Skip to content

Commit f218bf8

Browse files
ci: Add OSSF Scorecard action
This gives use a quick overview of our security.
1 parent 5dfefea commit f218bf8

File tree

1 file changed

+58
-0
lines changed

1 file changed

+58
-0
lines changed

.github/workflows/scorecard.yml

+58
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,58 @@
1+
name: Scorecard supply-chain security
2+
on:
3+
# For Branch-Protection check. Only the default branch is supported. See
4+
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
5+
branch_protection_rule:
6+
# To guarantee Maintained check is occasionally updated. See
7+
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
8+
schedule:
9+
- cron: '30 4 * * 0'
10+
push:
11+
branches:
12+
- gardena/rs/upstream/run-openssf-score-card
13+
- main
14+
15+
permissions: read-all
16+
17+
jobs:
18+
analysis:
19+
name: Scorecard analysis
20+
runs-on: ubuntu-latest
21+
permissions:
22+
# Needed to upload the results to code-scanning dashboard.
23+
security-events: write
24+
# Needed to publish results and get a badge (see publish_results below).
25+
id-token: write
26+
27+
steps:
28+
- name: "Checkout code"
29+
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
30+
with:
31+
persist-credentials: false
32+
33+
- name: "Run analysis"
34+
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
35+
with:
36+
results_file: results.sarif
37+
results_format: sarif
38+
# - Publish results to OpenSSF REST API for easy access by consumers
39+
# - Allows the repository to include the Scorecard badge.
40+
# - See https://github.com/ossf/scorecard-action#publishing-results.
41+
publish_results: true
42+
43+
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
44+
# format to the repository Actions tab.
45+
- name: "Upload artifact"
46+
uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
47+
with:
48+
name: SARIF file
49+
path: results.sarif
50+
retention-days: 5
51+
52+
# Upload the results to GitHub's code scanning dashboard (optional).
53+
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
54+
- name: "Upload to code-scanning"
55+
uses: github/codeql-action/upload-sarif@v3
56+
with:
57+
sarif_file: results.sarif
58+

0 commit comments

Comments
 (0)