|
1 |
| -# This workflow uses actions that are not certified by GitHub. They are provided |
2 |
| -# by a third-party and are governed by separate terms of service, privacy |
3 |
| -# policy, and support documentation. |
4 |
| - |
5 |
| -name: Scorecard supply-chain security |
| 1 | +name: Scorecard analysis workflow |
6 | 2 | on:
|
7 |
| - # For Branch-Protection check. Only the default branch is supported. See |
8 |
| - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection |
9 |
| - branch_protection_rule: |
10 |
| - # To guarantee Maintained check is occasionally updated. See |
11 |
| - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained |
12 |
| - schedule: |
13 |
| - - cron: '20 7 * * 2' |
14 | 3 | push:
|
15 |
| - branches: ["main"] |
| 4 | + # Only the default branch is supported. |
| 5 | + branches: |
| 6 | + - main |
| 7 | + schedule: |
| 8 | + # Weekly on Saturdays. |
| 9 | + - cron: '30 1 * * 6' |
16 | 10 |
|
17 |
| -# Declare default permissions as read only. |
18 | 11 | permissions: read-all
|
19 | 12 |
|
20 | 13 | jobs:
|
21 | 14 | analysis:
|
22 | 15 | name: Scorecard analysis
|
23 | 16 | runs-on: ubuntu-latest
|
24 | 17 | permissions:
|
25 |
| - # Needed to upload the results to code-scanning dashboard. |
| 18 | + # Needed for Code scanning upload |
26 | 19 | security-events: write
|
27 |
| - # Needed to publish results and get a badge (see publish_results below). |
| 20 | + # Needed for GitHub OIDC token if publish_results is true |
28 | 21 | id-token: write
|
29 |
| - contents: read |
30 |
| - actions: read |
31 | 22 |
|
32 | 23 | steps:
|
33 |
| - - name: Harden Runner |
34 |
| - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 |
35 |
| - with: |
36 |
| - egress-policy: audit |
37 |
| - |
38 | 24 | - name: "Checkout code"
|
39 |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 |
| 25 | + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 |
40 | 26 | with:
|
41 | 27 | persist-credentials: false
|
42 | 28 |
|
43 | 29 | - name: "Run analysis"
|
44 |
| - uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 |
| 30 | + uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 |
45 | 31 | with:
|
46 | 32 | results_file: results.sarif
|
47 | 33 | results_format: sarif
|
48 |
| - # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: |
49 |
| - # - you want to enable the Branch-Protection check on a *public* repository, or |
50 |
| - # - you are installing Scorecards on a *private* repository |
51 |
| - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. |
52 |
| - # repo_token: ${{ secrets.SCORECARD_TOKEN }} |
53 |
| - |
54 |
| - # Public repositories: |
55 |
| - # - Publish results to OpenSSF REST API for easy access by consumers |
56 |
| - # - Allows the repository to include the Scorecard badge. |
57 |
| - # - See https://github.com/ossf/scorecard-action#publishing-results. |
58 |
| - # For private repositories: |
59 |
| - # - `publish_results` will always be set to `false`, regardless |
60 |
| - # of the value entered here. |
| 34 | + # Scorecard team runs a weekly scan of public GitHub repos, |
| 35 | + # see https://github.com/ossf/scorecard#public-data. |
| 36 | + # Setting `publish_results: true` helps us scale by leveraging your workflow to |
| 37 | + # extract the results instead of relying on our own infrastructure to run scans. |
| 38 | + # And it's free for you! |
61 | 39 | publish_results: true
|
62 | 40 |
|
63 |
| - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF |
64 |
| - # format to the repository Actions tab. |
| 41 | + # Upload the results as artifacts (optional). Commenting out will disable |
| 42 | + # uploads of run results in SARIF format to the repository Actions tab. |
| 43 | + # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts |
65 | 44 | - name: "Upload artifact"
|
66 |
| - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 |
| 45 | + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 |
67 | 46 | with:
|
68 | 47 | name: SARIF file
|
69 | 48 | path: results.sarif
|
70 | 49 | retention-days: 5
|
71 | 50 |
|
72 |
| - # Upload the results to GitHub's code scanning dashboard. |
| 51 | + # Upload the results to GitHub's code scanning dashboard (optional). |
| 52 | + # Commenting out will disable upload of results to your repo's Code Scanning dashboard |
73 | 53 | - name: "Upload to code-scanning"
|
74 |
| - uses: github/codeql-action/upload-sarif@162eb1e32abe518e88bd229ebc8784a533ceaa51 # v2.25.6 |
| 54 | + uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6 |
75 | 55 | with:
|
76 | 56 | sarif_file: results.sarif
|