Skip to content

ci: add OpenSSF Scorecard analysis and badge#89

Merged
Reefact merged 1 commit into
mainfrom
claude/ci-scorecard
Jul 10, 2026
Merged

ci: add OpenSSF Scorecard analysis and badge#89
Reefact merged 1 commit into
mainfrom
claude/ci-scorecard

Conversation

@Reefact

@Reefact Reefact commented Jul 10, 2026

Copy link
Copy Markdown
Owner

Summary

Add an OpenSSF Scorecard workflow that scores the repository's security posture (pinned actions, token permissions, branch protection, signed releases, dependency-update tooling, and more), uploads the findings to the code-scanning dashboard, and publishes the score to securityscorecards.dev to power a README badge.

Type of change

  • Build / CI / tooling

Changes

  • Add .github/workflows/scorecard.yml running ossf/scorecard-action (SHA-pinned):
    • triggers on branch_protection_rule, a weekly schedule, and push to main — it scores the repository, not a PR diff, so there is no pull_request trigger;
    • permissions: read-all at the top level; the single analysis job widens only security-events: write (SARIF upload to code-scanning) and id-token: write (publish to the public OpenSSF API);
    • timeout-minutes: 15 and a concurrency group that cancels superseded runs on the same ref;
    • credential-free checkout (persist-credentials: false);
    • publish_results: true so the score is published to securityscorecards.dev and the badge renders;
    • uploads the SARIF both as a build artifact and to the code-scanning dashboard.
  • Add the OpenSSF Scorecard badge to README.md and doc/README.fr.md.

Testing

  • dotnet build FirstClassErrors.sln
  • dotnet test FirstClassErrors.sln
  • Analyzer tests pass (FirstClassErrors.Analyzers.UnitTests)

Not applicable — this PR only adds a GitHub Actions workflow and two README badge lines; no source is touched. The workflow YAML was validated locally and every action is SHA-pinned. The workflow itself runs only on push to main / schedule / branch_protection_rule, so it is not exercised by this PR's checks; the badge shows "no data" until the first run on main publishes a score.

Documentation

  • README / doc/ updated
  • French translation (doc/README.fr.md) updated if user-facing behavior changed

Generated by Claude Code

Add a Scorecard workflow that scores the repository's security posture
(pinned actions, token permissions, branch protection, signed releases,
dependency-update tooling, ...) and uploads the findings to the code-scanning
dashboard. It runs on the default branch only (branch_protection_rule +
weekly schedule + push to main) — it assesses the repository, not a PR diff,
so there is no pull_request trigger. All actions are SHA-pinned and the job
carries a timeout, matching the rest of the workflows.

publish_results is true, so the score is published to securityscorecards.dev
(transparency) and surfaced as a badge in README.md and doc/README.fr.md (kept
in sync). The public-repo permission set is used (job: security-events: write
+ id-token: write; contents/actions reads only needed on a private repo).

The badge renders "no data" until the first push-to-main run publishes results,
then populates on its own.
@Reefact Reefact merged commit 9b31614 into main Jul 10, 2026
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants