|
| 1 | +# Licensed to the Apache Software Foundation (ASF) under one or more |
| 2 | +# contributor license agreements. See the NOTICE file distributed with |
| 3 | +# this work for additional information regarding copyright ownership. |
| 4 | +# The ASF licenses this file to You under the Apache license, Version 2.0 |
| 5 | +# (the "License"); you may not use this file except in compliance with |
| 6 | +# the License. You may obtain a copy of the License at |
| 7 | +# |
| 8 | +# http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | +# |
| 10 | +# Unless required by applicable law or agreed to in writing, software |
| 11 | +# distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | +# See the license for the specific language governing permissions and |
| 14 | +# limitations under the license. |
| 15 | + |
| 16 | +name: "Scorecards supply-chain security" |
| 17 | + |
| 18 | +on: |
| 19 | + branch_protection_rule: |
| 20 | + schedule: |
| 21 | + - cron: "30 1 * * 6" # Weekly on Saturdays |
| 22 | + push: |
| 23 | + branches: [ "master" ] |
| 24 | + |
| 25 | +permissions: read-all |
| 26 | + |
| 27 | +jobs: |
| 28 | + |
| 29 | + analysis: |
| 30 | + |
| 31 | + name: "Scorecards analysis" |
| 32 | + runs-on: ubuntu-latest |
| 33 | + permissions: |
| 34 | + security-events: write # Needed to upload the results to the code-scanning dashboard. |
| 35 | + actions: read |
| 36 | + contents: read |
| 37 | + |
| 38 | + steps: |
| 39 | + |
| 40 | + - name: "Checkout code" |
| 41 | + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # 3.0.2 |
| 42 | + with: |
| 43 | + persist-credentials: false |
| 44 | + |
| 45 | + - name: "Run analysis" |
| 46 | + uses: ossf/scorecard-action@ce330fde6b1a5c9c75b417e7efc510b822a35564 # 1.1.2 |
| 47 | + with: |
| 48 | + results_file: results.sarif |
| 49 | + results_format: sarif |
| 50 | + # A read-only PAT token, which is sufficient for the action to function. |
| 51 | + # The relevant discussion: https://github.com/ossf/scorecard-action/issues/188 |
| 52 | + repo_token: ${{ secrets.GITHUB_TOKEN }} |
| 53 | + # Publish the results for public repositories to enable scorecard badges. |
| 54 | + # For more details: https://github.com/ossf/scorecard-action#publishing-results |
| 55 | + publish_results: true |
| 56 | + |
| 57 | + - name: "Upload artifact" |
| 58 | + uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # 3.1.0 |
| 59 | + with: |
| 60 | + name: SARIF file |
| 61 | + path: results.sarif |
| 62 | + retention-days: 5 |
| 63 | + |
| 64 | + - name: "Upload to code-scanning" |
| 65 | + uses: github/codeql-action/upload-sarif@b398f525a5587552e573b247ac661067fafa920b # 2.1.22 |
| 66 | + with: |
| 67 | + sarif_file: results.sarif |
0 commit comments