• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Licensed to the Apache Software Foundation (ASF) under one or more
2# contributor license agreements. See the NOTICE file distributed with
3# this work for additional information regarding copyright ownership.
4# The ASF licenses this file to You under the Apache license, Version 2.0
5# (the "License"); you may not use this file except in compliance with
6# the License. You may obtain a copy of the License at
7#
8#      http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the license for the specific language governing permissions and
14# limitations under the license.
15
16name: "Scorecards supply-chain security"
17
18on:
19  branch_protection_rule:
20  schedule:
21    - cron: "30 1 * * 6"    # Weekly on Saturdays
22  push:
23    branches: [ "master" ]
24
25permissions: read-all
26
27jobs:
28
29  analysis:
30
31    name: "Scorecards analysis"
32    runs-on: ubuntu-latest
33    permissions:
34      # Needed to upload the results to the code-scanning dashboard.
35      security-events: write
36      actions: read
37      id-token: write # This is required for requesting the JWT
38      contents: read  # This is required for actions/checkout
39
40    steps:
41
42      - name: "Checkout code"
43        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
44        with:
45          persist-credentials: false
46
47      - name: "Run analysis"
48        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398    # 2.3.0
49        with:
50          results_file: results.sarif
51          results_format: sarif
52          # A read-only PAT token, which is sufficient for the action to function.
53          # The relevant discussion: https://github.com/ossf/scorecard-action/issues/188
54          repo_token: ${{ secrets.GITHUB_TOKEN }}
55          # Publish the results for public repositories to enable scorecard badges.
56          # For more details: https://github.com/ossf/scorecard-action#publishing-results
57          publish_results: true
58
59      - name: "Upload artifact"
60        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32    # 3.1.3
61        with:
62          name: SARIF file
63          path: results.sarif
64          retention-days: 5
65
66      - name: "Upload to code-scanning"
67        uses: github/codeql-action/upload-sarif@0116bc2df50751f9724a2e35ef1f24d22f90e4e1    # 2.22.3
68        with:
69          sarif_file: results.sarif
70