diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index a756c2b..cbd0e01 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -1,5 +1,5 @@ name: Scorecards supply-chain security -on: +on: # Only the default branch is supported. branch_protection_rule: schedule: @@ -19,7 +19,7 @@ jobs: security-events: write actions: read contents: read - + steps: - name: "Checkout code" uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 @@ -36,8 +36,8 @@ jobs: repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} # Publish the results to enable scorecard badges. For more details, see # https://github.com/ossf/scorecard-action#publishing-results. - # Note: for private repositories, the value of `publish_results` set here - # is ignored and defaults to false. + # For private repositories, `publish_results` will automatically be set to `false`, + # regardless of the value entered here. publish_results: true # Upload the results as artifacts (optional). @@ -47,7 +47,7 @@ jobs: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26