---
# OpenSSF Scorecard workflow: runs the scorecard checks against the default
# branch and feeds the SARIF output to the repository's code-scanning dashboard.
name: ossf-scorecard

on:
  push:
    branches:
      - main
  schedule:
    - cron: '32 16 * * 3'
  workflow_dispatch:
  # Scorecard only evaluates the default branch, so no other branch events
  # are listed here.
  branch_protection_rule:

# Default token scopes for every job: read only. A job widens this explicitly
# and only for the scopes it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    # The leading `false &&` keeps this job disabled even on the upstream
    # repository; drop it to re-enable the weekly scan.
    if: false && github.repository == 'pytorch/pytorch'  # don't run on forks
    permissions:
      # Needed to receive a badge (scorecard-action publishes via an ID token).
      id-token: write
      # Needed by codeql-action/upload-sarif to write code-scanning results.
      security-events: write

    steps:
      - name: 'Checkout code'
        # NOTE(review): referenced by a mutable tag, unlike the two SHA-pinned
        # actions further down; consider pinning to a full commit SHA so a tag
        # move cannot change what this step runs.
        uses: actions/checkout@v3
        with:
          # Do not leave the GITHUB_TOKEN in the checkout's git config, so
          # later steps cannot reuse it implicitly.
          persist-credentials: false

      - name: 'Run analysis'
        uses: ossf/scorecard-action@865b4092859256271290c77adbd10a43f4779972  # tag=v2.0.3
        with:
          results_format: sarif
          results_file: results.sarif
          # Publishing is what enables the scorecard badge for public
          # repositories; see
          # https://github.com/ossf/scorecard-action#publishing-results
          publish_results: true

      # Optional: keep the SARIF file as a run artifact for a few days so it
      # can be inspected from the Actions tab. Remove this step to stop that.
      - name: 'Upload artifact'
        # NOTE(review): mutable tag, same remark as the checkout step.
        uses: actions/upload-artifact@v3
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Push the SARIF into the code-scanning dashboard (relies on the
      # security-events: write scope granted above).
      - name: 'Upload to code-scanning'
        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5  # tag=v1.0.26
        with:
          sarif_file: results.sarif