Mercurial > p > roundup > code
annotate .github/workflows/ossf-scorecard.yml @ 8264:09e8d1a4c796
docs: clarify wording, fix index, add superseder link
Make superseder, messages etc. properties index entries point to the
right place.
Link to description of using Superseder in the original overview.
fix bad wording on boolean properties.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 08 Jan 2025 11:39:54 -0500 |
| parents | edd93fa4a5ec |
| children | 85198b53b999 |
| rev | line source |
|---|---|
|
7125
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
1 # This workflow uses actions that are not certified by GitHub. They are provided |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
2 # by a third-party and are governed by separate terms of service, privacy |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
3 # policy, and support documentation. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
4 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
5 name: Scorecard supply-chain security |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
6 on: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
7 # For Branch-Protection check. Only the default branch is supported. See |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
8 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
9 branch_protection_rule: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
10 # To guarantee Maintained check is occasionally updated. See |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
11 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
12 schedule: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
13 - cron: '25 21 * * 5' |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
14 push: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
15 branches: [ "master" ] |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
16 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
17 # Declare default permissions as read only. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
18 permissions: read-all |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
19 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
20 jobs: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
21 analysis: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
22 name: Scorecard analysis |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
23 runs-on: ubuntu-latest |
|
7194
8dc5b3739367
Prevent github actions from running if commit includes 'no-github-ci'
John Rouillard <rouilj@ieee.org>
parents:
7186
diff
changeset
|
24 |
|
8dc5b3739367
Prevent github actions from running if commit includes 'no-github-ci'
John Rouillard <rouilj@ieee.org>
parents:
7186
diff
changeset
|
25 if: "!contains(github.event.head_commit.message, 'no-github-ci')" |
|
8dc5b3739367
Prevent github actions from running if commit includes 'no-github-ci'
John Rouillard <rouilj@ieee.org>
parents:
7186
diff
changeset
|
26 |
|
7125
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
27 permissions: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
28 # Needed to upload the results to code-scanning dashboard. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
29 security-events: write |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
30 # Needed to publish results and get a badge (see publish_results below). |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
31 id-token: write |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
32 # Uncomment the permissions below if installing in a private repository. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
33 # contents: read |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
34 # actions: read |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
35 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
36 steps: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
37 - name: "Checkout code" |
|
7729
edd93fa4a5ec
chore: update actions in gihub workflows.
John Rouillard <rouilj@ieee.org>
parents:
7657
diff
changeset
|
38 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 |
|
7125
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
39 with: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
40 persist-credentials: false |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
41 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
42 - name: "Run analysis" |
|
7729
edd93fa4a5ec
chore: update actions in gihub workflows.
John Rouillard <rouilj@ieee.org>
parents:
7657
diff
changeset
|
43 uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.10 |
|
7125
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
44 with: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
45 results_file: results.sarif |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
46 results_format: sarif |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
47 # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
48 # - you want to enable the Branch-Protection check on a *public* repository, or |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
49 # - you are installing Scorecard on a *private* repository |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
50 # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
51 # repo_token: ${{ secrets.SCORECARD_TOKEN }} |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
52 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
53 # Public repositories: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
54 # - Publish results to OpenSSF REST API for easy access by consumers |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
55 # - Allows the repository to include the Scorecard badge. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
56 # - See https://github.com/ossf/scorecard-action#publishing-results. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
57 # For private repositories: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
58 # - `publish_results` will always be set to `false`, regardless |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
59 # of the value entered here. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
60 publish_results: true |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
61 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
62 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
63 # format to the repository Actions tab. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
64 - name: "Upload artifact" |
|
7729
edd93fa4a5ec
chore: update actions in gihub workflows.
John Rouillard <rouilj@ieee.org>
parents:
7657
diff
changeset
|
65 uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 |
|
7125
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
66 with: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
67 name: SARIF file |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
68 path: results.sarif |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
69 retention-days: 5 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
70 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
71 # Upload the results to GitHub's code scanning dashboard. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
72 - name: "Upload to code-scanning" |
|
7729
edd93fa4a5ec
chore: update actions in gihub workflows.
John Rouillard <rouilj@ieee.org>
parents:
7657
diff
changeset
|
73 uses: github/codeql-action/upload-sarif@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1 |
|
7125
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
74 with: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
75 sarif_file: results.sarif |