From f70f9c8252eb9b8f08f52c35e28be7337259bd13 Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Mon, 24 Feb 2025 11:11:43 -0700 Subject: [PATCH 1/3] bump action versions to latest to resolve issues 1. Scorecard update v2.4.1 was released, which includes months of bug fixes and a new `file_mode` input to address a .gitattributes bug. 2. Bumped actions/upload-artifact to the v4 branch. This was previously kept at v3 as GHES doesn't support v4, but github.com no longer supports v3: as uploads return the following error "Create Artifact Container failed: The artifact name JSON file is not valid." Signed-off-by: Spencer Schrock --- code-scanning/scorecard.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index b58ec1f..9381468 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -32,12 +32,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 with: results_file: results.sarif results_format: sarif @@ -56,10 +56,13 @@ jobs: # of the value entered here. publish_results: true + # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore + # file_mode: git + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 with: name: SARIF file path: results.sarif From 41e00af395c8dace730165ef22d546e504b5c305 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Tue, 4 Feb 2025 15:54:05 -0500 Subject: [PATCH 2/3] Limit scorecard to default branch Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- code-scanning/scorecard.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 9381468..248c9f9 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -21,6 +21,8 @@ jobs: analysis: name: Scorecard analysis runs-on: ubuntu-latest + # This action only works when run from the default branch + if: github.event.repository.default_branch == github.ref_name permissions: # Needed to upload the results to code-scanning dashboard. security-events: write From 4a5b4939a642720a98cb0c99db033cf7722eeced Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Mon, 24 Feb 2025 11:19:07 -0700 Subject: [PATCH 3/3] add future looking pull_request event to conditional Scorecard currently has experimental support for the `pull_request` trigger, so we want to allow analysis to be run for it in the future. Signed-off-by: Spencer Schrock --- code-scanning/scorecard.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 248c9f9..b5b838e 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -21,8 +21,8 @@ jobs: analysis: name: Scorecard analysis runs-on: ubuntu-latest - # This action only works when run from the default branch - if: github.event.repository.default_branch == github.ref_name + # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled. + if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request' permissions: # Needed to upload the results to code-scanning dashboard. security-events: write