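---
# OpenSSF Scorecard workflow for the argoproj/argo-cd repository.
# Runs the Scorecard checks on a schedule, on pushes to master and on
# branch-protection changes, then uploads the SARIF results both as an
# artifact and to GitHub code scanning.
# All third-party actions are pinned to full commit SHAs (the version is
# noted in a trailing comment) so a moved tag cannot change what runs.
name: Scorecards supply-chain security
on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    - cron: "39 9 * * 2"
  push:
    branches: ["master"]

# One run per workflow/ref; a newer run cancels the older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Declare default permissions as read only; jobs widen only what they need.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-22.04
    permissions:
      # Needed to upload the results to the code-scanning dashboard.
      security-events: write
      # Needed to publish results and receive a badge; see `publish_results` below.
      id-token: write
      # Needed for private repositories.
      contents: read
      actions: read
    # Run only in the upstream repository, not in forks.
    if: github.repository == 'argoproj/argo-cd'

    steps:
      - name: "Checkout code"
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
        with:
          # Do not leave the checkout token in the local git config for later steps.
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecards on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}

          # Publish the results for public repositories to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories, `publish_results` will automatically be set to `false`, regardless
          # of the value entered here.
          publish_results: true

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@3ebbd71c74ef574dbc558c82f70e52732c8b44fe # v2.2.1
        with:
          sarif_file: results.sarif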