🌱 polish scorecard workflow for use as example workflow (#3969)

This updates the version comments, adds some explanatory comments,
and generally makes it better. The intent is to use this file as an example
for the Scorecard Action repo so it remains up-to-date.

Signed-off-by: Spencer Schrock <sschrock@google.com>
This commit is contained in:
Spencer Schrock 2024-03-22 11:14:57 -07:00 committed by GitHub
parent 5b0ae81d49
commit e780e089f5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -7,8 +7,6 @@ on:
schedule: schedule:
# Weekly on Saturdays. # Weekly on Saturdays.
- cron: '30 1 * * 6' - cron: '30 1 * * 6'
# pull_request:
# branches: [main]
permissions: read-all permissions: read-all
@ -17,19 +15,22 @@ jobs:
name: Scorecard analysis name: Scorecard analysis
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
# Needed for Code scanning upload
security-events: write security-events: write
# Needed for GitHub OIDC token if publish_results is true
id-token: write id-token: write
steps: steps:
- name: "Checkout code" - name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: "Run analysis" - name: "Run analysis"
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
with: with:
results_file: results.sarif results_file: results.sarif
results_format: sarif results_format: sarif
repo_token: ${{ secrets.GITHUB_TOKEN }}
# Scorecard team runs a weekly scan of public GitHub repos, # Scorecard team runs a weekly scan of public GitHub repos,
# see https://github.com/ossf/scorecard#public-data. # see https://github.com/ossf/scorecard#public-data.
# Setting `publish_results: true` helps us scale by leveraging your workflow to # Setting `publish_results: true` helps us scale by leveraging your workflow to
@ -37,16 +38,19 @@ jobs:
# And it's free for you! # And it's free for you!
publish_results: true publish_results: true
# Upload the results as artifacts (optional). Commenting out will disable
# uploads of run results in SARIF format to the repository Actions tab.
# https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
# Optional.
- name: "Upload artifact" - name: "Upload artifact"
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v3 uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with: with:
name: SARIF file name: SARIF file
path: results.sarif path: results.sarif
retention-days: 5 retention-days: 5
- name: "Upload SARIF results" # Upload the results to GitHub's code scanning dashboard (optional).
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v1 # Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@83a02f7883b12e0e4e1a146174f5e2292a01e601 # v2.16.4
with: with:
sarif_file: results.sarif sarif_file: results.sarif