---
name: Scorecards supply-chain security

# Triggers. Scorecards only evaluates the repository's default branch,
# so the push filter is restricted to `dev`.
on:
  branch_protection_rule:
  schedule:
    # Weekly run (minute 22, hour 21 UTC, Tuesday) so the score is
    # refreshed even when nothing is pushed.
    - cron: '22 21 * * 2'
  push:
    # TODO: Add release branch when supported?
    branches:
      - dev

# Workflow-wide default: every GITHUB_TOKEN scope is read-only.
# The job below widens only the scopes it actually needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    # Keep the job to the upstream repository; forks and mirrors skip it.
    if: github.repository == 'facebook/zstd'
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the SARIF results to the code-scanning dashboard.
      security-events: write
      # Needed to receive a badge (OIDC token for publishing results).
      id-token: write
      # Needed for private repositories; read-only either way.
      contents: read
      actions: read

    steps:
      # All third-party actions are pinned to a full commit SHA; the
      # trailing comment records the tag the SHA was taken from.
      - name: Checkout code
        # NOTE(review): the annotation below says v3, but this SHA looks like
        # a later checkout release - confirm the tag against upstream before
        # the next bump so the comment does not mislead the next reviewer.
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v3
        with:
          # Do not leave the GITHUB_TOKEN in .git/config for later steps.
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # tag=v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecards on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}

          # Publish the results for public repositories to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories, `publish_results` will automatically be set to `false`, regardless
          # of the value entered here.
          publish_results: true

      # Optional: keep the SARIF output as a run artifact for a few days.
      # Removing this step only disables the artifact, not the code-scanning
      # upload below.
      - name: Upload artifact
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # tag=v4.3.1
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Feed the results into GitHub's code-scanning dashboard.
      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # tag=v3.28.9
        with:
          sarif_file: results.sarif
