ci: add OpenSSF Scorecard workflow #9
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| name: OpenSSF Scorecard | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main] | ||
| schedule: | ||
| - cron: "41 3 * * 1" # Monday 3:41 UTC (11:41 AWST) | ||
|
|
||
| jobs: | ||
| analysis: | ||
| name: Scorecard analysis | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| security-events: write | ||
| id-token: write | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: Run Scorecard | ||
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 | ||
| with: | ||
| results_file: results.sarif | ||
| results_format: sarif | ||
| publish_results: true | ||
|
|
||
| - name: Upload SARIF to code scanning | ||
| uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4 | ||
| with: | ||
| sarif_file: results.sarif | ||
|
|
||
| - name: Upload artifact | ||
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | ||
| with: | ||
| name: scorecard-results | ||
| path: results.sarif | ||
| retention-days: 5 | ||
|
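
Review bot: there is no top-level `permissions:` block in this workflow (the file goes straight from `name:` and `on:` to `jobs:`), so only the `analysis` job is scoped and any job added to this file later inherits the repository's default token grant. Suggest adding `permissions: read-all` at the top level before `jobs:` and keeping the job-level `security-events: write` and `id-token: write`, which the `upload-sarif` step and `publish_results: true` need; a restrictive top-level block is also what Scorecard's own Token-Permissions check looks for. The `persist-credentials: false` on checkout and the SHA-pinned `uses:` lines are the right shape for this job.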
Comment on lines +36 to +41

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Description: Verify actions/upload-artifact SHA and identify the specific version
# Check what the pinned SHA points to
echo "Checking pinned SHA ea165f8d65b6e75b540449e92b4886f43607fa02..."
gh api repos/actions/upload-artifact/commits/ea165f8d65b6e75b540449e92b4886f43607fa02 --jq '.sha' 2>/dev/null || echo "SHA not found"
# List recent v4 tags to find matching SHA
echo -e "\nRecent v4.x.x tags:"
gh api repos/actions/upload-artifact/git/matching-refs/tags/v4 --jq '.[].ref' | head -20
```

Repository: ZaparooProject/go-zapscript

💡 Result:

Update the version comment to specify v4.6.2. The pinned SHA corresponds to v4.6.2. Update the inline comment from
🧩 Analysis chain

Repository: ZaparooProject/go-zapscript

🌐 Web query: ossf/scorecard-action v2.4.3 release SHA commit

💡 Result: ossf/scorecard-action v2.4.3 is tagged at commit 4eaacf0543bb3f2c246792bd56e8cdeffafb205a. [1], [2]

Sources: [1] (github.com) [2] (git.eigen.co.id)

Fix the version comment: the pinned SHA does not match v2.4.3.

The workflow pins SHA 4eaacf0543bb3f2c246792bd56e8cdeffafb205a but labels it as v2.4.3. GitHub API confirms that v2.4.3 is actually tagged at SHA 99c09fe975337306107572b4fdf4db224cf8e2f2. Either update the pinned SHA to the correct v2.4.3 commit or update the version comment to reflect the actual version of the pinned SHA.
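The check the two review comments above perform by hand (is each `uses:` pinned to a full commit SHA, and does the trailing version comment agree with where that tag really points) can be run as a static check over the workflow file. This is an added example, not code from the PR or from the review bots: the workflow excerpt and the tag-to-SHA table below are constructed, with one deliberately wrong table entry, and in real use the table would be filled from the GitHub API.

```python
import re

# `uses: owner/repo[/path]@<ref>  # <label>`; the label comment is optional.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<label>\S+))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA is immutable


def parse_uses(workflow_text):
    """Return (action, ref, label) for each `uses:` line; label is None if absent."""
    hits = [USES_RE.match(line) for line in workflow_text.splitlines()]
    return [(m["action"], m["ref"], m["label"]) for m in hits if m]


def check_pins(workflow_text, tag_sha):
    """tag_sha maps (action, tag) -> SHA resolved out of band (e.g. with
    `gh api repos/OWNER/REPO/git/ref/tags/TAG`). Returns human-readable findings."""
    findings = []
    for action, ref, label in parse_uses(workflow_text):
        if not SHA_RE.match(ref):
            findings.append(f"{action}: ref '{ref}' is a mutable tag or branch, not a commit SHA")
        elif label is None:
            findings.append(f"{action}: pinned SHA carries no version comment")
        elif (action, label) not in tag_sha:
            findings.append(f"{action}: tag '{label}' not resolved, cannot verify comment")
        elif tag_sha[(action, label)] != ref:
            findings.append(f"{action}: comment says {label} but that tag is "
                            f"{tag_sha[(action, label)][:7]}, pin is {ref[:7]}")
    return findings

# Constructed workflow excerpt: a correct pin, a pin whose comment disagrees with the
# (constructed) tag table, an unpinned major tag, and a SHA without a comment.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
  - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
  - uses: actions/upload-artifact@v4
  - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13
"""
# Constructed tag->SHA table standing in for live API lookups; not authoritative.
SAMPLE_TAG_SHA = {
    ("actions/checkout", "v6"): "de0fac2e4500dabe0009e67214ff5f5447ce83dd",
    ("ossf/scorecard-action", "v2.4.3"): "0123456789abcdef0123456789abcdef01234567",
}

if __name__ == "__main__":
    for finding in check_pins(SAMPLE_WORKFLOW, SAMPLE_TAG_SHA):
        print(finding)
```

Running it on the constructed excerpt reports the mismatched scorecard-action comment, the unpinned `upload-artifact@v4`, and the comment-less codeql pin, and stays silent on the correctly labelled checkout pin.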