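---
# Runs the OpenSSF Scorecard checks against this repository and uploads the
# SARIF results to the code-scanning dashboard (badge publishing for public
# repositories is controlled by `publish_results` below).
name: Scorecards supply-chain security
on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    - cron: '22 21 * * 2'
  push:
    # TODO: Add release branch when supported?
    branches: ["dev"]

# Declare default permissions as read only; the job below opts into the
# specific write scopes it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    # Only run in the upstream repository, so forks and mirrors do not publish
    # results or attempt badge issuance.
    if: github.repository == 'facebook/zstd'
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to the code-scanning dashboard.
      security-events: write
      # Used to receive a badge.
      id-token: write
      # Needed for private repositories.
      contents: read
      actions: read

    steps:
      - name: "Checkout code"
        # Pinned by full commit SHA; the `tag=` suffix is only a human-readable
        # label. NOTE(review): the label may be stale for this SHA - confirm it
        # against the upstream release and keep it in sync when bumping.
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v3
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # tag=v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecards on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}

          # Publish the results for public repositories to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories, `publish_results` will automatically be set to `false`, regardless
          # of the value entered here.
          publish_results: true

      # Upload the results as an artifact (optional). Commenting this step out disables uploads
      # of the SARIF run results to the repository Actions tab.
      - name: "Upload artifact"
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # tag=v4.3.1
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # tag=v3.24.7
        with:
          sarif_file: results.sarif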
     65