Scorecard supply-chain security #27
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: scorecard | |
| # Triggers: | |
| # - workflow_run on completed 'release' runs → scan fresh release assets | |
| # - weekly schedule (Mondays, 06:00 UTC) → backstop against drift | |
| # - branch_protection_rule changes → re-score when policy moves | |
| # - manual workflow_dispatch → on-demand | |
| # Not on every main push — most commits don't change release/scorecard-visible | |
| # state, so we were burning runner time publishing stale results. | |
| on: | |
| workflow_run: | |
| workflows: [release] | |
| types: [completed] | |
| branch_protection_rule: | |
| schedule: | |
| - cron: '0 6 * * 1' | |
| workflow_dispatch: | |
| permissions: read-all | |
| jobs: | |
| analysis: | |
| name: scorecard analysis | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| id-token: write | |
| contents: read | |
| actions: read | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| with: | |
| persist-credentials: false | |
| - name: run scorecard | |
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 | |
| with: | |
| results_file: results.sarif | |
| results_format: sarif | |
| publish_results: true | |
| - name: upload artifact | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 | |
| with: | |
| name: scorecard-results | |
| path: results.sarif | |
| retention-days: 5 | |
| - name: upload sarif to code scanning | |
| uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 | |
| with: | |
| sarif_file: results.sarif |