
     1  # This workflow uses actions that are not certified by GitHub. They are provided
     2  # by a third-party and are governed by separate terms of service, privacy
     3  # policy, and support documentation.
     4  
     5  name: Scorecard supply-chain security
     6  on:
     7    # For Branch-Protection check. Only the default branch is supported. See
     8    # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
     9    branch_protection_rule:
    10    # To guarantee Maintained check is occasionally updated. See
    11    # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
    12    schedule:
    13      - cron: '20 7 * * 2'
    14    push:
    15      branches: ["main"]
    16  
    17  # Declare default permissions as read only.
    18  permissions: read-all
    19  
    20  jobs:
    21    analysis:
    22      name: Scorecard analysis
    23      runs-on: ubuntu-latest
    24      permissions:
    25        # Needed to upload the results to code-scanning dashboard.
    26        security-events: write
    27        # Needed to publish results and get a badge (see publish_results below).
    28        id-token: write
    29        contents: read
    30        actions: read
    31  
    32      steps:
    33        - name: Harden Runner
    34          uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
    35          with:
    36            egress-policy: audit
    37  
    38        - name: "Checkout code"
    39          uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
    40          with:
    41            persist-credentials: false
    42  
    43        - name: "Run analysis"
    44          uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
    45          with:
    46            results_file: results.sarif
    47            results_format: sarif
    48            # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
    49            # - you want to enable the Branch-Protection check on a *public* repository, or
    50            # - you are installing Scorecards on a *private* repository
    51            # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
    52            # repo_token: ${{ secrets.SCORECARD_TOKEN }}
    53  
    54            # Public repositories:
    55            #   - Publish results to OpenSSF REST API for easy access by consumers
    56            #   - Allows the repository to include the Scorecard badge.
    57            #   - See https://github.com/ossf/scorecard-action#publishing-results.
    58            # For private repositories:
    59            #   - `publish_results` will always be set to `false`, regardless
    60            #     of the value entered here.
    61            publish_results: true
    62  
    63        # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
    64        # format to the repository Actions tab.
    65        - name: "Upload artifact"
    66          uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
    67          with:
    68            name: SARIF file
    69            path: results.sarif
    70            retention-days: 5
    71  
    72        # Upload the results to GitHub's code scanning dashboard.
    73        - name: "Upload to code-scanning"
    74          uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
    75          with:
    76            sarif_file: results.sarif