name: Scorecards supply-chain security on: # Only the default branch is supported. branch_protection_rule: schedule: # Weekly on Saturdays. - cron: '30 1 * * 6' push: branches: [ $default-branch ] # Declare default permissions as read only. permissions: read-all jobs: analysis: name: Scorecards analysis runs-on: ubuntu-latest permissions: # Needed to upload the results to code-scanning dashboard. security-events: write steps: - name: "Checkout code" uses: actions/checkout@v1 - name: "Run analysis" uses: ossf/scorecard-action@59f9117686133e93b60a8f23131f87089a076e1b with: results_file: results.sarif results_format: sarif # For the token, # 1. Create a PAT token at https://github.com/settings/tokens/new # with the following read permissions: # - Note: OSSF Scorecard read-only token # - Expiration: No expiration # - Scopes: # * repo > public_repo # * admin:org > read:org # * admin:repo_hook > read:repo_hook # * write:discussion > read:discussion # # Create and copy the token. # # 2. Create a new repository secret at https://github.com///settings/secrets/actions # with the following settings: # - Name: SCORECARD_TOKEN # - Value: the value of the token created in step 1 above. repo_token: ${{ secrets.SCORECARD_TOKEN }} # The Scorecard team runs a weekly scan of public GitHub repositories in order to track # the overall security health of the open source ecosystem. # Setting `publish_results: true` replaces the results of the team's weelky scans, # helping us scale by cutting down on repeated workflows and GitHub API requests. # This option is needed to enable badges on the repo. publish_results: true # Upload the results as artifacts. # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts # This is optional. - name: "Upload artifact" # Note: scorecard will flag this line if not pinned by hash. uses: actions/upload-artifact@v2 with: name: SARIF file path: results.sarif retention-days: 5 # Upload the results to GitHub's code scanning dashboard. # This is required to visualize the results on GitHub website. - name: "Upload to code-scanning" # Note: scorecard will flag this line if not pinned by hash. uses: github/codeql-action/upload-sarif@v1 with: sarif_file: results.sarif