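---
# Runs the OpenSSF Scorecard checks for this repository on a weekly schedule,
# on pushes to master and on branch-protection changes, then uploads the SARIF
# report both as a build artifact and to the code-scanning dashboard.
name: Scorecards supply-chain security
on:  # yamllint disable-line rule:truthy
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    - cron: '23 17 * * 1'
  push:
    branches:
      - master

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      actions: read
      contents: read

    steps:
      - name: "Checkout code"
        # NOTE(review): every other action in this job is pinned to a full commit
        # SHA, but `v4` is a mutable tag that can be moved to different code. Pin
        # this step the same way once the SHA of the intended v4 release has been
        # looked up: `uses: actions/checkout@<FULL-COMMIT-SHA> # v4.x.y`.
        uses: actions/checkout@v4
        with:
          # Do not leave the job's token in the checked-out .git config.
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # tag=v1.1.1
        with:
          results_file: results.sarif
          results_format: sarif
          # Read-only PAT token. To create it,
          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
          # Publish the results to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories, `publish_results` will automatically be set to `false`,
          # regardless of the value entered here.
          publish_results: true

      # Upload the results as artifacts (optional).
      - name: "Upload artifact"
        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
        with:
          sarif_file: results.sarif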