---
name: Scorecards supply-chain security

# Triggers: weekly cron, pushes to master, and branch-protection changes
# (the branch_protection_rule event is only delivered for the default branch).
on:
  branch_protection_rule:
  schedule:
    - cron: '21 2 * * 5'
  push:
    branches:
      - master

# Workflow-wide default is read-only; jobs widen permissions explicitly.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
      # Required to upload the SARIF file to the code-scanning dashboard.
      security-events: write
      # NOTE(review): newer scorecard-action releases publish results via OIDC
      # (`id-token: write`) instead of a PAT; check the action's README when
      # bumping the pin below.

    steps:
      # Every action is pinned to a commit SHA; the trailing comment records
      # the release tag the SHA was taken from.
      - name: "Checkout code"
        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
        with:
          # Do not leave the checkout token in .git/config for later steps.
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@ce330fde6b1a5c9c75b417e7efc510b822a35564 # v1.1.2
        with:
          results_format: sarif
          results_file: results.sarif
          # Read-only PAT; creation steps are described at
          # https://github.com/ossf/scorecard-action#pat-token-creation.
          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
          # Publishing enables scorecard badges, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          # On private repositories the action forces this to false
          # whatever is set here.
          publish_results: true

      # Optional: keep the raw SARIF as a short-lived build artifact.
      - name: "Upload artifact"
        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Feed the SARIF into GitHub's code-scanning dashboard.
      # NOTE(review): this pin is a codeql-action v1 release; GitHub has since
      # retired the v1 line — confirm the step still runs and bump the pin.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
        with:
          sarif_file: results.sarif