-
Notifications
You must be signed in to change notification settings - Fork 824
49 lines (43 loc) · 1.87 KB
/
Copy pathscorecards.yaml
File metadata and controls
49 lines (43 loc) · 1.87 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
name: Scorecards
on:
# tag-only push trigger (not branches) so that OIDC token minting is bounded to release events,
# which is a more controlled action than a branch merge. The weekly cron keeps the badge fresh
# between releases, and workflow_dispatch allows manual runs.
push:
tags: ["v*"]
schedule:
- cron: "0 0 * * 1" # weekly on Monday
workflow_dispatch:
permissions: {}
jobs:
analysis:
name: Scorecards analysis
runs-on: ubuntu-latest
# gates OIDC token minting behind a GitHub deployment environment with protection rules.
# The environment's deployment branch/tag policy MUST include tag pattern "v*" to match the
# push trigger above, otherwise tag-triggered runs will be blocked from starting.
environment: scorecard
permissions:
contents: read
security-events: write # upload results to code-scanning dashboard
id-token: write # receive a badge
steps:
- name: "Checkout code"
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: results.sarif
results_format: sarif
# Publish the results for public repositories to enable scorecard badges. For more details, see
# https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories, `publish_results` will automatically be set to `false`, regardless
# of the value entered here.
publish_results: true
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
with:
sarif_file: results.sarif