--- /dev/null
+---
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2024 The Linux Foundation
+
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: 🔐 Security Scans
+on:
+ workflow_dispatch:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: "31 3 * * 0"
+ push:
+ branches: ["main", "master"]
+ paths:
+ - "**"
+ - "!.github/**"
+
+# Declare default permissions as none.
+permissions: {}
+
+jobs:
+ sonatype-lifecycle:
+ name: "Sonatype Lifecycle"
+ # yamllint disable-line rule:line-length
+ uses: lfit/releng-reusable-workflows/.github/workflows/reuse-sonatype-lifecycle.yaml@c418a28fa6ec695a726365dc236aad0fd0aa7e49 # v0.2.6
+ secrets:
+ NEXUS_IQ_PASSWORD: ${{ secrets.NEXUS_IQ_PASSWORD }}
+
+ # Scan results are found at: https://sonarcloud.io/login
+ sonarqube-cloud:
+ name: "SonarQube Cloud"
+ # yamllint disable-line rule:line-length
+ uses: lfit/releng-reusable-workflows/.github/workflows/reuse-sonarqube-cloud.yaml@c418a28fa6ec695a726365dc236aad0fd0aa7e49 # v0.2.6
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
+ secrets:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
Code Review / policy / opa-pdp.git / commitdiff