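# OSSF Scorecard workflow: runs the Scorecard checks against this repository,
# publishes the results to the OpenSSF API (for the badge) and uploads the
# SARIF report to GitHub code scanning.
name: Scorecard supply-chain security
on:  # yamllint disable-line rule:truthy
  # Re-run when branch protection settings change, since several checks
  # (e.g. Branch-Protection) depend on them.
  branch_protection_rule:
  # NOTE(review): publish_results below only publishes from the repository's
  # default branch; confirm `develop` is the default branch, otherwise the
  # push-triggered run analyses but cannot publish.
  push:
    branches:
      - develop
  # Weekly run so the "Maintained" signal and published results stay fresh
  # even without pushes. Quoted: cron strings contain YAML-special characters.
  schedule:
    - cron: '29 15 * * 0'

# Default token scope for every job: read-only.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    # Job-level permissions replace the top-level set entirely: anything not
    # listed here is `none`. This is intentional least privilege.
    permissions:
      # Needed to publish results to the Scorecard API (OIDC token).
      id-token: write
      # Needed to upload the SARIF file to the code-scanning dashboard.
      security-events: write
      # NOTE(review): for a private repository, checkout and Scorecard need
      # explicit read access; uncomment these there.
      # contents: read
      # actions: read
    runs-on: ubuntu-latest
    steps:
      # All actions are pinned to full commit SHAs (version in the trailing
      # comment) so a moved tag cannot change the code that runs here.
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Do not leave GITHUB_TOKEN in .git/config for later steps.
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
          # Publish to the Scorecard API so the repository gets a badge and
          # the results are visible publicly. Set to false to keep them local.
          publish_results: true

      # Keep a short-lived copy of the raw SARIF for debugging a run.
      - name: Upload artifact
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Surface the findings in the repository's Security > Code scanning tab.
      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@5378192d256ef1302a6980fffe5ca04426d43091 # v3.28.21
        with:
          sarif_file: results.sarif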