feat(workflow): defined the details of the generated workflow

travi · travi · commit ca459445b418 · 2023-06-04T23:20:19.000-05:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -52,6 +52,7 @@
   "devDependencies": {
     "@cucumber/cucumber": "9.1.2",
     "@form8ion/commitlint-config": "1.0.51",
+    "@form8ion/core": "2.0.0",
     "@form8ion/eslint-config": "5.0.32",
     "@form8ion/eslint-config-cucumber": "1.4.1",
     "@form8ion/remark-lint-preset": "5.0.9",
diff --git a/src/scaffolder.js b/src/scaffolder.js
@@ -2,7 +2,61 @@ import {promises as fs} from 'node:fs';
 import {dump} from 'js-yaml';
 
 export default async function ({projectRoot, vcs: {owner, name, host}}) {
-  await fs.writeFile(`${projectRoot}/.github/workflows/scorecard.yml`, dump({}));
+  await fs.writeFile(
+    `${projectRoot}/.github/workflows/scorecard.yml`,
+    dump({
+      name: 'OpenSSF Scorecard',
+      on: {
+        // To guarantee Maintained check is occasionally updated.
+        // See https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+        schedule: [{cron: '31 2 * * 1'}],
+        push: {branches: ['master']}
+      },
+      permissions: 'read-all',
+      jobs: {
+        analysis: {
+          name: 'Scorecard analysis',
+          'runs-on': 'ubuntu-latest',
+          permissions: {
+            // Needed to upload the results to code-scanning dashboard.
+            'security-events': 'write',
+            // Needed to publish results and get a badge (see publish_results below).
+            'id-token': 'write'
+          },
+          steps: [
+            {
+              name: 'Checkout code',
+              uses: 'actions/checkout@v3.1.0',
+              with: {'persist-credentials': false}
+            },
+            {
+              name: 'Run analysis',
+              uses: 'ossf/scorecard-action@v2.1.2',
+              with: {
+                results_file: 'results.sarif',
+                results_format: 'sarif',
+                publish_results: true
+              }
+            },
+            {
+              name: 'Upload artifact',
+              uses: 'actions/upload-artifact@v3.1.0',
+              with: {
+                name: 'SARIF file',
+                path: 'results.sarif',
+                'retention-days': 5
+              }
+            },
+            {
+              name: 'Upload to code-scanning',
+              uses: 'github/codeql-action/upload-sarif@v2.2.4',
+              with: {sarif_file: 'results.sarif'}
+            }
+          ]
+        }
+      }
+    })
+  );
 
   return {
     ...'github' === host && {
diff --git a/src/scaffolder.test.js b/src/scaffolder.test.js
@@ -21,7 +21,56 @@ describe('scaffolder', () => {
   });
 
   it('should return scaffolding results', async () => {
-    when(jsYaml.dump).calledWith({}).mockReturnValue(dumpedYaml);
+    when(jsYaml.dump)
+      .calledWith({
+        name: 'OpenSSF Scorecard',
+        on: {
+          schedule: [{cron: '31 2 * * 1'}],
+          push: {branches: ['master']}
+        },
+        permissions: 'read-all',
+        jobs: {
+          analysis: {
+            name: 'Scorecard analysis',
+            'runs-on': 'ubuntu-latest',
+            permissions: {
+              'security-events': 'write',
+              'id-token': 'write'
+            },
+            steps: [
+              {
+                name: 'Checkout code',
+                uses: 'actions/checkout@v3.1.0',
+                with: {'persist-credentials': false}
+              },
+              {
+                name: 'Run analysis',
+                uses: 'ossf/scorecard-action@v2.1.2',
+                with: {
+                  results_file: 'results.sarif',
+                  results_format: 'sarif',
+                  publish_results: true
+                }
+              },
+              {
+                name: 'Upload artifact',
+                uses: 'actions/upload-artifact@v3.1.0',
+                with: {
+                  name: 'SARIF file',
+                  path: 'results.sarif',
+                  'retention-days': 5
+                }
+              },
+              {
+                name: 'Upload to code-scanning',
+                uses: 'github/codeql-action/upload-sarif@v2.2.4',
+                with: {sarif_file: 'results.sarif'}
+              }
+            ]
+          }
+        }
+      })
+      .mockReturnValue(dumpedYaml);
 
     expect(await scaffold({projectRoot, vcs: {owner, name, host: 'github'}}))
       .toEqual({
diff --git a/test/integration/features/step_definitions/workflow-steps.js b/test/integration/features/step_definitions/workflow-steps.js
@@ -1,9 +1,8 @@
-import {promises as fs} from 'node:fs';
-import {load} from 'js-yaml';
+import {fileExists} from '@form8ion/core';
 
 import {Then} from '@cucumber/cucumber';
 import {assert} from 'chai';
 
 Then('the workflow is defined', async function () {
-  assert.deepEqual(load(await fs.readFile(`${this.projectRoot}/.github/workflows/scorecard.yml`, 'utf-8')), {});
+  assert.isTrue(await fileExists(`${this.projectRoot}/.github/workflows/scorecard.yml`));
 });
