Skip to content

Scorecards supply-chain security #1535

Scorecards supply-chain security

Scorecards supply-chain security #1535

name: Scorecards supply-chain security
on:
# Only the default branch is supported.
branch_protection_rule:
schedule:
# Weekly on Saturdays.
- cron: '30 1 * * 6'
push:
branches:
- main
- 'release-**'
# Declare default permissions as none.
permissions: {}
jobs:
analysis:
name: Scorecard analysis
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Needed to publish results and get a badge (see publish_results below).
id-token: write
uses: sigstore/community/.github/workflows/reusable-scorecard.yml@main
# (Optional) Disable publish results:
# with:
# publish_results: false
# (Optional) Enable Branch-Protection check:
secrets:
scorecard_token: ${{ secrets.SCORECARD_TOKEN }}