chore: add OpenSSF readiness baseline #502
Conversation
Closing this as superseded rather than merging a duplicate Scorecard workflow. The current branch now fails the repo supply-chain gate because `.github/workflows/scorecard-analysis.yml` checkout lacks the required step-level `GIT_CONFIG_*` `init.defaultBranch` guard, and the repository already has the hardened `.github/workflows/ossf-scorecard.yml` path. The OpenSSF Best Practices gap remains tracked in PR #524 and requires updating project 13428 on bestpractices.dev, not this duplicate workflow.
Pull request overview
Adds an OpenSSF Scorecard GitHub Actions workflow intended to support repository “readiness baseline” metadata without modifying product/runtime code.
Changes:
- Introduces a new `.github/workflows/scorecard-analysis.yml` workflow to run `ossf/scorecard-action` on `develop` pushes and a weekly schedule.
- Publishes Scorecard results and attempts to upload SARIF output to GitHub Code Scanning.
```yaml
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
```

```yaml
          results_file: results.sarif
          results_format: sarif
          publish_results: true
```

```yaml
      - name: Upload to code scanning
        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
        with:
          sarif_file: results.sarif
```

```yaml
    permissions:
      security-events: write
      id-token: write
      contents: read
      issues: read
      pull-requests: read
      checks: read
```
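As an added example, not code from the PR or the ContextualWisdomLab repository, the following stdlib-only Python check tests the three properties the quoted snippets make visible: every `uses:` reference pinned to a full 40-hex commit SHA, `actions/checkout` run with `persist-credentials: false`, and job permissions limited to the write scopes a Scorecard run plus SARIF upload needs (`security-events`, `id-token`). Both workflow texts are constructed for this illustration from the fragments quoted above; the weekly cron expression, the all-zero `ossf/scorecard-action` SHA placeholder, and the write-scope allowlist are assumptions.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
STEP_START_RE = re.compile(r"^\s*-\s+(?:name|uses):")
PERM_RE = re.compile(r"^\s*([a-z-]+):\s*(read|write|none|read-all|write-all)\s*$")

# Write scopes the Scorecard + SARIF-upload job legitimately needs (assumption).
ALLOWED_WRITE = {"security-events", "id-token"}


def split_steps(text):
    """Group workflow lines into steps, each starting at '- name:' or '- uses:'."""
    steps, current = [], None
    for line in text.splitlines():
        if STEP_START_RE.match(line):
            if current is not None:
                steps.append(current)
            current = [line]
        elif current is not None:
            current.append(line)
    if current is not None:
        steps.append(current)
    return steps


def audit_workflow(text):
    """Return a list of human-readable findings; an empty list means the file passes."""
    findings = []
    # Least privilege: no write-all, and no write scope outside the allowlist.
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PERM_RE.match(line)
        if m:
            scope, level = m.groups()
            if level == "write-all" or (level == "write" and scope not in ALLOWED_WRITE):
                findings.append(f"line {lineno}: '{scope}: {level}' exceeds least privilege")
    for step in split_steps(text):
        uses = next((m.group(1) for m in map(USES_RE.match, step) if m), None)
        if uses is None:
            continue
        action, _, ref = uses.partition("@")
        if not SHA_RE.match(ref):  # tags and branches are mutable; only a commit SHA is pinned
            findings.append(f"{action}: ref '{ref}' is not a 40-hex commit SHA")
        if action.startswith("actions/checkout") and not re.search(
            r"persist-credentials:\s*false", "\n".join(step)
        ):
            findings.append(f"{action}: checkout does not set persist-credentials: false")
    return findings


# Constructed weak variant: mutable tags, credentials persisted, write-all.
WEAK_WORKFLOW = """\
name: Scorecard analysis
on:
  push:
    branches: [develop]
permissions: write-all
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Run analysis
        uses: ossf/scorecard-action@v2
      - name: Upload to code scanning
        uses: github/codeql-action/upload-sarif@v3
"""

# Constructed hardened variant assembled from the fragments quoted in the review.
HARDENED_WORKFLOW = """\
name: Scorecard analysis
on:
  push:
    branches: [develop]
  schedule:
    - cron: '0 3 * * 1'
permissions: read-all
jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      id-token: write
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run analysis
        # All-zero SHA is a placeholder for this example; pin a real release commit.
        uses: ossf/scorecard-action@0000000000000000000000000000000000000000
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - name: Upload to code scanning
        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
        with:
          sarif_file: results.sarif
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or "OK")
```

The check is deliberately line-based rather than a YAML parse so it has no third-party dependency and runs in a pre-commit hook; it is a complement to actionlint, not a replacement, and it does not know about repository-specific requirements such as the `GIT_CONFIG_*` guard mentioned in the closing comment.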
OpenCode Review Overview
Changed-File Evidence Map

```mermaid
flowchart LR
    PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
    Evidence --> S1["Workflow: scorecard-analysis.yml"]
    S1 --> I1["GitHub Actions review job"]
    I1 --> R1["Review risk: Workflow: scorecard-analysis.yml"]
    R1 --> V1["actionlint plus required checks"]
```
Summary
Notes
This PR is part of the ContextualWisdomLab non-fork repository OpenSSF readiness sweep. Public repositories will be registered on bestpractices.dev after the baseline metadata is available on the default branch.