diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 1102643d3..59a90f0d1 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -1,41 +1,26 @@ -# This workflow uses actions that are not certified by GitHub. They are provided -# by a third-party and are governed by separate terms of service, privacy -# policy, and support documentation. - -name: Scorecard supply-chain security +name: Scorecard analysis workflow on: - # For Branch-Protection check. Only the default branch is supported. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection - branch_protection_rule: - # To guarantee Maintained check is occasionally updated. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained - schedule: - - cron: '20 8 * * 4' push: - branches: [ "develop" ] + # Only the default branch is supported. + branches: + - develop + schedule: + # Weekly on Saturdays. + - cron: '30 1 * * 6' -# Declare default permissions as read only. permissions: read-all jobs: analysis: name: Scorecard analysis - runs-on: blacksmith-4vcpu-ubuntu-2204 + runs-on: ubuntu-latest permissions: - # Needed to upload the results to code-scanning dashboard. + # Needed for Code scanning upload security-events: write - # Needed to publish results and get a badge (see publish_results below). + # Needed for GitHub OIDC token if publish_results is true id-token: write - # Uncomment the permissions below if installing in a private repository. - # contents: read - # actions: read steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - name: "Checkout code" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: @@ -48,10 +33,25 @@ jobs: results_file: results.sarif # OUTPUT: format of the results [json, sarif] results_format: sarif - # INPUT: Publish results - publish_results: true + # Scorecard team runs a weekly scan of public GitHub repos, + # see https://github.com/ossf/scorecard#public-data. + # Setting `publish_results: true` helps us scale by leveraging your workflow to + # extract the results instead of relying on our own infrastructure to run scans. + # And it's free for you! + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable + # uploads of run results in SARIF format to the repository Actions tab. + # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts + - name: "Upload artifact" + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + with: + name: SARIF file + path: results.sarif + retention-days: 5 - # Upload the results to GitHub's code scanning dashboard. + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 with: