Skip to content

Commit 5419cbc

Browse files
committed
Update OSSF scorecard workflow permissions
1 parent 32b19aa commit 5419cbc

File tree

2 files changed

+46
-67
lines changed

2 files changed

+46
-67
lines changed

.github/workflows/ossf-scorecard.yml

+46
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,46 @@
1+
name: OSSF Scorecard
2+
3+
on:
4+
push:
5+
branches:
6+
- main
7+
schedule:
8+
- cron: "43 6 * * 5" # weekly at 06:43 (UTC) on Friday
9+
10+
permissions: read-all
11+
12+
jobs:
13+
analysis:
14+
runs-on: ubuntu-latest
15+
permissions:
16+
# Needed for Code scanning upload
17+
security-events: write
18+
# Needed for GitHub OIDC token if publish_results is true
19+
id-token: write
20+
steps:
21+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
22+
with:
23+
persist-credentials: false
24+
25+
- uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
26+
with:
27+
results_file: results.sarif
28+
results_format: sarif
29+
publish_results: true
30+
31+
# Upload the results as artifacts (optional). Commenting out will disable
32+
# uploads of run results in SARIF format to the repository Actions tab.
33+
# https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
34+
- name: "Upload artifact"
35+
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
36+
with:
37+
name: SARIF file
38+
path: results.sarif
39+
retention-days: 5
40+
41+
# Upload the results to GitHub's code scanning dashboard (optional).
42+
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
43+
- name: "Upload to code-scanning"
44+
uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
45+
with:
46+
sarif_file: results.sarif

.github/workflows/scorecard.yml

-67
This file was deleted.

0 commit comments

Comments
 (0)