OpenSSF Scorecard #9
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: OpenSSF Scorecard | |
| # Runs the OpenSSF Scorecard against this repo and uploads results to the | |
| # GitHub Security tab + the public OpenSSF scorecard API. | |
| # | |
| # Standard workflow from https://github.com/ossf/scorecard-action | |
| on: | |
| branch_protection_rule: | |
| schedule: | |
| # Tuesdays 06:00 UTC | |
| - cron: "0 6 * * 2" | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| permissions: read-all | |
| jobs: | |
| analysis: | |
| name: Scorecard analysis | |
| # Scorecard needs public-repo APIs (full commit history access, public | |
| # results publication). While the repo is private this run errors with | |
| # "Resource not accessible by integration". Gate on visibility so the | |
| # workflow activates automatically when the repo flips public. | |
| if: ${{ github.event.repository.visibility == 'public' }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| id-token: write | |
| contents: read | |
| actions: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Run analysis | |
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 | |
| with: | |
| results_file: results.sarif | |
| results_format: sarif | |
| publish_results: true | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: SARIF file | |
| path: results.sarif | |
| retention-days: 5 | |
| - name: Upload to code-scanning | |
| uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 | |
| with: | |
| sarif_file: results.sarif |