44
55name : Scorecards supply-chain security
66on :
7- # For Branch-Protection check. Only the default branch is supported. See
8- # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
9- branch_protection_rule :
107 # To guarantee Maintained check is occasionally updated. See
118 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
129 schedule :
1310 - cron : ' 25 15 * * 3'
1411 push :
15- branches : [ "main" ]
16- pull_request :
1712 branches :
1813 - main
1914
@@ -36,12 +31,12 @@ jobs:
3631
3732 steps :
3833 - name : " Checkout code"
39- uses : actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3 .1.0
34+ uses : actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 .1.6
4035 with :
4136 persist-credentials : false
4237
4338 - name : " Run analysis"
44- uses : ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
39+ uses : ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
4540 with :
4641 results_file : results.sarif
4742 results_format : sarif
@@ -63,14 +58,14 @@ jobs:
6358 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
6459 # format to the repository Actions tab.
6560 - name : " Upload artifact"
66- uses : actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
61+ uses : actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
6762 with :
6863 name : SARIF file
6964 path : results.sarif
7065 retention-days : 5
7166
7267 # Upload the results to GitHub's code scanning dashboard.
7368 - name : " Upload to code-scanning"
74- uses : github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27
69+ uses : github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
7570 with :
7671 sarif_file : results.sarif
0 commit comments