From 2d99a6b7c5c9554c0cfd874bfe47bf2cb84a9d77 Mon Sep 17 00:00:00 2001 From: Callan Barrett Date: Thu, 9 Apr 2026 19:03:35 +0800 Subject: [PATCH 1/2] ci: add OpenSSF Scorecard workflow Add weekly Scorecard analysis that grades the repository on security practices. Results published to scorecard.dev and uploaded to the Security tab as code scanning alerts. --- .github/workflows/scorecard.yml | 40 +++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..5aa6a1d --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,40 @@ +name: OpenSSF Scorecard + +on: + push: + branches: [main] + schedule: + - cron: "41 3 * * 1" # Monday 3:41 UTC (11:41 AWST) + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + + - name: Run Scorecard + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: Upload SARIF to code scanning + uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4 + with: + sarif_file: results.sarif + + - name: Upload artifact + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + name: scorecard-results + path: results.sarif + retention-days: 5 From 0083c17edc046fab7ac80f01e3430754fc428f82 Mon Sep 17 00:00:00 2001 From: Callan Barrett Date: Thu, 9 Apr 2026 19:34:21 +0800 Subject: [PATCH 2/2] ci: add contents: read permission for checkout --- .github/workflows/scorecard.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 5aa6a1d..12f60bc 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -11,6 +11,7 @@ jobs: name: Scorecard analysis runs-on: ubuntu-latest permissions: + contents: read security-events: write id-token: write