fmt-11.0.2/.github/workflows/scorecard.yml

   1 # This workflow uses actions that are not certified by GitHub. They are provided
   2 # by a third-party and are governed by separate terms of service, privacy
   3 # policy, and support documentation.
   4
   5 name: Scorecard supply-chain security
   6 on:
   7   # For Branch-Protection check. Only the default branch is supported. See
   8   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
   9   branch_protection_rule:
  10   # To guarantee Maintained check is occasionally updated. See
  11   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  12   schedule:
  13     - cron: '26 14 * * 5'
  14   push:
  15     branches: [ "master" ]
  16
  17 # Declare default permissions as read only.
  18 permissions: read-all
  19
  20 jobs:
  21   analysis:
  22     name: Scorecard analysis
  23     runs-on: ubuntu-latest
  24     permissions:
  25       # Needed to upload the results to code-scanning dashboard.
  26       security-events: write
  27       # Needed to publish results and get a badge (see publish_results below).
  28       id-token: write
  29
  30     steps:
  31       - name: "Checkout code"
  32         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
  33         with:
  34           persist-credentials: false
  35
  36       - name: "Run analysis"
  37         uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
  38         with:
  39           results_file: results.sarif
  40           results_format: sarif
  41           # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
  42           # - you want to enable the Branch-Protection check on a *public* repository, or
  43           # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
  44           # repo_token: ${{ secrets.SCORECARD_TOKEN }}
  45
  46           # Public repositories:
  47           #   - Publish results to OpenSSF REST API for easy access by consumers
  48           #   - Allows the repository to include the Scorecard badge.
  49           #   - See https://github.com/ossf/scorecard-action#publishing-results.
  50           publish_results: true
  51
  52       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
  53       # format to the repository Actions tab.
  54       - name: "Upload artifact"
  55         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
  56         with:
  57           name: SARIF file
  58           path: results.sarif
  59           retention-days: 5
  60
  61       # Upload the results to GitHub's code scanning dashboard.
  62       - name: "Upload to code-scanning"
  63         uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
  64         with:
  65           sarif_file: results.sarif