8 Commits

Author SHA1 Message Date
Spencer Schrock 4a5b4939a6 add future looking pull_request event to conditional
Scorecard currently has experimental support for the `pull_request`
trigger, so we want to allow analysis to be run for it in the future.

Signed-off-by: Spencer Schrock <sschrock@google.com>
2025-02-24 11:32:33 -07:00
Josh Soref 41e00af395 Limit scorecard to default branch
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-02-24 11:32:28 -07:00
Spencer Schrock f70f9c8252 bump action versions to latest to resolve issues
1. Scorecard update v2.4.1 was released, which includes months of bug
   fixes and a new `file_mode` input to address a .gitattributes bug.
2. Bumped actions/upload-artifact to the v4 branch. This was previously
   kept at v3 as GHES doesn't support v4, but github.com no longer
   supports v3: as uploads return the following error "Create Artifact
   Container failed: The artifact name JSON file is not valid."

  Signed-off-by: Spencer Schrock <sschrock@google.com>
2025-02-24 11:27:23 -07:00
Josh Soref 570cd926cd Switch github upload sarif to tag
GitHub owned actions are allowed to use tags instead of SHAs

Co-authored-by: Jacob Wallraff <thyeggman@github.com>
2024-07-29 14:37:50 -04:00
Josh Soref 763a1a60f8 Upload-Sarif: Update all workflows to use Upload-Sarif V3 2024-07-25 09:43:06 -04:00
Spencer Schrock 4620c76b38 update Scorecard Action hashes and version comments (#2348)
* update action hashes and version comments

ossf/scorecard-action v2.1.2 is old and doesn't work after a Sigstore
change. https://blog.sigstore.dev/tuf-root-update/

Signed-off-by: Spencer Schrock <sschrock@google.com>

* downgrade actions/upload-artifact to node20 version of v3

dependabot will suggest upgrade to v4.3.1 for repos that can upgrade.
note: v3.pre.node20 is how dependabot refers to the pinned hash, so
use that so it can upgrade the comment

Signed-off-by: Spencer Schrock <sschrock@google.com>

* upgrade github/codeql-action/upload-sarif to v3.24.9

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: Alexis Abril <alexisabril@github.com>
2024-03-27 13:25:03 -07:00
Chris Carini 10f6091ee8 Update scorecard.yml with latest releases (#1944)
Update scorecard.yml with latest releases for ossf/scorecard-action & github/codeql-action/upload-sarif
2023-02-16 11:39:52 +05:30
Gabriela Gutierrez 9f245d9aba Update 'Scorecards' occurrences to 'Scorecard' (#1889)
* Update Scorecard naming occurrences

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* Update Scorecard icon naming

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* Update Scorecard workflow naming

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Co-authored-by: Sampark Sharma <phantsure@github.com>
2023-01-03 13:49:28 +05:30