Merged
41 changes: 41 additions & 0 deletions .github/workflows/scorecard.yml
@@ -0,0 +1,41 @@
name: OpenSSF Scorecard

on:
push:
branches: [main]
schedule:
- cron: "41 3 * * 1" # Monday 3:41 UTC (11:41 AWST)

jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
id-token: write

steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false

- name: Run Scorecard
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: results.sarif
results_format: sarif
publish_results: true
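Review bot: the `# v2.4.3` annotation on the `ossf/scorecard-action@4eaacf05…` pin is disputed by the review thread below, which cites one source saying v2.4.3 is tagged at 4eaacf05… and then concludes it is at 99c09fe9…; resolve the tag yourself before changing either the SHA or the comment, for example with `git ls-remote --tags https://github.com/ossf/scorecard-action v2.4.3`, and take the `^{}` (peeled) line if the tag is annotated, because the `git/ref/tags/v2.4.3` API call in the thread's script returns the ref's object, which for an annotated tag is the tag object rather than the commit that a `uses:` pin must match. The same exact-release precision should apply to `# v6` on the `actions/checkout` pin, which names only a major line.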

Comment on lines +24 to +30


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify ossf/scorecard-action SHA matches v2.4.3 tag

# Fetch the v2.4.3 tag from GitHub API
echo "Checking ossf/scorecard-action v2.4.3 tag..."
gh api repos/ossf/scorecard-action/git/ref/tags/v2.4.3 --jq '.object.sha' 2>/dev/null || echo "Tag v2.4.3 not found"

# Check what the pinned SHA points to
echo "Checking pinned SHA 4eaacf0543bb3f2c246792bd56e8cdeffafb205a..."
gh api repos/ossf/scorecard-action/commits/4eaacf0543bb3f2c246792bd56e8cdeffafb205a --jq '.sha' 2>/dev/null || echo "SHA not found"

Repository: ZaparooProject/go-zapscript

Length of output: 438


🌐 Web query:

ossf/scorecard-action v2.4.3 release SHA commit

💡 Result:

ossf/scorecard-action v2.4.3 is tagged at commit 4eaacf0543bb3f2c246792bd56e8cdeffafb205a. [1], [2]

Sources: [1] (github.com) [2] (git.eigen.co.id)



🏁 Script executed:

#!/bin/bash
# Alternative approach: curl to public GitHub API
echo "Attempting to fetch v2.4.3 tag info via public API..."
curl -s "https://api.github.com/repos/ossf/scorecard-action/git/refs/tags/v2.4.3" | jq '.object.sha' 2>/dev/null || echo "Could not fetch via curl"

# Also try to get the tag object itself
echo "Checking if tag exists on GitHub..."
curl -s "https://api.github.com/repos/ossf/scorecard-action/releases/tags/v2.4.3" | jq '.target_commitish, .tag_name' 2>/dev/null || echo "Could not fetch release info"

Repository: ZaparooProject/go-zapscript

Length of output: 219


Fix the version comment: the pinned SHA does not match v2.4.3.

The workflow pins SHA 4eaacf0543bb3f2c246792bd56e8cdeffafb205a but labels it as v2.4.3. GitHub API confirms that v2.4.3 is actually tagged at SHA 99c09fe975337306107572b4fdf4db224cf8e2f2. Either update the pinned SHA to the correct v2.4.3 commit or update the version comment to reflect the actual version of the pinned SHA.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/scorecard.yml around lines 24 - 30, The pinned SHA for the
Scorecard action in the "Run Scorecard" step (uses:
ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a) is annotated as
v2.4.3 but does not match that tag; either replace the SHA with the correct
commit for v2.4.3 (99c09fe975337306107572b4fdf4db224cf8e2f2) or change the
inline version comment to reflect the actual version represented by the current
SHA so the comment and the pinned commit are consistent.

- name: Upload SARIF to code scanning
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
with:
sarif_file: results.sarif

- name: Upload artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: scorecard-results
path: results.sarif
retention-days: 5
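Review bot: the `# v4` comments on the `github/codeql-action/upload-sarif` and `actions/upload-artifact` pins name only a major line, so a reader cannot tell which release each SHA was resolved from or check that it still matches; record the exact tag (the thread below identifies `v4.6.2` for upload-artifact) so the comment can be verified against the SHA and bumped together with it.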
Comment on lines +36 to +41


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify actions/upload-artifact SHA and identify the specific version

# Check what the pinned SHA points to
echo "Checking pinned SHA ea165f8d65b6e75b540449e92b4886f43607fa02..."
gh api repos/actions/upload-artifact/commits/ea165f8d65b6e75b540449e92b4886f43607fa02 --jq '.sha' 2>/dev/null || echo "SHA not found"

# List recent v4 tags to find matching SHA
echo -e "\nRecent v4.x.x tags:"
gh api repos/actions/upload-artifact/git/matching-refs/tags/v4 --jq '.[].ref' | head -20

Repository: ZaparooProject/go-zapscript

Length of output: 442


🌐 Web query:

actions/upload-artifact ea165f8d65b6e75b540449e92b4886f43607fa02 version

💡 Result:

Commit ea165f8d65b6e75b540449e92b4886f43607fa02 in actions/upload-artifact corresponds to release v4.6.2. [1]


Update the version comment to specify v4.6.2.

The pinned SHA corresponds to v4.6.2. Update the inline comment from # v4 to # v4.6.2 for better traceability and clarity.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/scorecard.yml around lines 36 - 41, Update the inline
comment that annotates the pinned action SHA for clarity: change the comment on
the actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 line from
"# v4" to "# v4.6.2" so the upload-artifact action version is explicitly
documented; keep the rest of the step (name: Upload artifact, with: name:
scorecard-results, path: results.sarif, retention-days: 5) unchanged.
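Both review comments above come down to the same check: does the commit SHA in a `uses:` line actually correspond to the tag written in the comment next to it, and is that comment precise enough to be checked at all. The script below is an added example, not code from the ZaparooProject/go-zapscript repository or from the review tool; the function names (`parse_pins`, `parse_ls_remote`, `check_pin`, `audit`) are this example's own, and every SHA and `git ls-remote --tags` listing in it is constructed so it runs offline, not a real release commit. It also handles the annotated-tag case the thread's script glosses over: the peeled `^{}` entry is the commit a pin must match, not the tag object.

```python
"""Check that SHA-pinned GitHub Actions match the version comment beside them.

Added example, not code from the ZaparooProject/go-zapscript repository or the
review tool above. It pulls `uses: owner/repo@<sha> # <tag>` pins out of a
workflow and compares each SHA with the commit the named tag resolves to in
`git ls-remote --tags` output. Every SHA and listing here is CONSTRUCTED.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
MAJOR_ONLY_RE = re.compile(r"^v\d+$")

# Constructed commit ids (39 repeated hex chars plus a digit), made up for this example.
SCORECARD_COMMIT = "a" * 39 + "1"  # commit the constructed v2.4.3 tag peels to
SCORECARD_TAGOBJ = "d" * 39 + "4"  # the annotated tag object itself, not a commit
UPLOAD_COMMIT = "b" * 39 + "2"
CODEQL_PINNED = "c" * 39 + "3"
CODEQL_V4_TIP = "f" * 39 + "6"

# Constructed `git ls-remote --tags <url>` output per repository. An annotated tag
# is listed twice: refs/tags/<name> (tag object) and refs/tags/<name>^{} (commit).
LS_REMOTE: Dict[str, str] = {
    "ossf/scorecard-action": (
        f"{SCORECARD_TAGOBJ}\trefs/tags/v2.4.3\n"
        f"{SCORECARD_COMMIT}\trefs/tags/v2.4.3^{{}}\n"
    ),
    "actions/upload-artifact": (
        f"{UPLOAD_COMMIT}\trefs/tags/v4.6.2\n"
        f"{UPLOAD_COMMIT}\trefs/tags/v4\n"  # moving major tag, currently at v4.6.2
    ),
    "github/codeql-action": f"{CODEQL_V4_TIP}\trefs/tags/v4\n",
}

# Constructed workflow fragment modelled on the scorecard.yml under review.
SAMPLE_WORKFLOW = f"""
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Run Scorecard
        uses: ossf/scorecard-action@{SCORECARD_COMMIT} # v2.4.3
      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@{CODEQL_PINNED} # v4
      - name: Upload artifact
        uses: actions/upload-artifact@{UPLOAD_COMMIT} # v4
"""

@dataclass
class Pin:
    repo: str               # owner/name; a sub-path such as /upload-sarif is dropped
    ref: str                # whatever follows '@': a commit SHA or a tag
    comment: Optional[str]  # version annotation after '#', if present

def parse_pins(workflow_text: str) -> List[Pin]:
    pins = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            repo = "/".join(m.group("action").split("/")[:2])
            pins.append(Pin(repo, m.group("ref"), m.group("comment")))
    return pins

def parse_ls_remote(output: str) -> Dict[str, str]:
    """Map tag name -> commit SHA; the peeled (^{}) entry overrides the tag object."""
    tags: Dict[str, str] = {}
    peeled: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split("\t")
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, name = parts[0], parts[1][len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            tags[name] = sha
    tags.update(peeled)
    return tags

def check_pin(pin: Pin, tags: Dict[str, str]) -> str:
    """Return 'ok', or a short reason the pin cannot be trusted as annotated."""
    if not FULL_SHA_RE.match(pin.ref):
        return "not pinned to a full commit SHA"
    if pin.comment is None:
        return "no version comment"
    expected = tags.get(pin.comment)
    if expected is None:
        return f"tag {pin.comment} not found"
    if expected != pin.ref:
        return f"comment says {pin.comment} but that tag is {expected[:12]}"
    if MAJOR_ONLY_RE.match(pin.comment):
        return f"matches {pin.comment} but that is a moving major tag; record the exact release"
    return "ok"

def audit(workflow_text: str, ls_remote_by_repo: Dict[str, str]) -> Dict[str, str]:
    """Check every pin in the workflow; results keyed by owner/name."""
    return {
        pin.repo: check_pin(pin, parse_ls_remote(ls_remote_by_repo.get(pin.repo, "")))
        for pin in parse_pins(workflow_text)
    }

if __name__ == "__main__":
    for repo, status in audit(SAMPLE_WORKFLOW, LS_REMOTE).items():
        print(f"{repo}: {status}")
```

Against the constructed sample, the checkout pin is reported as not SHA-pinned, the scorecard pin as matching its tag, the codeql-action pin as contradicting its `# v4` comment, and the upload-artifact pin as matching only a moving major tag. To run it against a real workflow, feed `parse_ls_remote` the output of `git ls-remote --tags https://github.com/<owner>/<repo>` for each action and pass the workflow file's text to `audit`; a mismatch on a pin that was previously correct is exactly the signal a force-moved tag produces.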
