OpenSSF Scorecard #36
| name: OpenSSF Scorecard | |
| on: | |
| # Run weekly on Monday at 00:00 UTC | |
| schedule: | |
| - cron: '0 0 * * 1' | |
| # Allow manual trigger | |
| workflow_dispatch: | |
| # Run on push to main for initial setup | |
| push: | |
| branches: | |
| - main | |
| # Set top-level permissions to read-only as required by OpenSSF scorecard-action | |
| permissions: read-all | |
| jobs: | |
| analysis: | |
| name: Scorecard analysis | |
| runs-on: ubuntu-latest | |
| # Grant write permissions at job level for uploading results | |
| permissions: | |
| security-events: write | |
| id-token: write | |
| contents: read | |
| actions: read | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | |
| with: | |
| persist-credentials: false | |
| - name: Run analysis | |
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 | |
| with: | |
| results_file: results.sarif | |
| results_format: sarif | |
| # Publish results to OpenSSF REST API for the badge | |
| publish_results: true | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: SARIF file | |
| path: results.sarif | |
| retention-days: 5 | |
| - name: Upload to code-scanning | |
| uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4 | |
| with: | |
| sarif_file: results.sarif |
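Review bot: The forge banner on this file reports hidden or bidirectional Unicode characters, which the rendered view cannot show; before merging, locate the offending bytes in the raw file (for example `grep -nP '[^\x00-\x7F]' .github/workflows/<SCORECARD_WORKFLOW_FILE>`) and remove them, since an invisible character inside a `uses:` SHA, the cron expression or a key name silently changes what the workflow resolves or parses. A smaller point on the `on:` block: the official scorecard-action template also lists `branch_protection_rule:` as a trigger so the Branch-Protection check refreshes when protection settings change; as written, that check only updates on the weekly schedule or a push to main. The permission split (`read-all` at the top level, `security-events` and `id-token` write only in the job) and `persist-credentials: false` on the checkout match what scorecard-action's documentation asks for.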