
     1  # This workflow uses actions that are not certified by GitHub. They are provided
     2  # by a third-party and are governed by separate terms of service, privacy
     3  # policy, and support documentation.
     4  
     5  name: Scorecard supply-chain security
     6  on:
     7    # For Branch-Protection check. Only the default branch is supported. See
     8    # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
     9    branch_protection_rule:
    10    # To guarantee Maintained check is occasionally updated. See
    11    # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
    12    schedule:
    13      - cron: '44 0 * * 2'
    14    push:
    15      branches: [ "main" ]
    16  
    17  # Declare default permissions as read only.
    18  permissions: read-all
    19  
    20  jobs:
    21    analysis:
    22      name: Scorecard analysis
    23      runs-on: ubuntu-latest
    24      permissions:
    25        # Needed to upload the results to code-scanning dashboard.
    26        security-events: write
    27        # Needed to publish results and get a badge (see publish_results below).
    28        id-token: write
    29        # Uncomment the permissions below if installing in a private repository.
    30        # contents: read
    31        # actions: read
    32  
    33      steps:
    34        - name: "Checkout code"
    35          uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
    36          with:
    37            persist-credentials: false
    38  
    39        - name: "Run analysis"
    40          uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
    41          with:
    42            results_file: results.sarif
    43            results_format: sarif
    44            # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
    45            # - you want to enable the Branch-Protection check on a *public* repository, or
    46            # - you are installing Scorecard on a *private* repository
    47            # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
    48            # repo_token: ${{ secrets.SCORECARD_TOKEN }}
    49  
    50            # Public repositories:
    51            #   - Publish results to OpenSSF REST API for easy access by consumers
    52            #   - Allows the repository to include the Scorecard badge.
    53            #   - See https://github.com/ossf/scorecard-action#publishing-results.
    54            # For private repositories:
    55            #   - `publish_results` will always be set to `false`, regardless
    56            #     of the value entered here.
    57            publish_results: true
    58  
    59        # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
    60        # format to the repository Actions tab.
    61        - name: "Upload artifact"
    62          uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
    63          with:
    64            name: SARIF file
    65            path: results.sarif
    66            retention-days: 5
    67  
    68        # Upload the results to GitHub's code scanning dashboard.
    69        - name: "Upload to code-scanning"
    70          uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
    71          with:
    72            sarif_file: results.sarif