.github/.github/workflows/job-ossf-scorecard.yml at 34ebe28585ae1a83393c797b5cd47e1ebdd9283a · platform-mesh/.github · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
name: OpenSSF Scorecard analysis workflow
on:
  workflow_call:

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed for Code scanning upload
      security-events: write
      # Needed for GitHub OIDC token if publish_results is true
      id-token: write
      # Needed to read repo contents during analysis
      contents: read
      # Needed by Scorecard to read workflow run metadata
      actions: read

    steps:
      - name: "Checkout code"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: "Run OpenSSF Scorecard analysis"
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: ossf-scorecard-results.sarif
          results_format: sarif
          publish_results: true
          # Results will be published to: https://scorecard.dev/viewer/?uri=github.com/platform-mesh/REPO_NAME

      # Upload the results to GitHub's code scanning dashboard .
      - name: "Upload OpenSSF results to code-scanning dashboard"
        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          sarif_file: ossf-scorecard-results.sarif