
chore: add OpenSSF readiness baseline #502

Closed
seonghobae wants to merge 3 commits into develop from codex/ossf-bestpractices-baseline

Conversation

@seonghobae (Collaborator)

Summary

  • add missing OpenSSF Scorecard workflow/security/dependency metadata where needed
  • enable repository-level OSSF Best Practices prerequisites without changing product code
  • keep existing source code and CI implementation unchanged

Notes

This PR is part of the ContextualWisdomLab non-fork repository OpenSSF readiness sweep. Public repositories will be registered on bestpractices.dev after the baseline metadata is available on the default branch.

@seonghobae seonghobae enabled auto-merge June 29, 2026 14:33
Copilot AI review requested due to automatic review settings July 2, 2026 06:14
@seonghobae (Collaborator, Author)

Closing this as superseded rather than merging a duplicate Scorecard workflow. The current branch now fails the repo supply-chain gate because .github/workflows/scorecard-analysis.yml checkout lacks the required step-level GIT_CONFIG_* init.defaultBranch guard, and the repository already has the hardened .github/workflows/ossf-scorecard.yml path. The OpenSSF Best Practices gap remains tracked in PR #524 and requires updating project 13428 on bestpractices.dev, not this duplicate workflow.

@seonghobae seonghobae closed this Jul 2, 2026
auto-merge was automatically disabled July 2, 2026 06:21

Pull request was closed

Copilot AI left a comment

Pull request overview

Adds an OpenSSF Scorecard GitHub Actions workflow intended to support repository “readiness baseline” metadata without modifying product/runtime code.

Changes:

  • Introduces a new .github/workflows/scorecard-analysis.yml workflow to run ossf/scorecard-action on develop pushes and a weekly schedule.
  • Publishes Scorecard results and attempts to upload SARIF output to GitHub Code Scanning.


Comment on lines +23 to +26
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
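Review bot: lines +23 to +26 pin actions/checkout to a full commit SHA and set persist-credentials: false, but per the author's closing comment the repository's supply-chain gate also requires a step-level GIT_CONFIG_* init.defaultBranch guard on this checkout, and none is set here. An env block on this step (GIT_CONFIG_COUNT together with GIT_CONFIG_KEY_0: init.defaultBranch and a matching GIT_CONFIG_VALUE_0) is the process-scoped git config override git honours, and it would satisfy the gate without touching runner-wide git configuration.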
Comment on lines +31 to +33
results_file: results.sarif
results_format: sarif
publish_results: true
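Review bot: publish_results: true on line +33 sends results to the public Scorecard API over OIDC and so depends on id-token: write being granted to this job; that scope is present in the permissions block, but the closing comment says the repository already carries the hardened .github/workflows/ossf-scorecard.yml path, so a second workflow publishing results is redundant. If this workflow is kept only to feed Code Scanning, publish_results: false lets the id-token: write scope be dropped.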
Comment on lines +35 to +38
- name: Upload to code scanning
uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
with:
sarif_file: results.sarif
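Review bot: the SARIF upload on lines +35 to +38 needs security-events: write (granted in the permissions block) and, as the overview says, only attempts the upload: it fails outright when code scanning is not enabled for the repository, and if the existing ossf-scorecard.yml already uploads Scorecard SARIF, a second upload of results.sarif from this workflow lands in the same scanning category and the two runs overwrite each other's results. Either drop this step or give it a distinct category input so the uploads are kept apart.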
Comment on lines +15 to +21
permissions:
security-events: write
id-token: write
contents: read
issues: read
pull-requests: read
checks: read
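Review bot: lines +15 to +21 grant exactly the two write scopes the job needs (security-events for upload-sarif, id-token for publish_results) plus the read scopes the Scorecard checks use, which is the right least-privilege shape; confirm this block is declared on the analysis job rather than at workflow level so no other job inherits id-token: write, and keep persist-credentials: false on checkout so the contents: read token is not left in the working tree for the later steps.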
opencode-agent Bot commented Jul 2, 2026

OpenCode Review Overview

  • Head SHA: 43cf636260ac87b175681039fa185c090edb3497
  • Workflow run: 28569594157
  • Workflow attempt: 1
  • Gate result: APPROVE (exit 0)

Changed-File Evidence Map

```mermaid
flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Workflow: scorecard-analysis.yml"]
  S1 --> I1["GitHub Actions review job"]
  I1 --> R1["Review risk: Workflow: scorecard-analysis.yml"]
  R1 --> V1["actionlint plus required checks"]
```
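The workflow that the Copilot review overview describes, assembled as an added example (not the PR's own scorecard-analysis.yml and not a file from the repository): it keeps the pinned checkout and upload-sarif steps and the permission set shown in the review regions, scopes the two write permissions to the analysis job, and adds the step-level GIT_CONFIG_* init.defaultBranch env that the closing comment says the repository's supply-chain gate requires. The cron cadence, the workflow_dispatch trigger, the default-branch value passed to git, and the ossf/scorecard-action commit SHA (a zeroed placeholder) are assumptions.

```yaml
name: OpenSSF Scorecard

on:
  push:
    branches: [develop]
  schedule:
    - cron: "30 1 * * 1"   # weekly run; the cadence is an assumption
  workflow_dispatch:        # manual trigger; assumption

# Deny everything at the workflow level; grant only what the job needs.
permissions: read-all

jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # needed by upload-sarif to write to Code Scanning
      id-token: write          # needed by publish_results: true (OIDC to the Scorecard API)
      contents: read
      issues: read
      pull-requests: read
      checks: read
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false   # do not leave the token in .git for later steps
        env:
          # Step-scoped git config override (GIT_CONFIG_COUNT/KEY_n/VALUE_n) so this
          # checkout does not depend on the runner's init.defaultBranch setting.
          # The branch value is an assumption; use the repository's default branch.
          GIT_CONFIG_COUNT: "1"
          GIT_CONFIG_KEY_0: init.defaultBranch
          GIT_CONFIG_VALUE_0: develop

      - name: Run analysis
        # PLACEHOLDER SHA: pin to the commit of the scorecard-action release you adopt.
        uses: ossf/scorecard-action@0000000000000000000000000000000000000000 # vX.Y.Z
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true

      - name: Upload to code scanning
        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
        with:
          sarif_file: results.sarif
```

Running two workflows that both upload Scorecard SARIF leaves the later upload overwriting the earlier one in the same scanning category, which is one reason a duplicate workflow like the one in this PR is better closed than merged alongside the existing hardened one.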
