mirror of
https://github.com/ivuorinen/actions.git
synced 2026-03-09 22:57:11 +00:00
fix(ci): use the latest openssf scorecard action (#503)
* fix(ci): use the latest openssf scorecard action * fix(ci): replace scorecard workflow with upstream reference Replace our custom scorecard workflow with the official ossf/scorecard workflow template for better alignment with upstream recommendations.
This commit is contained in:
GitHub
43
.github/workflows/scorecard.yml
vendored
43
.github/workflows/scorecard.yml
vendored
@@ -1,37 +1,58 @@
|
|||||||
---
|
---
|
||||||
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
|
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
|
||||||
name: OpenSSF Scorecard
|
name: Scorecard analysis workflow
|
||||||
|
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
branches: [main]
|
# Only the default branch is supported.
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
schedule:
|
schedule:
|
||||||
- cron: '0 2 * * 0' # Weekly Sunday 2AM UTC
|
# Weekly on Saturdays.
|
||||||
|
- cron: '30 1 * * 6'
|
||||||
|
|
||||||
permissions: {}
|
permissions: read-all
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
analysis:
|
analysis:
|
||||||
|
name: Scorecard analysis
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
permissions:
|
permissions:
|
||||||
|
# Needed for Code scanning upload
|
||||||
security-events: write
|
security-events: write
|
||||||
|
# Needed for GitHub OIDC token if publish_results is true
|
||||||
id-token: write
|
id-token: write
|
||||||
contents: read
|
|
||||||
actions: read
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
|
- name: 'Checkout code'
|
||||||
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||||
with:
|
with:
|
||||||
persist-credentials: false
|
persist-credentials: false
|
||||||
- uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3
|
|
||||||
|
- name: 'Run analysis'
|
||||||
|
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
|
||||||
with:
|
with:
|
||||||
results_file: results.sarif
|
results_file: results.sarif
|
||||||
results_format: sarif
|
results_format: sarif
|
||||||
|
# Scorecard team runs a weekly scan of public GitHub repos,
|
||||||
|
# see https://github.com/ossf/scorecard#public-data.
|
||||||
|
# Setting `publish_results: true` helps us scale by leveraging your workflow to
|
||||||
|
# extract the results instead of relying on our own infrastructure to run scans.
|
||||||
|
# And it's free for you!
|
||||||
publish_results: true
|
publish_results: true
|
||||||
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
|
|
||||||
|
# Upload the results as artifacts (optional). Commenting out will disable
|
||||||
|
# uploads of run results in SARIF format to the repository Actions tab.
|
||||||
|
# https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
|
||||||
|
- name: 'Upload artifact'
|
||||||
|
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
|
||||||
with:
|
with:
|
||||||
name: SARIF file
|
name: SARIF file
|
||||||
path: results.sarif
|
path: results.sarif
|
||||||
retention-days: 5
|
retention-days: 5
|
||||||
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
|
|
||||||
|
# Upload the results to GitHub's code scanning dashboard (optional).
|
||||||
|
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
|
||||||
|
- name: 'Upload to code-scanning'
|
||||||
|
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
|
||||||
with:
|
with:
|
||||||
sarif_file: results.sarif
|
sarif_file: results.sarif
|
||||||
|
|||||||
Reference in New Issue
Block a user