name: Scorecards supply-chain security on: # Only the default branch is supported. branch_protection_rule: schedule: - cron: $cron-weekly push: branches: [ $default-branch ] # Declare default permissions as read only. permissions: read-all jobs: analysis: name: Scorecards analysis runs-on: ubuntu-latest permissions: # Needed to upload the results to code-scanning dashboard. security-events: write steps: - name: "Checkout code" uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 with: persist-credentials: false - name: "Run analysis" uses: ossf/scorecard-action@59f9117686133e93b60a8f23131f87089a076e1b with: results_file: results.sarif results_format: sarif # For the token, # 1. Create a PAT token at https://github.com/settings/tokens/new # with the following read permissions: # - Note: OSSF Scorecard read-only token # - Expiration: No expiration # - Scopes: # * repo > public_repo # * admin:org > read:org # * admin:repo_hook > read:repo_hook # * write:discussion > read:discussion # # Create and copy the token. # # 2. Create a new repository secret at https://github.com///settings/secrets/actions/new # with the following settings: # - Name: SCORECARD_TOKEN # - Value: the value of the token created in step 1 above. repo_token: ${{ secrets.SCORECARD_TOKEN }} # The Scorecard team runs a weekly scan of public GitHub repositories in order to track # the overall security health of the open source ecosystem. The results are publicly # available as described at https://github.com/ossf/scorecard#public-data. # Setting `publish_results: true` replaces the results of the team's weelky scans, # helping us scale by cutting down on repeated workflows and GitHub API requests. # This option is needed to enable badges on the repo. If you're installing the action # on a private repo, set it to `publish_results: false` or do not set the value at all. publish_results: true # Upload the results as artifacts. # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts # This is optional. - name: "Upload artifact" uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: SARIF file path: results.sarif retention-days: 5 # Upload the results to GitHub's code scanning dashboard. # This is required to visualize the results on GitHub website. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 with: sarif_file: results.sarif