# The actions used here are third-party (not certified by GitHub) and are
# governed by their own terms of service, privacy policy and support
# documentation.

name: Scorecard supply-chain security

on:
  # Branch-Protection check: Scorecard only evaluates the default branch. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # Weekly run so the Maintained check keeps seeing recent activity. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: "42 8 * * 0"
  push:
    branches:
      - master

# Every job starts with read-only GITHUB_TOKEN scopes; jobs opt in to write
# scopes individually below.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Required by the upload-sarif step to write to the code-scanning dashboard.
      security-events: write
      # Required to publish results and obtain a badge (publish_results below).
      id-token: write

    steps:
      # Every action is pinned to a full commit SHA; the trailing comment is the
      # human-readable tag that SHA corresponds to.
      - name: Checkout code
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          # Do not leave the job token stored in the checkout for later steps.
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # Optional fine-grained PAT with "write" scope. Only needed to enable
          # the Branch-Protection check on a *public* repository; creation steps:
          # https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}

          # Push the results to the OpenSSF REST API so consumers can query them
          # and so the repository may show the Scorecard badge. See
          # https://github.com/ossf/scorecard-action#publishing-results.
          publish_results: true

      # Optional: keep the SARIF output as a run artifact in the Actions tab.
      # Remove this step to stop uploading run results.
      - name: Upload artifact
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Feed the same SARIF file into GitHub's code-scanning dashboard.
      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
        with:
          sarif_file: results.sarif