1 # This workflow uses actions that are not certified by GitHub. They are provided
2 # by a third-party and are governed by separate terms of service, privacy
3 # policy, and support documentation.
5 name: Scorecard supply-chain security
8 # For Branch-Protection check. Only the default branch is supported. See
9 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
10 branch_protection_rule:
11 # To guarantee Maintained check is occasionally updated. See
12 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
16 # Declare default permissions as read only.
21 name: Scorecard analysis
22 runs-on: ubuntu-latest
24 # Needed to upload the results to code-scanning dashboard.
25 security-events: write
26 # Needed to publish results and get a badge (see publish_results below).
28 # Uncomment the permissions below if installing in a private repository.
33 - name: "Checkout code"
34 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
36 persist-credentials: false
38 - name: "Run analysis"
39 uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
41 results_file: results.sarif
43 # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
44 # - you want to enable the Branch-Protection check on a *public* repository, or
45 # - you are installing Scorecard on a *private* repository
46 # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
47 # repo_token: ${{ secrets.SCORECARD_TOKEN }}
49 # Public repositories:
50 # - Publish results to OpenSSF REST API for easy access by consumers
51 # - Allows the repository to include the Scorecard badge.
52 # - See https://github.com/ossf/scorecard-action#publishing-results.
53 # For private repositories:
54 # - `publish_results` will always be set to `false`, regardless
55 # of the value entered here.
58 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
59 # format to the repository Actions tab.
60 - name: "Upload artifact"
61 uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
67 # Upload the results to GitHub's code scanning dashboard (optional).
68 # Commenting out will disable upload of results to your repo's Code Scanning dashboard
69 - name: "Upload to code-scanning"
70 uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
72 sarif_file: results.sarif