Add Scorecards and SLSA workflows #164

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

jacksonpradolima merged 5 commits into master from codex/explain-slsa-and-scorecards-analysis.yml

Jan 1, 2026

.github/workflows/dependency-review.yml

-Original file line number
+Diff line change
@@ -0,0 +1,10 @@
+    name: 'Dependency Review'
+    on: [pull_request]
+    permissions:
+      contents: read
+    jobs:
+      dependency-review:
+        name: License and Vulnerability Scan
+        uses: sigstore/community/.github/workflows/reusable-dependency-review.yml@9b1b5aca605f92ec5b1bf3681b1e61b3dbc420cc

.github/workflows/scorecards-analysis.yml

-Original file line number
+Diff line change
@@ -0,0 +1,57 @@
+    name: Scorecards supply-chain security
+    on:
+      # Only the default branch is supported.
+      workflow_dispatch: # Manual
+      branch_protection_rule:
+      schedule:
+        - cron: '30 4 * * 0'
+      push:
+        branches: [ master ]
+    # Clear default permissions.
+    permissions: {}
+    jobs:
+      analysis:
+        name: Scorecards analysis
+        runs-on: ubuntu-latest
+        permissions:
+          # Needed to upload the results to code-scanning dashboard.
+          security-events: write
+          actions: read
+          contents: read
+          # Needed to access GitHub's OIDC token which ensures the uploaded results integrity.
+          id-token: write
+        steps:
+          - name: "Checkout code"
+            uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+            with:
+              persist-credentials: false
+          - name: "Run analysis"
+            uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+            with:
+              results_file: results.sarif
+              results_format: sarif
+              # Read-only PAT token. To create it,
+              # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
+              repo_token: ${{ secrets.SCORECARD_TOKEN }}
+              # Publish the results to enable scorecard badges. For more details, see
+              # https://github.com/ossf/scorecard-action#publishing-results.
+              # For private repositories, `publish_results` will automatically be set to `false`,
+              # regardless of the value entered here.
+              publish_results: true
+          # Upload the results as artifacts (optional).
+          - name: "Upload artifact"
+            uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+            with:
+              name: SARIF file
+              path: results.sarif
+              retention-days: 5
+          # Upload the results to GitHub's code scanning dashboard.
+          - name: "Upload to code-scanning"
+            uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+            with:
+              sarif_file: results.sarif

.github/workflows/slsa-provenance.yml

-Original file line number
+Diff line change
@@ -0,0 +1,28 @@
+    name: SLSA provenance for releases
+    on:
+      workflow_dispatch:
+      push:
+        tags:
+          - 'v*'
+    permissions: {}
+    jobs:
+      provenance:
+        name: Generate SLSA provenance
+        uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+        permissions:
+          actions: read
+          contents: write
+          id-token: write
+        with:
+          build-command: |
+            python -m pip install --upgrade pip
+            pip install build
+            python -m build
+            mkdir -p artifacts
+            shopt -s nullglob
+            cp dist/*.whl dist/*.tar.gz artifacts/
+          provenance-name: gsppy-provenance.intoto.jsonl
+          upload-assets: true

README.md

-Original file line number
+Diff line change
@@ Expand Up / @@ -2,6 +2,9 @@ @@
     [![PyPI version](https://badge.fury.io/py/gsppy.svg)](https://pypi.org/project/gsppy)
     ![](https://img.shields.io/badge/python-3.10+-blue.svg)
     [![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.3333987.svg)](https://doi.org/10.5281/zenodo.3333987)
+    [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/jacksonpradolima/gsp-py/badge)](https://securityscorecards.dev/viewer/?uri=github.com/jacksonpradolima/gsp-py)
+    [![SLSA provenance](https://github.com/jacksonpradolima/gsp-py/actions/workflows/slsa-provenance.yml/badge.svg?branch=master)](https://github.com/jacksonpradolima/gsp-py/actions/workflows/slsa-provenance.yml)
+    [![Dependency Review](https://github.com/jacksonpradolima/gsp-py/actions/workflows/dependency-review.yml/badge.svg?branch=master)](https://github.com/jacksonpradolima/gsp-py/actions/workflows/dependency-review.yml)
     [![PyPI Downloads](https://img.shields.io/pypi/dm/gsppy.svg?style=flat-square)](https://pypi.org/project/gsppy/)
     [![Docs](https://img.shields.io/badge/Docs-GSP--Py%20Site-3D9970?style=flat-square)](https://jacksonpradolima.github.io/gsp-py/)
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add Scorecards and SLSA workflows #164

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!