From 4cc5904d760f6282107ec562e694740b386d7ba7 Mon Sep 17 00:00:00 2001
From: andrefelizardo
Date: Wed, 25 Feb 2026 11:57:39 -0300
Subject: [PATCH 1/8] feat: add GitHub Actions workflow for OpenSSF Scorecard analysis with scheduled runs and artifact uploads
---
 .github/workflows/scorecard.yml | 42 +++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 .github/workflows/scorecard.yml
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 00000000..cfafcedd
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,42 @@
+name: OpenSSF Scorecard
+on:
+ schedule:
+ - cron: "30 2 * * 1" # Run every Monday at 2:30 AM
+ push:
+ branches: [main]
+
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard Analysis
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ id-token: write
+ contents: read
+ actions: read
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4.6.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v3.26.10
+ with:
+ sarif_file: results.sarif
From eeeb4b194eace4aa4976544f3410dd522795f75c Mon Sep 17 00:00:00 2001
From: andrefelizardo
Date: Wed, 25 Feb 2026 11:57:48 -0300
Subject: [PATCH 2/8] docs: add OpenSSF Scorecard badge to README for enhanced project visibility
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 26a61702..23af89d7 100644
--- a/README.md
+++ b/README.md
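Review bot: The comment on the cron line, `# Run every Monday at 2:30 AM`, leaves out that GitHub evaluates `schedule` expressions in UTC, so someone checking for the run in local time will look in the wrong place; change it to `# Run every Monday at 02:30 UTC`. The `id-token: write` grant in the job-level `permissions` block also deserves a one-line comment, because it exists only because `publish_results: true` needs it and should be dropped if publishing is ever disabled, e.g. `id-token: write # required by publish_results: true`. Otherwise the hunk is in good shape: every action is pinned to a full commit SHA with the version in a trailing comment, the workflow-level `permissions: read-all` is narrowed per job, and checkout runs with `persist-credentials: false`.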
@@ -2,6 +2,8 @@
 > **Status**: Pre-launch development (Expected launch: March 2026)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/oak-network/sdk/badge)](https://scorecard.dev/viewer/?uri=github.com/oak-network/sdk)
+
 TypeScript SDK for the Oak Network Crowdsplit API. Build secure payment applications with type-safe interfaces, comprehensive error handling, and OAuth 2.0 authentication.
 ---
From 033025865230cf49adaea7b728c3cbd28188caca Mon Sep 17 00:00:00 2001
From: andrefelizardo
Date: Wed, 25 Feb 2026 16:22:45 -0300
Subject: [PATCH 3/8] chore: add Codecov workflow for automated coverage reporting on successful CI runs
---
 .github/workflows/codecov.yml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 .github/workflows/codecov.yml
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
new file mode 100644
index 00000000..9741c5e3
--- /dev/null
+++ b/.github/workflows/codecov.yml
@@ -0,0 +1,34 @@
+name: Codecov
+
+on:
+ workflow_run:
+ workflows: [CI]
+ types: [completed]
+ branches: [main, develop]
+
+concurrency:
+ group: codecov-${{ github.event.workflow_run.id }}
+ cancel-in-progress: true
+
+jobs:
+ upload-coverage:
+ if: github.event.workflow_run.conclusion == 'success'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+
+ steps:
+ - name: Download coverage artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: coverage-reports-20.x
+ run-id: ${{ github.event.workflow_run.id }}
+ github-token: ${{ github.token }}
+
+ - name: Upload to Codecov
+ uses: codecov/codecov-action@v5
+ with:
+ token: ${{ secrets.CODECOV_TOKEN }}
+ files: packages/api/coverage/lcov.info
+ fail_ci_if_error: false
+ continue-on-error: true
From d5bf3683d522513e518a614bc98c0eac8985b432 Mon Sep 17 00:00:00 2001
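Review bot: `uses: actions/download-artifact@v4` and `uses: codecov/codecov-action@v5` are pinned to mutable major tags, unlike scorecard.yml in this same series, which pins every action to a full commit SHA; a moving tag lets a re-pointed or compromised release change what runs in a job that holds `secrets.CODECOV_TOKEN`, and the Scorecard Pinned-Dependencies check introduced in patch 1 will flag exactly these two lines. Pin both the same way, e.g. `uses: actions/download-artifact@<full-commit-sha> # v4`, with the SHA taken from the release you intend to run. Separately, nothing in the hunk skips the Codecov upload when the token is unset: `continue-on-error: true` and `fail_ci_if_error: false` only hide the failure, so if "skip when the token is absent" is the intended contract, the step needs an explicit `if:` guard (the `secrets` context is not available in a step-level `if:`, so it would have to be exposed through `env:` first — confirm against current GitHub docs). Because this is a `workflow_run` trigger, the job runs in this repository's context with its secrets regardless of what caused the CI run, so the `branches: [main, develop]` filter and the minimal `permissions:` block are doing real work and should stay.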
From: andrefelizardo
Date: Wed, 25 Feb 2026 16:22:50 -0300
Subject: [PATCH 4/8] docs: add Codecov section to README for coverage reporting details
---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/README.md b/README.md
index 26a61702..2a00361b 100644
--- a/README.md
+++ b/README.md
@@ -547,6 +547,10 @@ CLIENT_SECRET=your_sandbox_client_secret
 OAK_ENVIRONMENT=sandbox
 ```
+### Code coverage
+
+Coverage is reported to [Codecov](https://about.codecov.io) after each successful CI run. The Codecov workflow runs separately with minimal permissions and uploads coverage from the API package. For uploads on pushes and pull requests from this repository, a `CODECOV_TOKEN` secret (from your organization or Codecov dashboard) may be required; when the token is not set, the upload step is skipped and the workflow still succeeds.
+
 ---
 ## 📖 Documentation
From a91e6b2df9f8a9affccd92c6e9196004f8a87e55 Mon Sep 17 00:00:00 2001
From: andrefelizardo
Date: Wed, 25 Feb 2026 16:33:23 -0300
Subject: [PATCH 5/8] chore: update GitHub Actions workflow to include 'develop' branch for scorecard analysis
---
 .github/workflows/scorecard.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index cfafcedd..1e42ea25 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -3,7 +3,7 @@ on:
 schedule:
 - cron: "30 2 * * 1" # Run every Monday at 2:30 AM
 push:
- branches: [main]
+ branches: [main, develop]
 permissions: read-all
From 5f4ce7b2bfcaaacd9912d5b7d63f4810f98c25d7 Mon Sep 17 00:00:00 2001
From: andrefelizardo
Date: Wed, 25 Feb 2026 17:54:11 -0300
Subject: [PATCH 6/8] chore: update GitHub Actions workflow to restrict scorecard analysis to 'main' branch and upgrade upload-artifact action to v4.6.1
---
 .github/workflows/scorecard.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 1e42ea25..aff0c025 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -3,7 +3,7 @@ on:
 schedule:
 - cron: "30 2 * * 1" # Run every Monday at 2:30 AM
 push:
- branches: [main, develop]
+ branches: [main]
 permissions: read-all
@@ -30,7 +30,7 @@ jobs:
 publish_results: true
 - name: "Upload artifact"
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4.6.0
+ uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
 with:
 name: SARIF file
 path: results.sarif
From fed7b47afa579771e65e0a1f2d09295e7ae0f2e4 Mon Sep 17 00:00:00 2001
From: andrefelizardo
Date: Thu, 26 Feb 2026 09:05:01 -0300
Subject: [PATCH 7/8] chore: update Codecov workflow permissions to allow actions read access
---
 .github/workflows/codecov.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
index 9741c5e3..32161fbb 100644
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@@ -16,6 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: read
+ actions: read
 steps:
 - name: Download coverage artifact
From 1a653023e11c23c226d0a28845074c54cd92f153 Mon Sep 17 00:00:00 2001
From: andrefelizardo
Date: Thu, 26 Feb 2026 16:36:22 -0300
Subject: [PATCH 8/8] docs: add Codecov and CodeQL badges to README for enhanced visibility
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index f6916021..7871cfc0 100644
--- a/README.md
+++ b/README.md
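Review bot: In the codecov.yml hunk, `actions: read` is added to a deliberately minimal `permissions` block without saying why it is needed, and every grant in a least-privilege block should carry its reason so it is neither removed nor widened later; suggest `actions: read # download-artifact needs this to read artifacts of the triggering run via run-id`. The `permissions` block and the download step that relies on it both extend outside this hunk, and the `run-id`/`github-token` inputs it serves are in the codecov.yml hunk of patch 3.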
@@ -2,7 +2,7 @@
 > **Status**: Pre-launch development (Expected launch: March 2026)
-[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/oak-network/sdk/badge)](https://scorecard.dev/viewer/?uri=github.com/oak-network/sdk)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/oak-network/sdk/badge)](https://scorecard.dev/viewer/?uri=github.com/oak-network/sdk) [![Codecov](https://codecov.io/github/oak-network/sdk/graph/badge.svg)](https://app.codecov.io/github/oak-network/sdk) [![CodeQL](https://img.shields.io/github/actions/workflow/status/oak-network/sdk/codeql.yml?label=CodeQL&logo=github)](https://github.com/oak-network/sdk/actions/workflows/codeql.yml)
 TypeScript SDK for the Oak Network Crowdsplit API. Build secure payment applications with type-safe interfaces, comprehensive error handling, and OAuth 2.0 authentication.