| 1 | name: Scorecards supply-chain security |
| 2 | on: |
| 3 | # Only the default branch is supported. |
| 4 | branch_protection_rule: |
| 5 | schedule: |
| 6 | - cron: '22 21 * * 2' |
| 7 | push: |
| 8 | # TODO: Add release branch when supported? |
| 9 | branches: [ "dev" ] |
| 10 | |
| 11 | # Declare default permissions as read only. |
| 12 | permissions: read-all |
| 13 | |
| 14 | jobs: |
| 15 | analysis: |
| 16 | name: Scorecards analysis |
| 17 | if: github.repository == 'facebook/zstd' |
| 18 | runs-on: ubuntu-latest |
| 19 | permissions: |
| 20 | # Needed to upload the results to code-scanning dashboard. |
| 21 | security-events: write |
| 22 | # Used to receive a badge. |
| 23 | id-token: write |
| 24 | # Needs for private repositories. |
| 25 | contents: read |
| 26 | actions: read |
| 27 | |
| 28 | steps: |
| 29 | - name: "Checkout code" |
| 30 | uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # tag=v3 |
| 31 | with: |
| 32 | persist-credentials: false |
| 33 | |
| 34 | - name: "Run analysis" |
| 35 | uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # tag=v2.1.2 |
| 36 | with: |
| 37 | results_file: results.sarif |
| 38 | results_format: sarif |
| 39 | # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if: |
| 40 | # - you want to enable the Branch-Protection check on a *public* repository, or |
| 41 | # - you are installing Scorecards on a *private* repository |
| 42 | # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. |
| 43 | # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} |
| 44 | |
| 45 | # Publish the results for public repositories to enable scorecard badges. For more details, see |
| 46 | # https://github.com/ossf/scorecard-action#publishing-results. |
| 47 | # For private repositories, `publish_results` will automatically be set to `false`, regardless |
| 48 | # of the value entered here. |
| 49 | publish_results: true |
| 50 | |
| 51 | # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF |
| 52 | # format to the repository Actions tab. |
| 53 | - name: "Upload artifact" |
| 54 | uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # tag=v3.1.2 |
| 55 | with: |
| 56 | name: SARIF file |
| 57 | path: results.sarif |
| 58 | retention-days: 5 |
| 59 | |
| 60 | # Upload the results to GitHub's code scanning dashboard. |
| 61 | - name: "Upload to code-scanning" |
| 62 | uses: github/codeql-action/upload-sarif@67a35a08586135a9573f4327e904ecbf517a882d # tag=v2.2.8 |
| 63 | with: |
| 64 | sarif_file: results.sarif |