From 0468dbc6ce21db4ed7a7996974682d3343892970 Mon Sep 17 00:00:00 2001 From: Jennifer Power Date: Tue, 1 Oct 2024 17:41:44 -0400 Subject: [PATCH] chore: add openssf scorecard workflow Signed-off-by: Jennifer Power --- .github/workflows/scorecard.yml | 49 +++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..76d75a8 --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,49 @@ +name: Scorecard analysis workflow +on: + push: + # Only the default branch is supported. + branches: + - main + schedule: + # Weekly on Saturdays. + - cron: '30 1 * * 6' + +permissions: read-all + +jobs: + analysis: + if: github.repository == 'RedHatProductSecurity/trestle-bot' + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed for Code scanning upload + security-events: write + # Needed for GitHub OIDC token if publish_results is true + id-token: write + + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 + with: + persist-credentials: false + + - name: Run analysis + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: Upload artifact + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # pin@v4 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: Upload to code-scanning + uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 + with: + sarif_file: results.sarif \ No newline at end of file