sandbox/.github/workflows/ossf-scorecard.yml

# SPDX-FileCopyrightText: (C) 2024 Hong Yongmin (https://revi.xyz/) <yewon@revi.email>
#
# SPDX-License-Identifier: Apache-2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.
---
name: Scorecard supply-chain security
on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: '40 23 * * 4'
  push:
    branches: 'master'

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write
      # Uncomment the permissions below if installing in a private repository.
      # contents: read
      # actions: read

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) "write" PAT token.
          # Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecard on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}

          # Public repositories:
          #   - Publish results to OpenSSF REST API for easy access by consumers
          #   - Allows the repository to include the Scorecard badge.
          #   - See https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories:
          #   - `publish_results` will always be set to `false`, regardless
          #     of the value entered here.
          publish_results: true

      # Upload the results as artifacts (optional). Commenting out will disable
      # uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard (optional).
      # Commenting out will disable upload of results to your repo's
      # Code Scanning dashboard
      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
CI(GitHub Actions): Add ossf-scorecard action Summary: Ref [GitHub ossf/scorecard-action](https://github.com/ossf/scorecard-action). Signed-off-by: Yongmin Hong <revi@omglol.email> Test Plan: Land and wait for result. Reviewers: O1 revi & automations, revi Reviewed By: O1 revi & automations, revi Tags: #github_actions Differential Revision: https://issuetracker.revi.xyz/D815 2024-10-23 10:23:29 +02:00			`# SPDX-FileCopyrightText: (C) 2024 Hong Yongmin (https://revi.xyz/) <yewon@revi.email>`
			`#`
			`# SPDX-License-Identifier: Apache-2.0`
			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

			`# This workflow uses actions that are not certified by GitHub. They are provided`
			`# by a third-party and are governed by separate terms of service, privacy`
			`# policy, and support documentation.`
			`---`
			`name: Scorecard supply-chain security`
			`on:`
			`# For Branch-Protection check. Only the default branch is supported. See`
			`# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection`
			`branch_protection_rule:`
			`# To guarantee Maintained check is occasionally updated. See`
			`# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained`
			`schedule:`
			`- cron: '40 23 * * 4'`
			`push:`
			`branches: 'master'`

			`# Declare default permissions as read only.`
			`permissions: read-all`

			`jobs:`
			`analysis:`
			`name: Scorecard analysis`
			`runs-on: ubuntu-latest`
			`permissions:`
			`# Needed to upload the results to code-scanning dashboard.`
			`security-events: write`
			`# Needed to publish results and get a badge (see publish_results below).`
			`id-token: write`
			`# Uncomment the permissions below if installing in a private repository.`
			`# contents: read`
			`# actions: read`

			`steps:`
			`- name: Checkout code`
			`uses: actions/checkout@v4`
			`with:`
			`persist-credentials: false`

			`- name: Run analysis`
			`uses: ossf/scorecard-action@v2.3.1`
			`with:`
			`results_file: results.sarif`
			`results_format: sarif`
			`# (Optional) "write" PAT token.`
			# Uncomment the `repo_token` line below if:
			`# - you want to enable the Branch-Protection check on a public repository, or`
			`# - you are installing Scorecard on a private repository`
			`# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.`
			`# repo_token: ${{ secrets.SCORECARD_TOKEN }}`

			`# Public repositories:`
			`# - Publish results to OpenSSF REST API for easy access by consumers`
			`# - Allows the repository to include the Scorecard badge.`
			`# - See https://github.com/ossf/scorecard-action#publishing-results.`
			`# For private repositories:`
			# - `publish_results` will always be set to `false`, regardless
			`# of the value entered here.`
			`publish_results: true`

			`# Upload the results as artifacts (optional). Commenting out will disable`
			`# uploads of run results in SARIF`
			`# format to the repository Actions tab.`
			`- name: Upload artifact`
			`uses: actions/upload-artifact@v4`
			`with:`
			`name: SARIF file`
			`path: results.sarif`
			`retention-days: 5`

			`# Upload the results to GitHub's code scanning dashboard (optional).`
			`# Commenting out will disable upload of results to your repo's`
			`# Code Scanning dashboard`
			`- name: Upload to code-scanning`
			`uses: github/codeql-action/upload-sarif@v3`
			`with:`
			`sarif_file: results.sarif`