| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455 |
- name: Scorecards supply-chain security
- on:
- # Only the default branch is supported.
- branch_protection_rule:
- schedule:
- - cron: '31 8 * * 6'
- push:
- branches: [ master ]
- # Declare default permissions as read only.
- permissions: read-all
- jobs:
- analysis:
- name: Scorecards analysis
- runs-on: ubuntu-latest
- permissions:
- # Needed to upload the results to code-scanning dashboard.
- security-events: write
- actions: read
- contents: read
- steps:
- - name: "Checkout code"
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- with:
- persist-credentials: false
- - name: "Run analysis"
- uses: ossf/scorecard-action@e3e75cf2ffbf9364bbff86cdbdf52b23176fe492 # v1.0.1
- with:
- results_file: results.sarif
- results_format: sarif
- # Read-only PAT token. To create it,
- # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
- repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
- # Publish the results to enable scorecard badges. For more details, see
- # https://github.com/ossf/scorecard-action#publishing-results.
- # For private repositories, `publish_results` will automatically be set to `false`,
- # regardless of the value entered here.
- publish_results: true
- # Upload the results as artifacts (optional).
- - name: "Upload artifact"
- uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
- with:
- name: SARIF file
- path: results.sarif
- retention-days: 5
- # Upload the results to GitHub's code scanning dashboard.
- - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
- with:
- sarif_file: results.sarif
|
