diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
new file mode 100644
index 00000000..32161fbb
--- /dev/null
+++ b/.github/workflows/codecov.yml
@@ -0,0 +1,35 @@
+name: Codecov
+
+on:
+ workflow_run:
+ workflows: [CI]
+ types: [completed]
+ branches: [main, develop]
+
+concurrency:
+ group: codecov-${{ github.event.workflow_run.id }}
+ cancel-in-progress: true
+
+jobs:
+ upload-coverage:
+ if: github.event.workflow_run.conclusion == 'success'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ actions: read
+
+ steps:
+ - name: Download coverage artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: coverage-reports-20.x
+ run-id: ${{ github.event.workflow_run.id }}
+ github-token: ${{ github.token }}
+
+ - name: Upload to Codecov
+ uses: codecov/codecov-action@v5
+ with:
+ token: ${{ secrets.CODECOV_TOKEN }}
+ files: packages/api/coverage/lcov.info
+ fail_ci_if_error: false
+ continue-on-error: true
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 00000000..aff0c025
--- /dev/null
+++ b/.github/workflows/scorecard.yml
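Review bot: Both actions in this workflow are referenced by mutable tag (`uses: actions/download-artifact@v4`, `uses: codecov/codecov-action@v5`), while the scorecard.yml added in the same commit pins every action to a full commit SHA with a version comment; the Pinned-Dependencies check this commit turns on will flag exactly these two lines, and pinning them the same way also removes the tag-retargeting path for a step that receives `secrets.CODECOV_TOKEN`. The upload step further combines `fail_ci_if_error: false` with `continue-on-error: true`, so a missing or revoked token, a renamed artifact, or a wrong `files:` path all yield a green run with no coverage uploaded; dropping `continue-on-error: true` (or setting `fail_ci_if_error: true`) keeps such failures visible. The README text in this commit says the upload is skipped when the token is unset, but no such condition exists in the job; a step-level `if: ${{ secrets.CODECOV_TOKEN != '' }}` on the upload step would make the workflow match its documentation. The concurrency group is keyed on `github.event.workflow_run.id`, which is unique per triggering run, so `cancel-in-progress: true` can never cancel anything and is presumably not doing what was intended. Since `workflow_run` jobs execute with repository secrets regardless of where the triggering run's code came from, the downloaded artifact is untrusted input; here it is only passed to the uploader as a file, so the exposure looks limited, but the `branches` filter is worth keeping for that reason.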
@@ -0,0 +1,42 @@
+name: OpenSSF Scorecard
+on:
+ schedule:
+ - cron: "30 2 * * 1" # Run every Monday at 2:30 AM
+ push:
+ branches: [main]
+
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard Analysis
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ id-token: write
+ contents: read
+ actions: read
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v3.26.10
+ with:
+ sarif_file: results.sarif
diff --git a/README.md b/README.md
index 26a61702..7871cfc0 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,8 @@
 > **Status**: Pre-launch development (Expected launch: March 2026)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/oak-network/sdk/badge)](https://scorecard.dev/viewer/?uri=github.com/oak-network/sdk) [![Codecov](https://codecov.io/github/oak-network/sdk/graph/badge.svg)](https://app.codecov.io/github/oak-network/sdk) [![CodeQL](https://img.shields.io/github/actions/workflow/status/oak-network/sdk/codeql.yml?label=CodeQL&logo=github)](https://github.com/oak-network/sdk/actions/workflows/codeql.yml)
+
 TypeScript SDK for the Oak Network Crowdsplit API. Build secure payment applications with type-safe interfaces, comprehensive error handling, and OAuth 2.0 authentication.
 ---
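Review bot: The comment on the cron line omits the timezone; GitHub evaluates `schedule` triggers in UTC, so `# Run every Monday at 02:30 UTC` is the accurate wording. The version comments beside the SHA pins (`# v4.2.2`, `# v2.4.3`, `# v4.6.1`, `# v3.26.10`) are the only human-readable cross-check on each hash, so each hash should be confirmed to resolve to the tag named next to it before merging, and, if not already configured, Dependabot or Renovate for the `github-actions` ecosystem keeps these pins refreshed instead of silently aging. The ossf reference workflow also listens on `branch_protection_rule` so published results refresh when protection settings change; adding that event under `on:` is a one-line addition if the repository uses branch protection. Otherwise the job follows the hardened template: top-level `permissions: read-all`, write scopes only where the upload needs them, and `persist-credentials: false` on checkout.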
@@ -547,6 +549,10 @@ CLIENT_SECRET=your_sandbox_client_secret
 OAK_ENVIRONMENT=sandbox
 ```
+### Code coverage
+
+Coverage is reported to [Codecov](https://about.codecov.io) after each successful CI run. The Codecov workflow runs separately with minimal permissions and uploads coverage from the API package. For uploads on pushes and pull requests from this repository, a `CODECOV_TOKEN` secret (from your organization or Codecov dashboard) may be required; when the token is not set, the upload step is skipped and the workflow still succeeds.
+
 ---
 ## 📖 Documentation