Skip to content

Commit 354a412

Browse files
authored
Add Scorecard GitHub Action
1 parent fc91a61 commit 354a412

File tree

1 file changed

+60
-0
lines changed

1 file changed

+60
-0
lines changed

.github/workflows/scorecard.yml

+60
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
name: Scorecard supply-chain security
2+
on:
3+
# For Branch-Protection check. Only the default branch is supported. See
4+
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
5+
branch_protection_rule:
6+
# To guarantee Maintained check is occasionally updated. See
7+
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
8+
schedule:
9+
- cron: '37 3 * * 4'
10+
push:
11+
branches: [ "master" ]
12+
13+
# Declare default permissions as read only.
14+
permissions: read-all
15+
16+
jobs:
17+
analysis:
18+
name: Scorecard analysis
19+
runs-on: ubuntu-latest
20+
permissions:
21+
# Needed to upload the results to code-scanning dashboard.
22+
security-events: write
23+
# Needed to publish results and get a badge (see publish_results below).
24+
id-token: write
25+
26+
steps:
27+
- name: "Checkout code"
28+
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
29+
with:
30+
persist-credentials: false
31+
32+
- name: "Run analysis"
33+
uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
34+
with:
35+
results_file: results.sarif
36+
results_format: sarif
37+
# (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
38+
# - you want to enable the Branch-Protection check without using the new GitHub Repos(which are public by default): https://github.blog/2023-07-24-github-repository-rules-are-now-generally-available/
39+
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
40+
# repo_token: ${{ secrets.SCORECARD_TOKEN }}
41+
42+
# - Publish results to OpenSSF REST API for easy access by consumers
43+
# - Allows the repository to include the Scorecard badge.
44+
# - See https://github.com/ossf/scorecard-action#publishing-results.
45+
publish_results: true
46+
47+
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
48+
# format to the repository Actions tab.
49+
- name: "Upload artifact"
50+
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
51+
with:
52+
name: SARIF file
53+
path: results.sarif
54+
retention-days: 5
55+
56+
# Upload the results to GitHub's code scanning dashboard.
57+
- name: "Upload to code-scanning"
58+
uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
59+
with:
60+
sarif_file: results.sarif

0 commit comments

Comments
 (0)