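---
name: Scorecard supply-chain security

# NOTE(review): every `uses:` below is pinned to a mutable tag. Scorecard's own
# Pinned-Dependencies check prefers a full-length commit SHA with the tag kept as
# a trailing comment; resolve each SHA from the upstream repository before
# switching (no placeholder is used here because a bad SHA would break the run).
on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: '44 2 * * 1'
  push:
    branches: ["master"]

# Default token scope for every job is read-only; the job below widens only
# the two scopes it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write
      # Uncomment the permissions below if installing in a private repository.
      # contents: read
      # actions: read

    steps:
      - name: "Checkout code"
        uses: actions/checkout@v4
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # Publishing the results is what the id-token: write scope above is for.
          publish_results: true

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      # v3 of actions/upload-artifact is deprecated by GitHub; v4 accepts the same
      # name/path/retention-days inputs used here.
      - name: "Upload artifact"
        uses: actions/upload-artifact@v4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif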