# OpenSSF Scorecard run for this repository.
# The analysis writes SARIF, pushes it to the code-scanning dashboard,
# keeps it briefly as a run artifact, and publishes results for the badge.
name: Scorecards supply-chain security

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader reads it as the trigger key.
on:
  schedule:
    # Every Saturday at 01:30 UTC.
    - cron: '30 1 * * 6'
  push:
    branches:
      - master

# Workflow-wide token scope is read-only; the job below widens only what it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-22.04
    permissions:
      # Required to upload SARIF to the code-scanning dashboard.
      security-events: write
      # Required to receive the Scorecard badge. (Upcoming feature)
      id-token: write
      actions: read
      contents: read

    steps:
      - name: 'Checkout code'
        # Pinned to a commit SHA. The other pins below annotate the tag they
        # correspond to; this one does not — add the tag comment to match.
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          # Do not leave the job token in the checkout's git config for later steps.
          persist-credentials: false

      - name: 'Run analysis'
        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # tag=v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) "write" PAT. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecards on a *private* repository.
          # To create the PAT, follow https://github.com/ossf/scorecard-action#authentication-with-pat.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}

          # Publish results for public repositories so the Scorecard badge works; see
          # https://github.com/ossf/scorecard-action#publishing-results.
          # On private repositories `publish_results` is forced to `false`
          # regardless of the value set here.
          publish_results: true

      # Keep the SARIF output as a run artifact (optional); removing this step
      # disables artifact uploads to the repository Actions tab.
      # NOTE(review): upload-artifact v3 and codeql-action v2 are older majors —
      # confirm they are still accepted by GitHub-hosted runners before relying on this workflow.
      - name: 'Upload artifact'
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Send the SARIF to GitHub's code-scanning dashboard.
      - name: 'Upload to code-scanning'
        uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
        with:
          sarif_file: results.sarif