
Commit 3274541

[HOTFIX] Update Scorecard action
Changes in file .github/workflows/scorecard.yml: - add hardening step - minor refactoring
1 parent be3c9d5 commit 3274541

1 file changed

+18
-10
lines changed


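--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,12 +1,14 @@
+# .github/workflows/scorecard.yml
+# Referance: https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml
 ---
-name: Scorecards supply-chain security
+name: Scorecard analysis workflow
 on: # yamllint disable-line rule:truthy
-# Only the default branch is supported.
-branch_protection_rule:
-schedule:
-- cron: '34 9 * * 5'
 push:
+# Only the default branch is supported.
 branches: ["master"]
+schedule:
+# Weekly on Fridays.
+- cron: '34 9 * * 5'
 
 # Declare default permissions as read only.
 permissions: {}
@@ -16,16 +18,20 @@ jobs:
 name: Scorecards analysis
 runs-on: ubuntu-latest
 permissions:
-# Needed to upload the results to code-scanning dashboard.
+# Needed to read contents.
 contents: read
+# Needed to upload the results to code-scanning dashboard.
 security-events: write
+# Needed for GitHub OIDC token if publish_results is true
+id-token: write
 
 steps:
-- name: Checkout repository
+- name: "Checkout repository"
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
-
+- name: Harden-Runner
+uses: step-security/[email protected]
 - name: "Run analysis"
 uses: ossf/scorecard-action@83a1bb1ff6a010f9ab75ad12160fe70252c99b71 # v2.4.1
 with:
@@ -40,7 +46,9 @@ jobs:
 # or comment out the following line.
 publish_results: true
 
-# Upload the results as artifacts (optional).
+# Upload the results as artifacts (optional). Commenting out will disable
+# uploads of run results in SARIF format to the repository Actions tab.
+# https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
 - name: "Upload artifact"
 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
@@ -50,6 +58,6 @@ jobs:
 
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
-uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe # v3.27
+uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
 with:
 sarif_file: results.sarif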
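Review bot: The new Harden-Runner step (new line 34) is the only action in this workflow not pinned to a full commit SHA — `step-security/[email protected]` is a mutable tag, which Scorecard's own Pinned-Dependencies check will flag and which lets the step resolve to different code whenever the tag is moved; pin it like the neighbouring steps, `uses: step-security/harden-runner@<commit sha that v2.10.1 resolves to> # v2.10.1`. It is also inserted after the checkout step, whereas harden-runner is meant to be the first step so that the checkout's own network egress is covered, and with no `with:` block it presumably runs in its default audit mode — stating `with:` / `egress-policy: audit` explicitly would document that choice and make a later switch to `block` a one-line change. The header comment on new line 2 also misspells "Reference".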
