1515# limitations under the License.
1616#
1717
18+ # #
19+ # WARNING: due to a difference in the name of the main branch in
20+ # `logging-parent` and this repo, Scorecard fails if we use reusable workflows.
21+ # #
1822name : scorecards-analysis
1923
2024on :
@@ -29,10 +33,43 @@ permissions: read-all
2933jobs :
3034
3135 analysis :
32- uses : apache/logging-parent/.github/workflows/scorecards-analysis-reusable.yaml@rel/10.5.0
36+
37+ name : " Scorecards analysis"
38+ runs-on : ubuntu-latest
3339 permissions :
3440 # Needed to upload the results to the code-scanning dashboard.
3541 security-events : write
3642 actions : read
3743 id-token : write # This is required for requesting the JWT
3844 contents : read # This is required for actions/checkout
45+
46+ steps :
47+
48+ - name : " Checkout code"
49+ uses : actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # 4.1.1
50+ with :
51+ persist-credentials : false
52+
53+ - name : " Run analysis"
54+ uses : ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # 2.3.1
55+ with :
56+ results_file : results.sarif
57+ results_format : sarif
58+ # A read-only PAT token, which is sufficient for the action to function.
59+ # The relevant discussion: https://github.com/ossf/scorecard-action/issues/188
60+ repo_token : ${{ secrets.GITHUB_TOKEN }}
61+ # Publish the results for public repositories to enable scorecard badges.
62+ # For more details: https://github.com/ossf/scorecard-action#publishing-results
63+ publish_results : true
64+
65+ - name : " Upload artifact"
66+ uses : actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # 3.1.0
67+ with :
68+ name : SARIF file
69+ path : results.sarif
70+ retention-days : 5
71+
72+ - name : " Upload to code-scanning"
73+ uses : github/codeql-action/upload-sarif@b374143c1149a9115d881581d29b8390bbcbb59c # 2.1.22
74+ with :
75+ sarif_file : results.sarif
0 commit comments