
Text file src/sigs.k8s.io/controller-runtime/.github/workflows/ossf-scorecard.yaml


     1name: Scorecard supply-chain security
     2on:
     3  # For Branch-Protection check. Only the default branch is supported. See
     4  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
     5  branch_protection_rule:
     6  # To guarantee Maintained check is occasionally updated. See
     7  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
     8  schedule:
     9    # Weekly on Saturdays.
    10    - cron: '30 1 * * 6'
    11  push:
    12    branches: [ "main" ]
    13
    14# Declare default permissions as read only.
    15permissions: read-all
    16
    17jobs:
    18  analysis:
    19    name: Scorecard analysis
    20    runs-on: ubuntu-latest
    21    permissions:
    22      # Needed if using Code scanning alerts
    23      security-events: write
    24      # Needed for GitHub OIDC token if publish_results is true
    25      id-token: write
    26
    27    steps:
    28      - name: "Checkout code"
    29        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # tag=v4.1.3
    30        with:
    31          persist-credentials: false
    32
    33      - name: "Run analysis"
    34        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # tag=v2.3.1
    35        with:
    36          results_file: results.sarif
    37          results_format: sarif
    38          # Public repositories:
    39          #   - Publish results to OpenSSF REST API for easy access by consumers
    40          #   - Allows the repository to include the Scorecard badge.
    41          #   - See https://github.com/ossf/scorecard-action#publishing-results.
    42          publish_results: true
    43
    44      # Upload the results as artifacts.
    45      - name: "Upload artifact"
    46        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # tag=v4.3.3
    47        with:
    48          name: SARIF file
    49          path: results.sarif
    50          retention-days: 5
    51
    52      # required for Code scanning alerts
    53      - name: "Upload to code-scanning"
    54        uses: github/codeql-action/upload-sarif@83a02f7883b12e0e4e1a146174f5e2292a01e601 # tag=v2.16.4
    55        with:
    56          sarif_file: results.sarif
