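name: Scorecards supply-chain security
on:
  # Only the default branch is supported.
  # Bare value on purpose: GitHub treats it as "all activity types" for this event.
  branch_protection_rule:
  schedule:
    # Weekly on Saturdays (01:30 UTC).
    - cron: '30 1 * * 6'
  push:
    # $default-branch is the starter-workflow placeholder GitHub substitutes on install.
    branches: [ $default-branch ]

# Declare default permissions as read only.
# Job-level `permissions` below replaces this set for that job, so anything the
# job needs beyond read-all must be listed there explicitly.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write

    steps:
      - name: "Checkout code"
        # Note: scorecard will flag this line if not pinned by hash (a mutable
        # tag ref; pin to a full commit SHA once the team picks a release).
        uses: actions/checkout@v1

      - name: "Run analysis"
        # TODO: update with a hash once we have a release.
        # Until then this runs whatever is currently on the feat/rempol branch
        # with this job's token, so pin it as soon as a release exists.
        uses: ossf/scorecard-action@feat/rempol
        with:
          results_file: results.sarif
          results_format: sarif
          # For the token,
          # 1. Create a PAT token at https://github.com/settings/tokens/new
          #    with the following read permissions:
          #    - Note: OSSF Scorecard read-only token
          #    - Expiration: No expiration
          #      (a non-expiring token is a standing credential; if policy
          #      allows, prefer an expiring token and rotate the secret.)
          #    - Scopes:
          #      * repo > public_repo
          #      * admin:org > read:org
          #      * admin:repo_hook > read:repo_hook
          #      * write:discussion > read:discussion
          #
          #    Create and copy the token.
          #
          # 2. Create a new repository secret at https://github.com/<org>/<repo>/settings/secrets/actions
          #    with the following settings:
          #    - Name: SCORECARD_TOKEN
          #    - Value: the value of the token created in step 1 above.
          repo_token: ${{ secrets.SCORECARD_TOKEN }}

          # The Scorecard team runs a weekly scan of public GitHub repositories in order to track
          # the overall security health of the open source ecosystem.
          # Setting `publish_results: true` replaces the results of the team's weekly scans,
          # helping us scale by cutting down on repeated workflows and GitHub API requests.
          # This option is needed to enable badges on the repo.
          publish_results: true

      # Upload the results as artifacts.
      # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
      # This is optional.
      - name: "Upload artifact"
        # Note: scorecard will flag this line if not pinned by hash.
        uses: actions/upload-artifact@v2
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      # This is required to visualize the results on GitHub website.
      - name: "Upload to code-scanning"
        # Note: scorecard will flag this line if not pinned by hash.
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif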