Skip to content

chore: OSSF security baseline — CI, fuzzing, signed releases#10

Open
konih wants to merge 4 commits into
taito-project:mainfrom
konih:chore/maturity-baseline
Open

chore: OSSF security baseline — CI, fuzzing, signed releases#10
konih wants to merge 4 commits into
taito-project:mainfrom
konih:chore/maturity-baseline

Conversation

@konih

@konih konih commented Jun 6, 2026

Copy link
Copy Markdown
Contributor

housekeeping PR — bumps OpenSSF Scorecard posture and makes the repo look maintained. no runtime behavior changes (except root help text).

what's in here

  • README badges — Scorecard, CI, Preflight, CodeQL, Fuzz, release
  • SECURITY.md — reporting, threat model, supply-chain verify instructions
  • CI workflows
    • scorecard.yaml — OpenSSF Scorecard (weekly + main)
    • codeql.yaml — Go SAST
    • preflight.yaml — go mod tidy/verify
    • fuzz.yaml — native Go fuzz 30s (ParseSemver, TagFromReference)
    • release.yaml — tag-triggered builds + cosign signed assets
  • hack/release-assets.sh + hack/sign-release-assets.sh — binaries, nfpm packages, checksums, sigstore bundles
  • dependabot, .golangci.yml, just lint, just vulncheck, CONTRIBUTING fixes
  • go 1.25.11 bump so govulncheck passes clean on stdlib CVEs

OpenSSF Scorecard checks this PR helps with

Check How
Security-Policy SECURITY.md
CI-Tests existing + new workflows surfaced via badges
SAST CodeQL
Fuzzing native Go fuzz in CI (internal/update, internal/ociref)
Signed-Releases cosign sign-blob*.sigstore.json on release assets
Dependency-Update-Tool Dependabot
Vulnerabilities govulncheck job in go-test.yml
Pinned-Dependencies pinned action SHAs in workflows
Token-Permissions minimal permissions: per workflow
Maintained scheduled jobs + dependabot activity

still repo-settings / follow-up

Check Notes
Branch-Protection require PR + CI on main
Code-Review require approving review
CII-Best-Practices OpenSSF Best Practices badge (separate enrollment)
OSS-Fuzz deferred — native fuzz covers parsers for now

first release after merge: push a v*.*.* tag (or workflow_dispatch with draft) to exercise release.yaml. Scorecard badge may take a run or two to update.

test: go test ./..., golangci-lint run ./..., just vulncheck, go test -run=^$ -fuzz=FuzzParseSemver -fuzztime=10s ./internal/update/...

konih added 4 commits June 6, 2026 18:18
Add OpenSSF Scorecard, CodeQL, and preflight workflows; dependabot;
README badges; golangci config; and CONTRIBUTING/justfile fixes.
Roadmap left unchanged.
Add security policy, native Go fuzz tests with weekly CI, and a tag-triggered
release workflow that builds binaries/packages and cosign-signs artifacts.
Run govulncheck on every push/PR, add just vulncheck, and bump the
toolchain patch version so reachable stdlib CVEs are cleared.
@larszi

larszi commented Jun 10, 2026

Copy link
Copy Markdown
Member

I really like the idea of automating the signing via the ci, however the current process works a bit different because of the npm packages we publish. I will have a look if we can just cherry-pick some sutff of this pr

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants