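---
# Minder profile used to demo features.
#
# Review notes:
#   * `alert` and `remediate` are both "on": besides flagging violations,
#     Minder will presumably try to change repository settings / push fixes
#     itself, so the GitHub provider credentials need write access. Confirm
#     that is intended before applying this outside a demo org.
#   * Conditional rules use the `apply_if_file` key. Two entries below
#     (npm, docker) previously used `only_if_file`, which no other entry in
#     this file uses; an unrecognised key would at best be ignored, making
#     those rules (and their remediation) apply to every repository.
version: v1
type: profile
name: demo-profile
context:
  provider: github
alert: "on"
remediate: "on"

repository:
  # Branch protection for `main`.
  - name: main-protection
    type: stacklok/branch_protection_enabled
    params:
      branch: main
    def: {}
  - name: main-disallow-force-push
    type: stacklok/branch_protection_allow_force_pushes
    params:
      branch: main
    def:
      allow_force_pushes: false
  - name: main-enforce-admins
    type: stacklok/branch_protection_enforce_admins
    params:
      branch: main
    def:
      enforce_admins: true
  - name: main-enforce-review
    type: stacklok/branch_protection_require_pull_request_approving_review_count
    params:
      branch: main
    def:
      # Single-approver minimum; raise this where two-person review is required.
      required_approving_review_count: 1

  # Dependabot configuration, one entry per ecosystem. `apply_if_file` gates
  # the rule on the named manifest being present in the repository; the
  # github-actions entry has no such gate and is evaluated everywhere.
  - name: python-dependabot
    type: stacklok/dependabot_configured
    def:
      package_ecosystem: pip
      schedule_interval: weekly
      apply_if_file: requirements.txt
  - name: ghaction-dependabot
    type: stacklok/dependabot_configured
    def:
      package_ecosystem: github-actions
      schedule_interval: weekly
  - name: go-dependabot
    type: stacklok/dependabot_configured
    def:
      package_ecosystem: gomod
      schedule_interval: daily
      apply_if_file: go.mod
  - name: node-dependabot
    type: stacklok/dependabot_configured
    def:
      package_ecosystem: npm
      schedule_interval: weekly
      apply_if_file: package-lock.json  # was `only_if_file`
  - name: docker-dependabot
    type: stacklok/dependabot_configured
    def:
      package_ecosystem: docker
      schedule_interval: weekly
      apply_if_file: Dockerfile  # was `only_if_file`

  # GitHub Actions must be pinned (by commit SHA) rather than referenced
  # through a mutable tag.
  - name: pin-actions
    type: stacklok/actions_check_pinned_tags
    def:
      # NOTE(review): this exemption lets `actions/checkout@v3` keep floating
      # on a mutable tag, which is exactly what the rule exists to prevent.
      # Acceptable only as a demo of the `exclude` feature; remove it for
      # real enforcement.
      exclude:
        - actions/checkout@v3

artifact:
  # Artifacts tagged `main` must be signed and the signature must verify.
  - name: bad-python
    type: stacklok/artifact_signature
    params:
      tags: [main]
    def:
      is_signed: true
      is_verified: true

pull_request:
  # Check dependency changes in PRs against OSV; `action: review` makes
  # Minder respond as a PR review rather than a plain comment.
  - type: stacklok/pr_vulnerability_check
    def:
      action: review
      ecosystem_config:
        - name: pypi
          vulnerability_database_type: osv
          vulnerability_database_endpoint: https://api.osv.dev/v1/query
          package_repository:
            url: https://pypi.org/pypi
        - name: npm
          vulnerability_database_type: osv
          vulnerability_database_endpoint: https://api.osv.dev/v1/query
          package_repository:
            url: https://registry.npmjs.org
        - name: go
          vulnerability_database_type: osv
          vulnerability_database_endpoint: https://api.osv.dev/v1/query
          package_repository:
            url: https://proxy.golang.org
          # Checksum database used alongside the module proxy for Go.
          sum_repository:
            url: https://sum.golang.org
  # Summarise Trusty scores for changed npm/pypi dependencies; `score`
  # is presumably the threshold below which a package is called out.
  - type: stacklok/pr_trusty_check
    def:
      action: summary
      ecosystem_config:
        - name: npm
          score: 5
        - name: pypi
          score: 5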