
     1  # This workflow uses actions that are not certified by GitHub. They are provided
     2  # by a third-party and are governed by separate terms of service, privacy
     3  # policy, and support documentation.
     4  
     5  name: Scorecard supply-chain security
     6  on:
     7    # For Branch-Protection check. Only the default branch is supported. See
     8    # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
     9    branch_protection_rule:
    10    # To guarantee Maintained check is occasionally updated. See
    11    # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
    12    schedule:
    13      - cron: '20 0 * * 0'
    14    push:
    15      branches: [ "master" ]
    16  
    17  # Declare default permissions as read only.
    18  permissions: read-all
    19  
    20  jobs:
    21    analysis:
    22      name: Scorecard analysis
    23      runs-on: ubuntu-latest
    24      permissions:
    25        # Needed to upload the results to code-scanning dashboard.
    26        security-events: write
    27        # Needed to publish results and get a badge (see publish_results below).
    28        id-token: write
    29  
    30      steps:
    31        - name: "Checkout code"
    32          uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
    33          with:
    34            persist-credentials: false
    35  
    36        - name: "Run analysis"
    37          uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
    38          with:
    39            results_file: results.sarif
    40            results_format: sarif
    41            # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
    42            # - you want to enable the Branch-Protection check on a *public* repository, or
    43            # - you are installing Scorecard on a *private* repository
    44            # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
    45            # repo_token: ${{ secrets.SCORECARD_TOKEN }}
    46  
    47            # Public repositories:
    48            #   - Publish results to OpenSSF REST API for easy access by consumers
    49            #   - Allows the repository to include the Scorecard badge.
    50            #   - See https://github.com/ossf/scorecard-action#publishing-results.
    51            publish_results: true
    52  
    53        # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
    54        # format to the repository Actions tab.
    55        - name: "Upload artifact"
    56          uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
    57          with:
    58            name: SARIF file
    59            path: results.sarif
    60            retention-days: 5
    61  
    62        # Upload the results to GitHub's code scanning dashboard.
    63        - name: "Upload to code-scanning"
    64          uses: github/codeql-action/upload-sarif@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
    65          with:
    66            sarif_file: results.sarif