git subrepo pull (merge) --force deps/libchdr
name: Scorecards supply-chain security

# Triggers. `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it,
# so suppress yamllint `truthy` here rather than quoting it.
on:
  # Scorecards only evaluates the default branch.
  branch_protection_rule:
  schedule:
    # Weekly run (Tuesday 21:22 UTC).
    - cron: '22 21 * * 2'
  push:
    # TODO: Add release branch when supported?
    branches:
      - 'dev'

# Workflow-wide default: every job starts read-only and must opt in to
# anything more below.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    # Do not run in forks; the upload/publish steps only make sense upstream.
    if: github.repository == 'facebook/zstd'
    runs-on: ubuntu-latest
    permissions:
      # Checkout and reading workflow runs; required for private repositories.
      contents: read
      actions: read
      # Needed to upload the SARIF results to the code-scanning dashboard.
      security-events: write
      # OIDC token used to publish results and receive a badge.
      id-token: write

    steps:
      - name: 'Checkout code'
        # Actions are pinned to a full commit SHA; the tag in the comment is
        # informational only — the SHA is what is actually enforced.
        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # tag=v3
        with:
          # Keep the job token out of .git/config so later steps cannot reuse it.
          persist-credentials: false

      - name: 'Run analysis'
        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # tag=v2.1.2
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecards on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}

          # Publish results for public repositories so scorecard badges work. See
          # https://github.com/ossf/scorecard-action#publishing-results.
          # On private repositories the action forces `publish_results` to `false`
          # regardless of the value given here.
          publish_results: true

      # Optional: keep the SARIF output as a run artifact (visible in the Actions
      # tab). Remove this step to disable that upload.
      - name: 'Upload artifact'
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # tag=v3.1.2
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Push the SARIF output into GitHub's code-scanning dashboard.
      - name: 'Upload to code-scanning'
        uses: github/codeql-action/upload-sarif@67a35a08586135a9573f4327e904ecbf517a882d # tag=v2.2.8
        with:
          sarif_file: results.sarif