# GitHub Actions workflow: runs OSSF Scorecard against this repository, keeps the
# SARIF output as a short-lived artifact, and uploads it to code scanning.
# Rendered copy had its indentation stripped; restored here to the standard
# 2-space layout of the upstream scorecard-action template.
name: Scorecard supply-chain security
# NOTE(review): the forge banner flags this file for hidden/bidirectional
# Unicode; the emoji on the next line (with its presentation selector) is the
# likely source — consider plain ASCII so the file can be audited byte-for-byte.
# ⚠️ API INTEGRITY RULES (enforced when publish_results: true):
# - NO top-level `env:` or `defaults:` blocks in this file
# - NO workflow-level write permissions
# - ONLY this job may use id-token: write
# Violating any of these causes the publish step to be REJECTED by api.scorecard.dev
# `on` is a YAML 1.1 truthy key (generic parsers read it as `true`); GitHub's
# loader handles it — suppress yamllint `truthy` here rather than quoting it.
on:
  # Bare value: fires on every branch_protection_rule activity type.
  branch_protection_rule:
  schedule:
    - cron: '23 8 * * 6'
  push:
    # Branch-Protection check ONLY works on the default branch(Must match your actual default branch).
    branches: ["dev"]
  workflow_dispatch:
# Workflow-level permissions are read-only; write scopes are granted per job below.
permissions: read-all
jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    # Literal block scalar so the leading `!` is not read as a YAML tag indicator.
    # NOTE(review): the `pull_request` arm is unreachable with the triggers above
    # (no `pull_request:` under `on:`); it only matters if such a trigger is added.
    if: |
      !github.event.repository.fork &&
      (github.event.repository.default_branch == github.ref_name ||
      github.event_name == 'workflow_dispatch' ||
      github.event_name == 'pull_request')
    permissions:
      # Required by the upload-sarif step to write code-scanning alerts.
      security-events: write
      # OIDC token for publishing results; the sigstore endpoints allow-listed
      # below suggest keyless signing of the published results — confirm.
      id-token: write
      actions: read
      # Uncomment for PRIVATE repositories.
      # contents: read
    steps:
      - name: "Harden Runner"
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          # Left enabled; only disable once the maintainer confirms the analysis
          # step needs neither sudo nor containers.
          disable-sudo-and-containers: false
          # MAINTAINER CHOICE: Use "audit" first to discover needed endpoints,
          # then switch to "block" once confirmed stable.
          egress-policy: block
          # MAINTAINER CHOICE: Add project-specific endpoints if your stack
          # needs private registries, package mirrors, etc.
          # Folded scalar: the list below becomes one whitespace-separated line.
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            index.docker.io:443
            www.bestpractices.dev:443
            oss-fuzz-build-logs.storage.googleapis.com:443
            api.osv.dev:443
            api.deps.dev:443
            fulcio.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
            rekor.sigstore.dev:443
            auth.docker.io:443
            api.scorecard.dev:443
      - name: "Checkout code"
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # Do not leave the job token in the checkout's git config for later steps.
          persist-credentials: false
      - name: "Run analysis"
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          # Both upload steps below read this file; keep the three paths in sync.
          results_file: results.sarif
          results_format: sarif
          # MAINTAINER CHOICE: Uncomment + add secret if:
          # - PUBLIC repo wanting Branch-Protection check, OR
          # - PRIVATE repo (needs full `repo` scope, not just `public_repo`)
          # PAT scopes needed: public_repo (public) OR repo (private)
          # If org uses SAML SSO, also enable SSO on this PAT.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
          # MAINTAINER CHOICE: true = enables badge + publishes to api.scorecard.dev
          # After first run, add this badge to your README.md:
          # [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/{owner}/{repo}/badge)](https://scorecard.dev/viewer/?uri=github.com/{owner}/{repo})
          publish_results: true
          # MAINTAINER CHOICE: "archive" (default) is faster.
          # Switch to "git" only if your repo uses .gitattributes export-ignore
          # directives that cause files to be excluded from the archive download.
          # file_mode: archive
      - name: "Upload artifact"
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: SARIF file
          path: results.sarif
          # Short retention: the SARIF is also persisted in code scanning below.
          retention-days: 5
      - name: "Upload to code-scanning"
        # NOTE(review): the only action in this file referenced by a mutable tag
        # rather than a commit SHA; Scorecard's own Pinned-Dependencies check will
        # flag it. Pin to the full commit SHA of the v4 release (e.g.
        # `upload-sarif@<full-commit-sha> # v4`, SHA to be looked up), matching the
        # other steps.
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: results.sarif