affinescript/.github/workflows/scorecard.yml at main · hyperpolymath/affinescript · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# SPDX-License-Identifier: MPL-2.0
#
# Standalone OpenSSF Scorecard. Previously a thin caller of
# `hyperpolymath/standards/.github/workflows/scorecard-reusable.yml`; that
# cross-repo dependency had a persistent startup_failure history (see the
# prior note in this file's git history). This self-contained version calls
# `ossf/scorecard-action` directly — mirroring the already-direct sibling
# `scorecard-enforcer.yml` — so there is no external-repo workflow dependency.
# `ossf/scorecard-action` / `github/codeql-action` stay SHA-pinned (third-party
# actions); they match the pins used in scorecard-enforcer.yml.
name: Scorecards supply-chain security
on:
  branch_protection_rule:
  schedule:
    - cron: '23 4 * * 1'
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      security-events: write
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Run analysis
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - name: Upload SARIF to code-scanning
        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3
        with:
          sarif_file: results.sarif