Run OSSF Scorecard on pushes to the action repos

jasonkarns · jasonkarns · commit c9969a03acb7 · 2025-06-20T17:22:44.000-04:00
diff --git a/.github/workflows/sync-default-branch.yml b/.github/workflows/sync-default-branch.yml
@@ -3,8 +3,30 @@ on:
   push: { branches: main }
   workflow_dispatch:
 
-permissions: { contents: write }
+permissions: read-all
 
 jobs:
   sync:
     uses: nodenv/actions/.github/workflows/sync-refs.yml@main
+    permissions: { contents: write }
+
+  ossf-scorecard:
+    if: github.ref_name == github.event.repository.default_branch
+    permissions: { id-token: write, security-events: write }
+    runs-on: ubuntu-latest
+    steps:
+      - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with: { egress-policy: audit }
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        with:
+          results_file: ossf-scorecard-results.sarif
+          results_format: sarif
+          publish_results: true
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: ossf-scorecard-results.sarif
+          path: ossf-scorecard-results.sarif
+      - uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
+        with:
+          sarif_file: ossf-scorecard-results.sarif
