# Third-party actions are used below. They are not certified by GitHub and are
# governed by their own terms of service, privacy policy and support terms.

name: Scorecard supply-chain security

# All run-time keys are pinned to a full commit SHA (the trailing comment names
# the matching release tag), so a moved tag cannot change what executes.
on:
  push:
    branches:
      - master
  # Weekly run so the Maintained check sees recent activity. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: "42 8 * * 0"
  # Feeds the Branch-Protection check; only the default branch is evaluated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:

# Workflow-wide default: the GITHUB_TOKEN is read-only unless a job opts in.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    # Job-level scopes replace the workflow default for this job; only the two
    # scopes the steps below need are granted.
    permissions:
      # Required by the upload-sarif step (code-scanning dashboard).
      security-events: write
      # Required by scorecard-action when publish_results is true (badge/API).
      id-token: write
      # NOTE(review): scorecard-action's own template adds `contents: read` and
      # `actions: read` here for private repositories — confirm for this repo.

    steps:
      - name: 'Checkout code'
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          # Do not leave the workflow token in the checkout's git config.
          persist-credentials: false

      - name: 'Run analysis'
        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # Publishes the result to the OpenSSF REST API, which also enables the
          # Scorecard badge. See https://github.com/ossf/scorecard-action#publishing-results.
          publish_results: true
          # Optional: a fine-grained "write" PAT enables the Branch-Protection
          # check on a public repository. Setup steps:
          # https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}

      # Optional: keep the SARIF output as a run artifact (remove this step to
      # stop uploading it to the Actions tab).
      - name: 'Upload artifact'
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Surface the findings in the repository's code-scanning dashboard.
      - name: 'Upload to code-scanning'
        uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
        with:
          sarif_file: results.sarif