comparison .github/workflows/ossf-scorecard.yml @ 7125:264ddc581f4f
add ossf-scorecard security evaluation
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 23 Jan 2023 20:28:55 -0500 |
| parents | |
| children | 1be1eedbf593 |
| 7124:e65f808d55eb | 7125:264ddc581f4f |
|---|---|
| 1 # This workflow uses actions that are not certified by GitHub. They are provided | |
| 2 # by a third-party and are governed by separate terms of service, privacy | |
| 3 # policy, and support documentation. | |
| 4 | |
| 5 name: Scorecard supply-chain security | |
| 6 on: | |
| 7 # For Branch-Protection check. Only the default branch is supported. See | |
| 8 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection | |
| 9 branch_protection_rule: | |
| 10 # To guarantee Maintained check is occasionally updated. See | |
| 11 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained | |
| 12 schedule: | |
| 13 - cron: '25 21 * * 5' | |
| 14 push: | |
| 15 branches: [ "master" ] | |
| 16 | |
| 17 # Declare default permissions as read only. | |
| 18 permissions: read-all | |
| 19 | |
| 20 jobs: | |
| 21 analysis: | |
| 22 name: Scorecard analysis | |
| 23 runs-on: ubuntu-latest | |
| 24 permissions: | |
| 25 # Needed to upload the results to code-scanning dashboard. | |
| 26 security-events: write | |
| 27 # Needed to publish results and get a badge (see publish_results below). | |
| 28 id-token: write | |
| 29 # Uncomment the permissions below if installing in a private repository. | |
| 30 # contents: read | |
| 31 # actions: read | |
| 32 | |
| 33 steps: | |
| 34 - name: "Checkout code" | |
| 35 uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 | |
| 36 with: | |
| 37 persist-credentials: false | |
| 38 | |
| 39 - name: "Run analysis" | |
| 40 uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 | |
| 41 with: | |
| 42 results_file: results.sarif | |
| 43 results_format: sarif | |
| 44 # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: | |
| 45 # - you want to enable the Branch-Protection check on a *public* repository, or | |
| 46 # - you are installing Scorecard on a *private* repository | |
| 47 # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. | |
| 48 # repo_token: ${{ secrets.SCORECARD_TOKEN }} | |
| 49 | |
| 50 # Public repositories: | |
| 51 # - Publish results to OpenSSF REST API for easy access by consumers | |
| 52 # - Allows the repository to include the Scorecard badge. | |
| 53 # - See https://github.com/ossf/scorecard-action#publishing-results. | |
| 54 # For private repositories: | |
| 55 # - `publish_results` will always be set to `false`, regardless | |
| 56 # of the value entered here. | |
| 57 publish_results: true | |
| 58 | |
| 59 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF | |
| 60 # format to the repository Actions tab. | |
| 61 - name: "Upload artifact" | |
| 62 uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 | |
| 63 with: | |
| 64 name: SARIF file | |
| 65 path: results.sarif | |
| 66 retention-days: 5 | |
| 67 | |
| 68 # Upload the results to GitHub's code scanning dashboard. | |
| 69 - name: "Upload to code-scanning" | |
| 70 uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27 | |
| 71 with: | |
| 72 sarif_file: results.sarif |
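Review bot: The `push` trigger on line 14–15 is hard-wired to `"master"`, and the Scorecard comments on lines 7–11 note that the Branch-Protection and Maintained checks only evaluate the repository's default branch; this project is primarily hosted in Mercurial, so if the GitHub mirror's default branch is ever not `master`, the push-triggered run will silently never fire and only the weekly cron will remain — worth stating in the file. The three actions are pinned to commit SHAs with version comments (lines 35, 40, 62, 70), which is the right supply-chain posture, but nothing here keeps those SHAs and their `# vX.Y.Z` comments in sync over time, so the version annotations will drift from reality unless an updater for the `github-actions` ecosystem is configured. I would add above the `uses:` lines a comment such as `# Actions are pinned by commit SHA; bump the SHA and the version comment together (ideally via an automated updater).` and a short comment on line 15 noting that `master` must remain the mirror's default branch for the push trigger to be meaningful.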
