ci: add OpenSSF Scorecard analysis and badge#89
Merged
Conversation
Add a Scorecard workflow that scores the repository's security posture (pinned actions, token permissions, branch protection, signed releases, dependency-update tooling, ...) and uploads the findings to the code-scanning dashboard. It runs on the default branch only (branch_protection_rule + weekly schedule + push to main) — it assesses the repository, not a PR diff, so there is no pull_request trigger. All actions are SHA-pinned and the job carries a timeout, matching the rest of the workflows. publish_results is true, so the score is published to securityscorecards.dev (transparency) and surfaced as a badge in README.md and doc/README.fr.md (kept in sync). The public-repo permission set is used (job: security-events: write + id-token: write; contents/actions reads only needed on a private repo). The badge renders "no data" until the first push-to-main run publishes results, then populates on its own.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add an OpenSSF Scorecard workflow that scores the repository's security posture (pinned actions, token permissions, branch protection, signed releases, dependency-update tooling, and more), uploads the findings to the code-scanning dashboard, and publishes the score to securityscorecards.dev to power a README badge.
Type of change
Changes
.github/workflows/scorecard.ymlrunningossf/scorecard-action(SHA-pinned):branch_protection_rule, a weeklyschedule, andpushtomain— it scores the repository, not a PR diff, so there is nopull_requesttrigger;permissions: read-allat the top level; the singleanalysisjob widens onlysecurity-events: write(SARIF upload to code-scanning) andid-token: write(publish to the public OpenSSF API);timeout-minutes: 15and aconcurrencygroup that cancels superseded runs on the same ref;persist-credentials: false);publish_results: trueso the score is published to securityscorecards.dev and the badge renders;README.mdanddoc/README.fr.md.Testing
dotnet build FirstClassErrors.slndotnet test FirstClassErrors.slnFirstClassErrors.Analyzers.UnitTests)Not applicable — this PR only adds a GitHub Actions workflow and two README badge lines; no source is touched. The workflow YAML was validated locally and every action is SHA-pinned. The workflow itself runs only on
pushtomain/schedule/branch_protection_rule, so it is not exercised by this PR's checks; the badge shows "no data" until the first run onmainpublishes a score.Documentation
doc/updateddoc/README.fr.md) updated if user-facing behavior changedGenerated by Claude Code