🌱 polish scorecard workflow for use as example workflow (#3969)
This updates the version comments, adds some explanatory comments, and generally makes it better. The intent is to use this file as an example for the Scorecard Action repo so it remains up-to-date. Signed-off-by: Spencer Schrock <sschrock@google.com>
This commit is contained in:
parent
5b0ae81d49
commit
e780e089f5
18
.github/workflows/scorecard-analysis.yml
vendored
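--- a/.github/workflows/scorecard-analysis.yml
+++ b/.github/workflows/scorecard-analysis.yml
@@ -7,8 +7,6 @@ on:
   schedule:
     # Weekly on Saturdays.
     - cron: '30 1 * * 6'
-  # pull_request:
-  # branches: [main]
 
 permissions: read-all
 
@@ -17,19 +15,22 @@ jobs:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
+      # Needed for Code scanning upload
       security-events: write
+      # Needed for GitHub OIDC token if publish_results is true
       id-token: write
 
     steps:
       - name: "Checkout code"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
 
       - name: "Run analysis"
         uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
           # Scorecard team runs a weekly scan of public GitHub repos,
           # see https://github.com/ossf/scorecard#public-data.
           # Setting `publish_results: true` helps us scale by leveraging your workflow to
@@ -37,16 +38,19 @@ jobs:
           # And it's free for you!
           publish_results: true
 
+      # Upload the results as artifacts (optional). Commenting out will disable
+      # uploads of run results in SARIF format to the repository Actions tab.
       # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
-      # Optional.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v3
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
-      - name: "Upload SARIF results"
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v1
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@83a02f7883b12e0e4e1a146174f5e2292a01e601 # v2.16.4
         with:
           sarif_file: results.sarif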
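Review bot: The version comment on the `actions/upload-artifact` pin in the third hunk changes from `# v3` to `# v4.3.1` while the SHA `5d5d22a31266ced268874388b861e4b58bb5c2f3` itself is unchanged, so at least one of the two comments is wrong for that hash; since this file is meant to be copied verbatim as an example, confirm which tag the SHA resolves to before merging, because the trailing comment is what reviewers and update tooling use to judge a pinned action and a stale one defeats the point of pinning. The new `persist-credentials: false` on the checkout step and the explanatory comments on `security-events: write` / `id-token: write` are the parts worth keeping as-is: they document why each elevated permission exists, which is the habit an example workflow should model. One wording nit on the added comment `# Commenting out will disable upload of results to your repo's Code Scanning dashboard`: it is the only added comment without a trailing period and is the longest line in the file; consider `# Commenting out will disable upload of results to your repo's Code Scanning dashboard.` so the pair matches the artifact-upload comment above it.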