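---
# OSSF Scorecard workflow: runs the Scorecard analysis on this repository,
# keeps the SARIF output as a short-lived artifact, and uploads it to
# GitHub code scanning. Every third-party action below is pinned to a full
# commit SHA; the trailing "tag=" comment is informational only, so bump the
# SHA and the tag comment together when upgrading.
name: Scorecard supply-chain security

on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    # Weekly on Saturdays.
    - cron: '30 1 * * 6'
  push:
    branches: ["main"]

# Declare default permissions as read only.
# A job-level `permissions:` block replaces this default for that job rather
# than adding to it, so the analysis job must list every scope it relies on.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed if using Code scanning alerts
      security-events: write
      # Needed for GitHub OIDC token if publish_results is true
      id-token: write
      # Public repositories are readable without an explicit grant. When
      # installing in a private repository, also grant the read scopes the
      # checkout and the analysis need:
      # contents: read
      # actions: read

    steps:
      - name: "Checkout code"
        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # tag=v4.1.3
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # tag=v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # Public repositories:
          # - Publish results to OpenSSF REST API for easy access by consumers
          # - Allows the repository to include the Scorecard badge.
          # - See https://github.com/ossf/scorecard-action#publishing-results.
          # Requires the id-token: write scope granted above.
          publish_results: true

      # Upload the results as artifacts.
      - name: "Upload artifact"
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # tag=v4.3.3
        with:
          name: SARIF file
          path: results.sarif
          # Keep the raw SARIF only briefly; code scanning holds the findings.
          retention-days: 5

      # required for Code scanning alerts (security-events: write above)
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@83a02f7883b12e0e4e1a146174f5e2292a01e601 # tag=v2.16.4
        with:
          sarif_file: results.sarif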