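# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.
#
# Supply-chain posture of this workflow itself:
# - every third-party action is pinned to a full commit SHA; the trailing
#   "# vX.Y.Z" comment is documentation only, the SHA is what actually runs,
#   so a moved or re-tagged release cannot silently change the code executed;
# - the default GITHUB_TOKEN is read-only at the workflow level and the job
#   requests only the two write scopes Scorecard needs.
---
name: Scorecards supply-chain security
on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: '43 7 * * 6'
  push:
    branches:
      - main

# Default GITHUB_TOKEN scopes for every job: read-only. A job that needs more
# must request it explicitly in its own permissions block.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the workflow-level one: every
    # scope not listed here is "none" for this job, which is the intended
    # least-privilege shape. On a private repository the checkout and the
    # SARIF upload additionally need `contents: read` and `actions: read`
    # (see the scorecard-action README); a public repository does not.
    permissions:
      # Needed for Code scanning upload
      security-events: write
      # Needed for GitHub OIDC token if publish_results is true
      id-token: write

    steps:
      - name: "Checkout code"
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          # Do not leave GITHUB_TOKEN in the checked-out repository's git
          # config, where later steps and third-party actions could read it.
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          # Publish results to OpenSSF REST API for easy access by consumers.
          # - Allows the repository to include the Scorecard badge.
          # - See https://github.com/ossf/scorecard-action#publishing-results.
          # - Uses the OIDC token granted by `id-token: write` above.
          publish_results: true

      # Upload the results as artifacts (optional). Commenting out will disable
      # uploads of run results in SARIF format to the repository Actions tab.
      # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
      - name: "Upload artifact"
        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
        with:
          name: SARIF file
          path: results.sarif
          # Short retention: the same findings land in the Code Scanning
          # dashboard below, so the raw artifact is only a debugging aid.
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard (optional).
      # Commenting out will disable upload of results to your repo's Code Scanning dashboard.
      # This is the step that requires `security-events: write`.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
        with:
          sarif_file: results.sarif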