# GitHub Actions workflow that runs the Scorecard analysis through the
# sigstore/community reusable workflow and uploads the results to the
# repository's code-scanning dashboard (see the job permissions below).
name: Scorecards supply-chain security
# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader reads it as a key.
on:  # yamllint disable-line rule:truthy
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    # Weekly on Saturdays.
    - cron: '30 1 * * 6'
  push:
    branches:
      - main
      - 'release-**'

# Declare default permissions as none.
# Every job must then request the scopes it needs explicitly (the `analysis`
# job below does so), so the GITHUB_TOKEN carries nothing by default.
permissions: {}

jobs:
  analysis:
    name: Scorecard analysis
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write
    # NOTE(review): the reusable workflow is referenced by the mutable `main`
    # ref, so whatever that branch contains at run time is what executes here
    # with the permissions and secret granted above. Pinning to a full commit
    # SHA (and updating it deliberately) would make the consumed workflow
    # content immutable; if this repository lives in the same GitHub org as
    # sigstore/community, the exposure is limited to writers of that repo.
    uses: sigstore/community/.github/workflows/reusable-scorecard.yml@main
    # (Optional) Disable publish results:
    # with:
    #   publish_results: false

    # (Optional) Enable Branch-Protection check:
    # NOTE(review): SCORECARD_TOKEN is a repository/organization secret that
    # is forwarded to the reusable workflow; its privileges are fixed where
    # the token was issued, not here, so it should be scoped to the minimum
    # the Branch-Protection check needs.
    secrets:
      scorecard_token: ${{ secrets.SCORECARD_TOKEN }}