README: add Build, CodeQL and OpenSSF Scorecard badges #3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # OpenSSF Scorecard: assesses the repository's supply-chain security posture | |
| # (branch protection, token permissions, pinned dependencies, etc.). | |
| # Results appear under the repository's "Security > Code scanning" tab. | |
| name: Scorecard | |
| on: | |
| branch_protection_rule: | |
| push: | |
| branches: [ "master" ] | |
| schedule: | |
| - cron: '23 4 * * 1' | |
| permissions: read-all | |
| jobs: | |
| analysis: | |
| name: Scorecard analysis | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| # Needed to publish results and get a badge (OpenSSF API, OIDC token). | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| persist-credentials: false | |
| - name: Run analysis | |
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 | |
| with: | |
| results_file: results.sarif | |
| results_format: sarif | |
| publish_results: true | |
| # Keep the raw SARIF as an artifact for inspection. | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: scorecard-results | |
| path: results.sarif | |
| retention-days: 5 | |
| - name: Upload to code scanning | |
| uses: github/codeql-action/upload-sarif@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3 | |
| with: | |
| sarif_file: results.sarif | |
| category: scorecard |