11name : Scorecards supply-chain security
2- on :
3- workflow_dispatch :
2+ on :
3+ # Only the default branch is supported.
4+ branch_protection_rule :
5+ schedule :
6+ # Weekly on Saturdays.
7+ - cron : " 30 1 * * 6"
48 push :
5- branches : [ main, master ]
9+ branches : [main, master]
610
711# Declare default permissions as read only.
812permissions : read-all
@@ -14,40 +18,45 @@ jobs:
1418 permissions :
1519 # Needed to upload the results to code-scanning dashboard.
1620 security-events : write
21+ # Used to receive a badge. (Upcoming feature)
22+ id-token : write
1723 actions : read
1824 contents : read
19-
25+
2026 steps :
2127 - name : " Checkout code"
22- uses : actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4 .0
28+ uses : actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0 .0
2329 with :
2430 persist-credentials : false
2531
2632 - name : " Run analysis"
27- uses : ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # v1.0 .1
33+ uses : ossf/scorecard-action@e363bfca00e752f91de7b7d2a77340e2e523cb18 # tag= v1.1 .1
2834 with :
2935 results_file : results.sarif
3036 results_format : sarif
31- # Read-only PAT token. To create it,
32- # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
33- repo_token : ${{ secrets.GITHUB_TOKEN }}
37+ # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
38+ # - you want to enable the Branch-Protection check on a *public* repository, or
39+ # - you are installing Scorecards on a *private* repository
40+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
41+ # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
42+
3443 # Publish the results for public repositories to enable scorecard badges. For more details, see
35- # https://github.com/ossf/scorecard-action#publishing-results.
36- # For private repositories, `publish_results` will automatically be set to `false`, regardless
44+ # https://github.com/ossf/scorecard-action#publishing-results.
45+ # For private repositories, `publish_results` will automatically be set to `false`, regardless
3746 # of the value entered here.
3847 publish_results : true
3948
4049 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
4150 # format to the repository Actions tab.
4251 - name : " Upload artifact"
43- uses : actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
52+ uses : actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
4453 with :
4554 name : SARIF file
4655 path : results.sarif
4756 retention-days : 5
48-
57+
4958 # Upload the results to GitHub's code scanning dashboard.
5059 - name : " Upload to code-scanning"
51- uses : github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
60+ uses : github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag= v1.0.26
5261 with :
5362 sarif_file : results.sarif
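Review bot: The new `id-token: write` in the job-level `permissions` block widens the job's token scope for a feature the adjacent comment itself calls upcoming, which cuts against the `permissions: read-all` default this file declares; every step in the job — including the three pinned third-party actions — could then request an OIDC token from the runner. I would leave the permission out until the badge feature is actually consumed, or if it must stay, make the comment state the condition under which it comes back out, e.g. `# Used to receive a badge. (Upcoming feature) — drop this if publish_results is set to false.`. The rest of the hunk is sound from a supply-chain standpoint: all `uses:` references are pinned to full commit SHAs with version tags in trailing comments, and `persist-credentials: false` is kept on checkout. The enclosing job (its `jobs:` key, name and `runs-on`) starts before this hunk.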