ci: add OpenSSF Scorecard workflow #9
Add weekly Scorecard analysis that grades the repository on security practices. Results published to scorecard.dev and uploaded to the Security tab as code scanning alerts.
Walkthrough: Added a new GitHub Actions workflow for OpenSSF Scorecard that runs on pushes to
Estimated code review effort: 1 (Trivial), ~5 minutes
Pre-merge checks: 3 passed
Codecov Report: All modified and coverable lines are covered by tests.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/scorecard.yml:
- Around line 24-30: The pinned SHA for the Scorecard action in the "Run
Scorecard" step (uses:
ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a) is annotated as
v2.4.3 but does not match that tag; either replace the SHA with the correct
commit for v2.4.3 (99c09fe975337306107572b4fdf4db224cf8e2f2) or change the
inline version comment to reflect the actual version represented by the current
SHA so the comment and the pinned commit are consistent.
- Around line 36-41: Update the inline comment that annotates the pinned action
SHA for clarity: change the comment on the
actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 line from "#
v4" to "# v4.6.2" so the upload-artifact action version is explicitly
documented; keep the rest of the step (name: Upload artifact, with: name:
scorecard-results, path: results.sarif, retention-days: 5) unchanged.
Review info
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 69ad1b04-7dff-4355-85e4-623f39373b52
Files selected for processing (1): .github/workflows/scorecard.yml
| - name: Run Scorecard | ||
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 | ||
| with: | ||
| results_file: results.sarif | ||
| results_format: sarif | ||
| publish_results: true | ||
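Review bot: `publish_results: true` on the `ossf/scorecard-action` step requires `id-token: write` (publishing to scorecard.dev) in addition to `security-events: write` for the SARIF upload, and the job's `permissions:` block is not in this hunk; please confirm it grants exactly those with a read-only default, since Scorecard's own Token-Permissions check scores this. The `# v2.4.3` annotation on the pinned SHA is contested in the thread (the API lookup and the web lookup disagree), so re-run `gh api repos/ossf/scorecard-action/git/ref/tags/v2.4.3` and, if `.object.type` is `tag`, dereference it through `git/tags/<sha>` before comparing with the pinned commit, because for an annotated tag `.object.sha` is the tag object, not the commit.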
Analysis chain
Script executed:
#!/bin/bash
# Description: Verify ossf/scorecard-action SHA matches v2.4.3 tag
# Fetch the v2.4.3 tag from GitHub API
echo "Checking ossf/scorecard-action v2.4.3 tag..."
gh api repos/ossf/scorecard-action/git/ref/tags/v2.4.3 --jq '.object.sha' 2>/dev/null || echo "Tag v2.4.3 not found"
# Check what the pinned SHA points to
echo "Checking pinned SHA 4eaacf0543bb3f2c246792bd56e8cdeffafb205a..."
gh api repos/ossf/scorecard-action/commits/4eaacf0543bb3f2c246792bd56e8cdeffafb205a --jq '.sha' 2>/dev/null || echo "SHA not found"
Repository: ZaparooProject/go-zapscript
Length of output: 438
Web query:
ossf/scorecard-action v2.4.3 release SHA commit
Result:
ossf/scorecard-action v2.4.3 is tagged at commit 4eaacf0543bb3f2c246792bd56e8cdeffafb205a. [1], [2]
Sources: [1] (github.com) [2] (git.eigen.co.id)
Citations:
- 1: https://github.com/ossf/scorecard-action/releases/tag/v2.4.3
- 2: https://git.eigen.co.id/external/pg_stat_monitor/commit/906abb023fead26038484dd880116f28d926741c?utm_source=openai
Script executed:
#!/bin/bash
# Alternative approach: curl to public GitHub API
echo "Attempting to fetch v2.4.3 tag info via public API..."
curl -s "https://api.github.com/repos/ossf/scorecard-action/git/refs/tags/v2.4.3" | jq '.object.sha' 2>/dev/null || echo "Could not fetch via curl"
# Also try to get the tag object itself
echo "Checking if tag exists on GitHub..."
curl -s "https://api.github.com/repos/ossf/scorecard-action/releases/tags/v2.4.3" | jq '.target_commitish, .tag_name' 2>/dev/null || echo "Could not fetch release info"
Repository: ZaparooProject/go-zapscript
Length of output: 219
Fix the version comment: the pinned SHA does not match v2.4.3.
The workflow pins SHA 4eaacf0543bb3f2c246792bd56e8cdeffafb205a but labels it as v2.4.3. GitHub API confirms that v2.4.3 is actually tagged at SHA 99c09fe975337306107572b4fdf4db224cf8e2f2. Either update the pinned SHA to the correct v2.4.3 commit or update the version comment to reflect the actual version of the pinned SHA.
| - name: Upload artifact | ||
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | ||
| with: | ||
| name: scorecard-results | ||
| path: results.sarif | ||
| retention-days: 5 |
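Review bot: this step only stores `results.sarif` as a workflow artifact for 5 days; the PR description promises results in the Security tab as code scanning alerts, which needs a separate `github/codeql-action/upload-sarif` step that is not in this hunk, so confirm it follows this one. The `# v4` comment on the `actions/upload-artifact` pin should also name the exact version the SHA resolves to (the thread identifies it as v4.6.2), so a reader can check the pin without resolving the commit.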
Analysis chain
Script executed:
#!/bin/bash
# Description: Verify actions/upload-artifact SHA and identify the specific version
# Check what the pinned SHA points to
echo "Checking pinned SHA ea165f8d65b6e75b540449e92b4886f43607fa02..."
gh api repos/actions/upload-artifact/commits/ea165f8d65b6e75b540449e92b4886f43607fa02 --jq '.sha' 2>/dev/null || echo "SHA not found"
# List recent v4 tags to find matching SHA
echo -e "\nRecent v4.x.x tags:"
gh api repos/actions/upload-artifact/git/matching-refs/tags/v4 --jq '.[].ref' | head -20
Repository: ZaparooProject/go-zapscript
Length of output: 442
Web query:
actions/upload-artifact ea165f8d65b6e75b540449e92b4886f43607fa02 version
Result:
Commit ea165f8d65b6e75b540449e92b4886f43607fa02 in actions/upload-artifact corresponds to release v4.6.2. [1]
Update the version comment to specify v4.6.2.
The pinned SHA corresponds to v4.6.2. Update the inline comment from # v4 to # v4.6.2 for better traceability and clarity.
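As an added example (not code from this PR or from CodeRabbit), a small Python audit of the check both review comments above perform by hand: it classifies every `uses:` pin in a workflow excerpt constructed from the two reviewed steps and compares each inline version comment with a tag-to-SHA table of the kind the `gh api` lookups return. The table holds a constructed placeholder SHA, not the real v2.4.3 commit; `audit_pins`, the status names and the sample data are this example's own assumptions.

```python
import re
# Matches "uses: owner/repo[/path]@ref" with an optional trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
                     r"@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
FULL_VERSION_RE = re.compile(r"^v?\d+\.\d+\.\d+$")

def audit_pins(workflow_text, tag_shas):
    """Classify each `uses:` line; tag_shas maps action -> {tag: commit sha},
    i.e. the commit each tag resolves to after dereferencing annotated tags."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m["action"], m["ref"]
        comment = (m["comment"] or "").strip()
        if not SHA_RE.match(ref):
            status = "unpinned"                  # a tag or branch can be moved by the action owner
        elif not comment:
            status = "pinned-no-version"         # nobody can tell what the SHA is meant to be
        elif not FULL_VERSION_RE.match(comment):
            status = "pinned-partial-version"    # "# v4" cannot be checked against a single tag
        else:
            expected = tag_shas.get(action, {}).get(comment)
            if expected is None:
                status = "tag-unknown"           # look the tag up before trusting the comment
            elif expected == ref:
                status = "ok"
            else:
                status = "pinned-version-mismatch"  # the comment misdescribes the pinned commit
        findings.append({"line": lineno, "action": action, "ref": ref,
                         "comment": comment, "status": status})
    return findings

# Constructed excerpt modelled on the two steps reviewed in this PR.
SAMPLE_WORKFLOW = """\
      - name: Run Scorecard
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
      - name: Upload artifact
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
      - uses: actions/checkout@v4
"""
# Constructed tag table with a placeholder SHA (not the real v2.4.3 commit);
# in practice fill it from the `gh api` lookups shown in the review thread.
CONSTRUCTED_TAG_SHAS = {
    "ossf/scorecard-action": {"v2.4.3": "0123456789abcdef0123456789abcdef01234567"},
}
```

Run `audit_pins(SAMPLE_WORKFLOW, CONSTRUCTED_TAG_SHAS)` to get one finding per step; the scorecard line reports a mismatch against the placeholder, the upload-artifact line a partial version comment, and the checkout line an unpinned reference.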