OpenSSF Scorecard #283
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # OpenSSF Scorecard - Automated Security Assessment | |
| # This workflow runs security checks against OpenSSF best practices | |
| # Results are uploaded to GitHub Security tab and published to OpenSSF dashboard | |
| name: OpenSSF Scorecard | |
| on: | |
| # Run on branch protection rule changes | |
| branch_protection_rule: | |
| # Run weekly on Sundays at midnight UTC | |
| schedule: | |
| - cron: '0 0 * * 0' | |
| # Run on every push to main branch | |
| push: | |
| branches: [main] | |
| # Allow manual triggering | |
| workflow_dispatch: | |
| # Restrict default permissions to read-only | |
| permissions: read-all | |
| jobs: | |
| analysis: | |
| name: Scorecard analysis | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| permissions: | |
| # Needed to upload SARIF results to GitHub Security tab | |
| security-events: write | |
| # Needed to publish results to OpenSSF dashboard | |
| id-token: write | |
| # Needed to read repository contents | |
| contents: read | |
| # Needed to read GitHub Actions | |
| actions: read | |
| steps: | |
| - name: "Checkout code" | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: "Run OpenSSF Scorecard analysis" | |
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 | |
| with: | |
| results_file: results.sarif | |
| results_format: sarif | |
| # Publish results to OpenSSF public dashboard | |
| publish_results: true | |
| - name: "Upload SARIF results to GitHub Security" | |
| uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v3 | |
| with: | |
| sarif_file: results.sarif | |
| - name: "Upload results as artifact" | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: scorecard-results | |
| path: results.sarif | |
| retention-days: 30 |