From 5d298ab86babce41e16c3612391d4f02492901b2 Mon Sep 17 00:00:00 2001
From: Tracy Kuhrt
Date: Thu, 6 Jun 2024 09:50:57 -0700
Subject: [PATCH 1/3] chore: Create scorecard.yml

Add support for [OpenSSF Scorecard](https://scorecard.dev)

Signed-off-by: Tracy Kuhrt
---
.github/workflows/scorecard.yml | 53 +++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 .github/workflows/scorecard.yml

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 00000000..042ea4c2
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,53 @@
+name: OpenSSF Scorecard supply-chain security
+on:
+ schedule:
+ - cron: '00 08 * * 5'
+ push:
+ branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard (optional).
+ # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ with:
+ sarif_file: results.sarif

From d2d788e256661f18830caae8d49e7e81ded55b10 Mon Sep 17 00:00:00 2001
From: Tracy Kuhrt
Date: Thu, 6 Jun 2024 11:39:12 -0700
Subject: [PATCH 2/3] Update scorecard.yml

Only update on schedule, not on pull
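Review bot: The job-level `permissions:` block on the `analysis` job replaces the workflow-level `permissions: read-all` rather than extending it, so the job runs with only `security-events: write` and `id-token: write` and every other scope, `contents` included, set to none; the `actions/checkout` step then succeeds only because the repository is public, and the hunk does not record that assumption. The upstream scorecard-action template, as far as I recall, keeps commented-out `contents: read` and `actions: read` lines for private installs, and a comment in that spirit belongs next to the job permissions, e.g. `# Repository is public: checkout works without contents: read.` / `# Add contents: read (and actions: read) if this workflow is ever reused in a private repository.` Separately, `actions/upload-artifact` is pinned to a `v3.pre.node20` ref; upload-artifact v3 has, to my knowledge, been deprecated in favour of v4, so re-pinning to the SHA of a v4 release (keeping the same full-SHA pinning style) would avoid the step failing once v3 is retired.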
Signed-off-by: Tracy Kuhrt
---
.github/workflows/scorecard.yml | 2 --
1 file changed, 2 deletions(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 042ea4c2..fdecfd09 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -2,8 +2,6 @@ name: OpenSSF Scorecard supply-chain security on: schedule: - cron: '00 08 * * 5' - push: - branches: [ "main" ] # Declare default permissions as read only. permissions: read-all

From 21c5e4683df7cf818540913ce19bf5312ca9b215 Mon Sep 17 00:00:00 2001
From: Timo Glastra
Date: Thu, 6 Jun 2024 21:04:40 +0200
Subject: [PATCH 3/3] Update .github/workflows/scorecard.yml

Signed-off-by: Timo Glastra
---
.github/workflows/scorecard.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index fdecfd09..386fed5d 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,7 +1,7 @@ name: OpenSSF Scorecard supply-chain security on: schedule: - - cron: '00 08 * * 5' + - cron: "00 08 * * 5" # Declare default permissions as read only. permissions: read-all
@@ -49,3 +49,4 @@ jobs: uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 with: sarif_file: results.sarif
+