Scorecards supply-chain security #155

	---
	# Copyright 2016-present Thomas Leplus
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	name: Scorecards supply-chain security
	on:
	push:
	branches:
	- main
	- "releases/**"
	schedule:
	- cron: "0 0 * * 0"
	workflow_dispatch:

	permissions: read-all

	jobs:
	analysis:
	name: Scorecards analysis
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	id-token: write
	steps:
	- name: "Checkout code"
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	persist-credentials: false
	- name: "Run analysis"
	uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
	with:
	results_file: results.sarif
	results_format: sarif
	publish_results: true
	- name: "Upload artifact"
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
	with:
	name: SARIF file
	path: results.sarif
	retention-days: 5
	- name: "Upload to code-scanning"
	uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
	with:
	sarif_file: results.sarif

Provide feedback