows/scorecard-scanner.yaml + permissions: + actions: read + contents: read + security-events: write + secrets: inherit + with: + reason: '(weekly)' + debug: ${{github.event.inputs.debug || false}}
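Review bot: `debug: ${{github.event.inputs.debug || false}}` in both jobs reads the dispatch input through `github.event.inputs`, where a boolean input arrives as the string 'true' or 'false'; a non-empty string is truthy, so 'false' is forwarded as a string to a `type: boolean` input and is either rejected at validation or read as enabled. `debug: ${{inputs.debug || false}}` uses the typed `inputs` context, evaluates to false on scheduled runs where no inputs exist, and matches how osv-scanner.yaml reads `inputs.debug`. The concurrency group also references `github.event.pull_request.number`, which is never set for a workflow whose only triggers are `schedule` and `workflow_dispatch`; `group: ${{github.workflow}}-${{github.ref}}` expresses the same thing. The `if: github.repository_owner == 'quantumlib'` guards on both jobs are a good addition for forks.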