From a80536a617f6eb6cf9f1c398f5f163c24ec03e21 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 26 May 2022 14:46:58 +0000 Subject: [PATCH 1/2] Scorecard v1.1.0 hash bump --- code-scanning/scorecards.yml | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index a6bde3a..846988e 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -17,37 +17,43 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write + # Used to receive a badge. (Upcoming feature) + id-token: write actions: read contents: read - + steps: - name: "Checkout code" - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4 + uses: ossf/scorecard-action@5c8bc69dc88b65c66584e07611df79d3579b0377 # v1.1.0 with: results_file: results.sarif results_format: sarif - # Read-only PAT token. To create it, - # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. - repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - # Publish the results to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, - # regardless of the value entered here. + # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + + # Publish the results for public repositories to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless + # of the value entered here. publish_results: true - # Upload the results as artifacts (optional). + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 From 866ad3b83c8b7a0f0730c2a7ce908c46784c8a74 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 26 May 2022 14:50:13 +0000 Subject: [PATCH 2/2] updates --- code-scanning/scorecards.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 846988e..28fb7f3 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -24,7 +24,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 with: persist-credentials: false @@ -48,7 +48,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 with: name: SARIF file path: results.sarif