From 4d9d8973313c07e22984622e6bbc1947d2ba7785 Mon Sep 17 00:00:00 2001 From: Aaron Siddhartha Mondal Date: Fri, 15 Dec 2023 14:21:51 +0100 Subject: [PATCH] Add OpenSSF scorecard action (#486) Ensure that we follow security best practices. --- .github/workflows/scorecard.yaml | 47 ++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 .github/workflows/scorecard.yaml diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml new file mode 100644 index 000000000..ec89190a1 --- /dev/null +++ b/.github/workflows/scorecard.yaml @@ -0,0 +1,47 @@ +--- +name: Scorecard supply-chain security +on: + schedule: + # Non-peak hour 23:15 on Tuesdays. + - cron: '15 23 * * 1' + push: + branches: [ "main" ] + +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-22.04 + permissions: + security-events: write + id-token: write + + steps: + - name: Checkout + uses: >- # v4.1.1 + actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + with: + persist-credentials: false + + - name: Run analysis + uses: >- # v2.3.1 + ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: Upload artifact + uses: >- # v4.0.0 + actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + - name: Upload to code-scanning + uses: >- # v3.22.11 + github/codeql-action/upload-sarif@b374143c1149a9115d881581d29b8390bbcbb59c + with: + sarif_file: results.sarif