| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152 |
- name: OSSF Scorecard
- on:
- push:
- branches:
- - main
- schedule:
- - cron: "56 23 * * 6" # once a week
- workflow_dispatch:
- permissions: read-all
- jobs:
- analysis:
- runs-on: ubuntu-latest
- permissions:
- # Needed for Code scanning upload
- security-events: write
- # Needed for GitHub OIDC token if publish_results is true
- id-token: write
- steps:
- - name: Harden the runner (Audit all outbound calls)
- uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
- with:
- egress-policy: audit
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- persist-credentials: false
- - uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
- with:
- results_file: results.sarif
- results_format: sarif
- publish_results: true
- # Upload the results as artifacts (optional). Commenting out will disable
- # uploads of run results in SARIF format to the repository Actions tab.
- # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
- - name: "Upload artifact"
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- with:
- name: SARIF file
- path: results.sarif
- retention-days: 5
- # Upload the results to GitHub's code scanning dashboard (optional).
- # Commenting out will disable upload of results to your repo's Code Scanning dashboard
- - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
- with:
- sarif_file: results.sarif
|
