1#
2#  Copyright (c) 2022, The OpenThread Authors.
3#  All rights reserved.
4#
5#  Redistribution and use in source and binary forms, with or without
6#  modification, are permitted provided that the following conditions are met:
7#  1. Redistributions of source code must retain the above copyright
8#     notice, this list of conditions and the following disclaimer.
9#  2. Redistributions in binary form must reproduce the above copyright
10#     notice, this list of conditions and the following disclaimer in the
11#     documentation and/or other materials provided with the distribution.
12#  3. Neither the name of the copyright holder nor the
13#     names of its contributors may be used to endorse or promote products
14#     derived from this software without specific prior written permission.
15#
16#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17#  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18#  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19#  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
20#  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21#  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22#  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23#  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24#  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25#  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26#  POSSIBILITY OF SUCH DAMAGE.
27#
28
29# This workflow uses actions that are not certified by GitHub. They are provided
30# by a third-party and are governed by separate terms of service, privacy
31# policy, and support documentation.
32
# Runs the OpenSSF Scorecard checks against this repository and hands the
# SARIF results to GitHub code scanning (and, for public repositories, to the
# OpenSSF REST API so the Scorecard badge can be shown).
name: Scorecards supply-chain security

on:
  # Required by the Branch-Protection check; only the default branch is
  # evaluated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # Weekly run so the Maintained check keeps seeing recent activity. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: '33 12 * * 0'
  push:
    branches:
      - "main"

# Workflow-wide default: every scope read-only. A job must opt in to the
# write scopes it actually needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    # NOTE(review): on GitHub Actions a job-level `permissions` block replaces
    # the workflow-level one, so scopes not listed here are unavailable to
    # this job (that is why the private-repository scopes are listed below).
    permissions:
      # Upload of results.sarif to the code-scanning dashboard.
      security-events: write
      # OIDC token used by scorecard-action to publish results and obtain a
      # badge (see publish_results below).
      id-token: write
      # Uncomment the permissions below if installing in a private repository.
      # contents: read
      # actions: read

    steps:
      # Every third-party action below is pinned to a full commit SHA; the
      # version tag after it is only a comment, so a moved or re-pointed tag
      # cannot change what runs.
      - name: "Checkout code"
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          # Do not leave the GITHUB_TOKEN in .git/config for later steps.
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecards on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}

          # Public repositories:
          #   - results are published to the OpenSSF REST API for consumers, and
          #   - the repository may show the Scorecard badge
          #     (https://github.com/ossf/scorecard-action#publishing-results).
          # Private repositories: scorecard-action forces `publish_results`
          # to `false` whatever is written here.
          publish_results: true

      # Optional: keep the raw SARIF as a run artifact for 5 days. Remove this
      # step to stop uploading run results to the repository Actions tab.
      # NOTE(review): upload-artifact v3 has been deprecated upstream; move
      # the pin to a current major (again as a full SHA) and confirm the run.
      - name: "Upload artifact"
        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v3.1.0
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Push the same SARIF to GitHub code scanning (needs security-events: write).
      # NOTE(review): codeql-action v2 has been deprecated upstream; same
      # remark as for upload-artifact above.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v2.1.27
        with:
          sarif_file: results.sarif
101