---
# OpenSSF Scorecard workflow: runs the scorecard analysis against this
# repository and publishes the SARIF output to GitHub code scanning.
name: Scorecards supply-chain security

on:
  # Scorecard only evaluates the default branch, so the triggers below are
  # limited to events that affect it. The bare key is intentional: it
  # subscribes to the event with no filters.
  branch_protection_rule:
  # Weekly run (Tuesday 21:22 UTC); quoted so the value stays a string.
  schedule:
    - cron: '22 21 * * 2'
  push:
    # TODO: Add release branch when supported?
    branches:
      - dev

# Workflow-wide token scope is read-only; individual jobs widen it as needed.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    # Guard so forks do not run (and fail to publish) the analysis.
    if: github.repository == 'facebook/zstd'
    runs-on: ubuntu-latest
    permissions:
      # Required to upload SARIF results to the code-scanning dashboard.
      security-events: write
      # Required for publishing results / the scorecard badge.
      id-token: write
      # Needed for private repositories.
      contents: read
      actions: read

    steps:
      - name: Checkout code
        # NOTE(review): the pinned commit appears to belong to a v4.x
        # release of actions/checkout, not v3 — confirm and fix the tag
        # annotation, since pin-update tooling keys off that comment.
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v3
        with:
          # Do not leave the GITHUB_TOKEN in .git/config for later steps.
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # tag=v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) Read-only PAT. Uncomment `repo_token` if:
          #   - you want the Branch-Protection check on a *public* repository, or
          #   - you are installing Scorecards on a *private* repository.
          # PAT creation steps: https://github.com/ossf/scorecard-action#authentication-with-pat.
          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}

          # Publishing results enables scorecard badges for public repositories; see
          # https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories the action forces `publish_results` to `false`
          # regardless of the value set here.
          publish_results: true

      # Optional: keep the SARIF output as a run artifact in the Actions tab.
      # Remove this step to disable artifact uploads.
      - name: Upload artifact
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # tag=v4.3.1
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Push the same SARIF file into GitHub's code-scanning dashboard.
      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # tag=v3.24.7
        with:
          sarif_file: results.sarif