Text file src/github.com/sigstore/rekor/.github/workflows/scorecard_action.yml

Documentation: github.com/sigstore/rekor/.github/workflows

name: Scorecards supply-chain security
on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    # Weekly on Saturdays.
    - cron: '30 1 * * 6'
  push:
    branches:
      - main
      - 'release-**'

# Declare default permissions as none.
permissions: {}

jobs:
  analysis:
    name: Scorecard analysis
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write
    uses: sigstore/community/.github/workflows/reusable-scorecard.yml@main
    # (Optional) Disable publish results:
    # with:
    #   publish_results: false

    # (Optional) Enable Branch-Protection check:
    secrets:
      scorecard_token: ${{ secrets.SCORECARD_TOKEN }}
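Added example, not code from the rekor repository or the sigstore reusable workflow: a dependency-free Python scanner that checks a workflow for the two properties this file relies on, an empty top-level `permissions:` with narrow job-level grants, and reports any `uses:` reference not pinned to a full commit SHA. The embedded workflow text is a constructed, abbreviated copy of the file above, and the allow-list of write scopes a Scorecard job may hold is an assumption.

```python
"""Added example, not rekor's code: line-oriented (no PyYAML) checks for deny-by-default permissions and pinned `uses:` refs."""
import re
# Constructed, abbreviated copy of this page's workflow (the `on:` block is omitted).
WORKFLOW = """\
permissions: {}
jobs:
  analysis:
    permissions:
      security-events: write
      id-token: write
    uses: sigstore/community/.github/workflows/reusable-scorecard.yml@main
    secrets:
      scorecard_token: ${{ secrets.SCORECARD_TOKEN }}
"""

def permissions(text):
    """Map 'workflow' and each job id to the permissions it declares."""
    result, scope, in_jobs, block = {}, "workflow", False, None
    for line in filter(None, (r.split("#", 1)[0].rstrip() for r in text.splitlines())):
        indent = len(line) - len(line.lstrip())
        if block is not None and indent > block:      # entry of an open permissions map
            key, _, val = line.strip().partition(":")
            result[scope][key] = val.strip()
            continue
        block = None
        if indent == 0:
            scope, in_jobs = "workflow", line.startswith("jobs:")
        elif in_jobs and indent == 2:
            scope = line.strip().rstrip(":")          # a job id under jobs:
        if line.strip().startswith("permissions:"):
            inline = line.split(":", 1)[1].strip()    # "", "{}", or a scalar like write-all
            result[scope] = {} if inline in ("", "{}") else {"*": inline}
            block = indent if inline == "" else None
    return result

def findings(text, allowed_write=frozenset({"security-events", "id-token"})):
    """Policy violations for a Scorecard-style workflow; an empty list means it passes."""
    perms, out = permissions(text), []
    if perms.get("workflow") != {}:
        out.append("top-level permissions should be `{}` (deny by default)")
    for job, grants in perms.items():
        extra = {k for k, v in grants.items() if v == "write"} - allowed_write
        if job != "workflow" and extra:
            out.append(f"job {job!r} grants unexpected write scopes {sorted(extra)}")
    for m in re.finditer(r"^\s*(?:-\s*)?uses:\s*(\S+)", text, re.M):
        ref = m.group(1)                              # owner/repo/path@ref
        if not re.fullmatch(r"[0-9a-f]{40}", ref.rpartition("@")[2]):
            out.append(f"`uses: {ref}` is not pinned to a commit SHA")
    return out
```

On the file above the scanner reports only that the reusable workflow is referenced by the mutable `@main` ref rather than a commit SHA; the permission layout itself passes.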
