Skip to content

CID - OSSF Scorecard #38

CID - OSSF Scorecard

CID - OSSF Scorecard #38

Workflow file for this run

# cid-workflow-version: 0.0.24
# This file is generated by the CID Workflow GitHub App.
# DO NOT EDIT!
# name
name: CID - OSSF Scorecard
on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:
# To guarantee Maintained check is occasionally updated. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
schedule:
- cron: '40 23 * * 5'
# Allow manual triggering of the workflow
workflow_dispatch:
# Read Permissions. See
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
# https://docs.github.com/en/rest/overview/permissions-required-for-github-apps
permissions: read-all
# Cancel in progress jobs when a new run starts on the same ref
concurrency:
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
cancel-in-progress: true
jobs:
analysis:
name: OSSF Scorecard Analysis
runs-on: ubuntu-latest
permissions:
id-token: write # needed to publish results
actions: read # required in private repos
contents: read # required in private repos
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-telemetry: true
disable-sudo: true
egress-policy: block
allowed-endpoints: >-
api.github.com:443
cdn01.quay.io:443
cdn02.quay.io:443
cdn03.quay.io:443
codeload.github.com:443
downloads.gradle.org:443
github.com:443
jcenter.bintray.com:443
kotlinlang.org:443
objects.githubusercontent.com:443
plugins-artifacts.gradle.org:443
plugins.gradle.org:443
quay.io:443
raw.githubusercontent.com:443
repo.maven.apache.org:443
repo1.maven.org:443
services.gradle.org:443
uploads.github.com:443
api.securityscorecards.dev:443
api.scorecard.dev:443
api.deps.dev:443
api.osv.dev:443
www.bestpractices.dev:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
fulcio.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false
- name: OSSF Analysis
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
with:
results_file: results.sarif
results_format: sarif
publish_results: true # publish results to OpenSSF REST API
- name: Upload Analysis Result
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
with:
name: SARIF file
path: results.sarif
retention-days: 5