GitHub Actions Requests

This repository is meant to hold the setup for requesting actions to be used internally in paritytech organization

Process description

1. User creates a new issue in this repo
2. The review team gets a notification about the new issue (using this action: issue-comment-tag)
3. After manual review, the review team labels the issue with security-check
4. The workflow Issue labeled security scan is triggered. It will fork requested GHA to the paritytech-actions-sandbox org and execute several automated checks, enables dependabot-alerts
5. The results of all the checks are added back into the request issue
6. Info dependabot-alerts warnings, can be retrieved by labelling issue with load-dependabot-alerts. GitHub needs some time to create report after alerts enabled at step 4. Link to its findings will be posted to the issue
7. After reviewing the results and approving them, final-signoff tag applied and GHA will get forked to the main paritytech organization and becomes available for use.

Checks

Currently we run the following checks:

• Has the repo been setup with a CodeQL workflow?
• Has the repo been configured with Dependabot updates?
• If we fork the repo and enable Dependabot, do we get Security Alerts?
• If we fork the repo and enable CodeQL, do we get Security Alerts?
• If the action uses a container, we run a Trivy scan and check the alerts.

Configuration

For configuration of the workflows in this repository, we use the following secrets: