Scorecard supply-chain security #8

	name: 'Scorecard supply-chain security'

	on:
	branch_protection_rule: {}
	schedule:
	- cron: '0 5 * * 5'
	workflow_dispatch: {}

	permissions: 'read-all'

	jobs:
	analysis:
	name: 'Scorecard analysis'
	runs-on: 'ubuntu-latest'
	permissions:
	security-events: 'write'
	id-token: 'write'

	steps:
	- name: 'Harden Runner'
	uses: 'step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df' # v2.18.0
	with:
	egress-policy: 'audit'

	- name: 'Checkout code'
	uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
	with:
	persist-credentials: false

	- name: 'Run analysis'
	uses: 'ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a' # v2.4.3
	with:
	results_file: 'results.sarif'
	results_format: 'sarif'
	publish_results: true

	- name: 'Upload artifact'
	uses: 'actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a' # v7.0.1
	with:
	name: 'SARIF file'
	path: 'results.sarif'
	retention-days: 5

	- name: 'Upload to code-scanning'
	uses: 'github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225' # v4
	with:
	sarif_file: 'results.sarif'

Provide feedback