Scorecard supply-chain security #1519
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This GitHub Actions workflow is designed to perform a Scorecard supply-chain security analysis on the repository. | |
| # It triggers on branch protection rule changes, scheduled cron jobs, and pushes to the main branch. | |
| # The workflow uses various third-party actions to harden the runner, checkout code, run the Scorecard analysis, | |
| # and upload the results as artifacts and to GitHub's code scanning dashboard. | |
| # | |
| # Workflow name: Scorecard supply-chain security | |
| # | |
| # Triggers: | |
| # - branch_protection_rule: Triggered by changes to branch protection rules. | |
| # - schedule: Runs every Tuesday at 07:20 UTC. | |
| # - push: Triggered by pushes to the main branch. | |
| # | |
| # Permissions: | |
| # - Default permissions are set to read-only. | |
| # - Specific permissions are granted for security events, id-token, contents, actions, issues, pull-requests, and checks. | |
| # | |
| # Jobs: | |
| # - analysis: Runs the Scorecard analysis on an Ubuntu runner. | |
| # - Steps: | |
| # - Harden Runner: Uses step-security/harden-runner to harden the runner with an egress policy set to audit. | |
| # - Checkout code: Uses actions/checkout to checkout the repository code. | |
| # - Run analysis: Uses ossf/scorecard-action to perform the Scorecard analysis and optionally publish results. | |
| # - Upload artifact: Uses actions/upload-artifact to upload the results as artifacts. | |
| # - Upload to code-scanning: Uses github/codeql-action/upload-sarif to upload the results to GitHub's code scanning dashboard. | |
| # This workflow uses actions that are not certified by GitHub. They are provided | |
| # by a third-party and are governed by separate terms of service, privacy | |
| # policy, and support documentation. | |
| name: Scorecard supply-chain security | |
| on: | |
| # For Branch-Protection check. Only the default branch is supported. See | |
| # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection | |
| branch_protection_rule: | |
| # To guarantee Maintained check is occasionally updated. See | |
| # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained | |
| schedule: | |
| - cron: "20 7 * * 2" | |
| push: | |
| branches: ["main"] | |
| # Declare default permissions as read only. | |
| permissions: read-all | |
| concurrency: | |
| group: scorecard-${{ github.ref }} | |
| cancel-in-progress: false | |
| jobs: | |
| analysis: | |
| name: Scorecard analysis | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # Needed to upload the results to code-scanning dashboard. | |
| security-events: write | |
| # Needed to publish results and get a badge (see publish_results below). | |
| id-token: write | |
| contents: read | |
| actions: read | |
| # To allow GraphQL ListCommits to work | |
| issues: read | |
| pull-requests: read | |
| # To detect SAST tools | |
| checks: read | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 | |
| with: | |
| egress-policy: audit | |
| - name: "Checkout code" | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: "Run analysis" | |
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 | |
| with: | |
| results_file: results.sarif | |
| results_format: sarif | |
| # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: | |
| # - you want to enable the Branch-Protection check on a *public* repository, or | |
| # - you are installing Scorecards on a *private* repository | |
| # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| # Public repositories: | |
| # - Publish results to OpenSSF REST API for easy access by consumers | |
| # - Allows the repository to include the Scorecard badge. | |
| # - See https://github.com/ossf/scorecard-action#publishing-results. | |
| # For private repositories: | |
| # - `publish_results` will always be set to `false`, regardless | |
| # of the value entered here. | |
| publish_results: true | |
| # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF | |
| # format to the repository Actions tab. | |
| - name: "Upload artifact" | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: SARIF file | |
| path: results.sarif | |
| retention-days: 5 | |
| # Upload the results to GitHub's code scanning dashboard. | |
| - name: "Upload to code-scanning" | |
| uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v2.27.0 | |
| with: | |
| sarif_file: results.sarif |