Skip to content

chore(deps): update anchore dependencies (#3498) #78

chore(deps): update anchore dependencies (#3498)

chore(deps): update anchore dependencies (#3498) #78

Workflow file for this run

name: Scorecards
on:
# tag-only push trigger (not branches) so that OIDC token minting is bounded to release events,
# which is a more controlled action than a branch merge. The weekly cron keeps the badge fresh
# between releases, and workflow_dispatch allows manual runs.
push:
tags: ["v*"]
schedule:
- cron: "0 0 * * 1" # weekly on Monday
workflow_dispatch:
permissions: {}
jobs:
analysis:
name: Scorecards analysis
runs-on: ubuntu-latest
# gates OIDC token minting behind a GitHub deployment environment with protection rules.
# The environment's deployment branch/tag policy MUST include tag pattern "v*" to match the
# push trigger above, otherwise tag-triggered runs will be blocked from starting.
environment: scorecard
permissions:
contents: read
security-events: write # upload results to code-scanning dashboard
id-token: write # receive a badge
steps:
- name: "Checkout code"
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: results.sarif
results_format: sarif
# Publish the results for public repositories to enable scorecard badges. For more details, see
# https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories, `publish_results` will automatically be set to `false`, regardless
# of the value entered here.
publish_results: true
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: results.sarif