.github/workflows/scorecard.yml

   1 # This workflow uses actions that are not certified by GitHub. They are provided
   2 # by a third-party and are governed by separate terms of service, privacy
   3 # policy, and support documentation.
   4
   5 name: Scorecard supply-chain security
   6 on:
   7   workflow_dispatch:
   8   # For Branch-Protection check. Only the default branch is supported. See
   9   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  10   branch_protection_rule:
  11   # To guarantee Maintained check is occasionally updated. See
  12   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  13   schedule:
  14     - cron: '33 6 * * 0'
  15
  16 # Declare default permissions as read only.
  17 permissions: read-all
  18
  19 jobs:
  20   analysis:
  21     name: Scorecard analysis
  22     runs-on: ubuntu-latest
  23     permissions:
  24       # Needed to upload the results to code-scanning dashboard.
  25       security-events: write
  26       # Needed to publish results and get a badge (see publish_results below).
  27       id-token: write
  28       # Uncomment the permissions below if installing in a private repository.
  29       # contents: read
  30       # actions: read
  31
  32     steps:
  33       - name: "Checkout code"
  34         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
  35         with:
  36           persist-credentials: false
  37
  38       - name: "Run analysis"
  39         uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
  40         with:
  41           results_file: results.sarif
  42           results_format: sarif
  43           # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
  44           # - you want to enable the Branch-Protection check on a *public* repository, or
  45           # - you are installing Scorecard on a *private* repository
  46           # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
  47           # repo_token: ${{ secrets.SCORECARD_TOKEN }}
  48
  49           # Public repositories:
  50           #   - Publish results to OpenSSF REST API for easy access by consumers
  51           #   - Allows the repository to include the Scorecard badge.
  52           #   - See https://github.com/ossf/scorecard-action#publishing-results.
  53           # For private repositories:
  54           #   - `publish_results` will always be set to `false`, regardless
  55           #     of the value entered here.
  56           publish_results: true
  57
  58       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
  59       # format to the repository Actions tab.
  60       - name: "Upload artifact"
  61         uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
  62         with:
  63           name: SARIF file
  64           path: results.sarif
  65           retention-days: 5
  66
  67       # Upload the results to GitHub's code scanning dashboard (optional).
  68       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
  69       - name: "Upload to code-scanning"
  70         uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
  71         with:
  72           sarif_file: results.sarif