Skip to content

Add Scorecards and SLSA workflows #164

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jacksonpradolima merged 5 commits into from
Jan 1, 2026
Merged

Add Scorecards and SLSA workflows #164

jacksonpradolima merged 5 commits into from
Jan 1, 2026

Conversation

@jacksonpradolima
Copy link
Owner

@jacksonpradolima jacksonpradolima commented Jan 1, 2026

Summary

  • add OpenSSF Scorecards workflow with pinned action SHAs and code scanning upload (default branch set to master)
  • introduce SLSA provenance workflow to build Python artifacts for tagged releases and publish attestations
  • add dependency review workflow using sigstore community reusable workflow with Apache 2.0 header

Testing

  • Not run (workflows only)

Codex Task

Copilot AI review requested due to automatic review settings January 1, 2026 20:27
Copilot AI reviewed Jan 1, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds three GitHub Actions workflows to enhance the repository's supply chain security posture: OpenSSF Scorecards for security analysis, SLSA provenance generation for build attestations, and dependency review for pull requests.

  • Introduces automated security scanning via OpenSSF Scorecards with weekly scheduled runs and code scanning dashboard integration
  • Adds SLSA Level 3 provenance generation for Python package releases to provide build attestation
  • Implements dependency review workflow to scan pull requests for vulnerable or non-compliant dependencies

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

File Description
.github/workflows/scorecards-analysis.yml Adds OpenSSF Scorecards workflow with SHA-pinned actions for security analysis and SARIF upload
.github/workflows/slsa-provenance.yml Introduces SLSA provenance workflow to generate build attestations for tagged releases
.github/workflows/dependency-review.yml Adds dependency scanning workflow for pull requests using Sigstore community reusable workflow

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@jacksonpradolima
Add badges for security workflows
c622c30
@jacksonpradolima
Remove copyright and license comments from workflow
304d87d 
Removed copyright notice and license information from the dependency review workflow file.

Signed-off-by: Jackson Antonio do Prado Lima <[email protected]>
@jacksonpradolima
Update badge for OpenSSF Scorecard in README
3630679 
Signed-off-by: Jackson Antonio do Prado Lima <[email protected]>
@jacksonpradolima
Fix OpenSSF Scorecard badge link in README
c9b54cb 
Signed-off-by: Jackson Antonio do Prado Lima <[email protected]>
@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 1, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@jacksonpradolima jacksonpradolima merged commit e7389ab into master Jan 1, 2026
13 checks passed
@jacksonpradolima jacksonpradolima deleted the codex/explain-slsa-and-scorecards-analysis.yml branch January 1, 2026 20:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jacksonpradolima