-
Notifications
You must be signed in to change notification settings - Fork 2
47 lines (38 loc) · 1.13 KB
/
Copy pathopenssf.yml
File metadata and controls
47 lines (38 loc) · 1.13 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
# SPDX-FileCopyrightText: 2026 Frans van Dorsselaer
#
# SPDX-License-Identifier: MIT
---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Scorecard
on:
push:
branches: [main]
schedule:
- cron: '41 5 * * 5'
permissions: {}
jobs:
analyze:
name: Analyze (Scorecard)
runs-on: ubuntu-latest
permissions:
security-events: write
id-token: write
contents: read
issues: read
pull-requests: read
checks: read
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Run Scorecard analysis
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: scorecard-results.sarif
results_format: sarif
publish_results: true
- name: Upload Scorecard scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
with:
sarif_file: scorecard-results.sarif