ci: add OSSF Scorecard workflow#15
Conversation
Publishes weekly scorecard results to scorecard.dev, populating the OpenSSF Score badge in README. Actions pinned by SHA per scorecard's own recommendation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
📝 WalkthroughWalkthroughA new GitHub Actions workflow is created to execute OSSF Scorecard security analysis on the repository. The workflow generates SARIF output, uploads results to GitHub Code Scanning for tracking, and stores scorecard results as a temporary artifact. Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~5 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/scorecard.yml (1)
35-45: Consider adding conditional execution for upload steps.The artifact and SARIF upload steps will fail if the scorecard step doesn't produce
results.sarif. Consider addingif: always()orif: success() || failure()to these steps if you want diagnostics even when scorecard fails, or keep the current behavior if you prefer fail-fast.📝 Optional: Add conditional execution
If you want uploads to run even if scorecard encounters issues:
- name: upload artifact uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + if: always() with: name: scorecard-results path: results.sarif retention-days: 5 - name: upload sarif to code scanning uses: github/codeql-action/upload-sarif@865f5f5c36632f18690a3d569fa0a764f2da0c3e # v3 + if: always() with: sarif_file: results.sarif🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/scorecard.yml around lines 35 - 45, The upload steps "upload artifact" and "upload sarif to code scanning" should be made conditional so they don't fail when scorecard doesn't produce results.sarif; update each step (the ones with name: upload artifact and name: upload sarif to code scanning) to include an if: conditional such as if: always() or if: success() || failure() depending on whether you want uploads to run on all outcomes or only non-canceled runs.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In @.github/workflows/scorecard.yml:
- Around line 35-45: The upload steps "upload artifact" and "upload sarif to
code scanning" should be made conditional so they don't fail when scorecard
doesn't produce results.sarif; update each step (the ones with name: upload
artifact and name: upload sarif to code scanning) to include an if: conditional
such as if: always() or if: success() || failure() depending on whether you want
uploads to run on all outcomes or only non-canceled runs.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 2926841c-c453-49b3-8efd-a36303c933a7
📒 Files selected for processing (1)
.github/workflows/scorecard.yml
Summary
.github/workflows/scorecard.ymlrunning weekly + on push to mainTest plan
Summary by CodeRabbit