-
Notifications
You must be signed in to change notification settings - Fork 314
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci(github): Move Scorecard analysis to a separate workflow
The Scorecard action does not work properly with workflows that define global environment variables [1], so move the job to its own workflow. [1]: https://github.com/ossf/scorecard-action#workflow-restrictions Signed-off-by: Sebastian Schuberth <[email protected]>
- Loading branch information
1 parent
f545e5e
commit 401e1e1
Showing
2 changed files
with
33 additions
and
22 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| name: Scorecard Analysis | ||
|
Check failure Code scanning / Scorecard Token-Permissions High
score is 0: no topLevel permission defined
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow. Tick the 'Restrict permissions for GITHUB_TOKEN' Untick other options NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. Click Remediation section below for further remediation help |
||
|
|
||
| on: | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| push: | ||
| branches: | ||
| - main | ||
|
|
||
| jobs: | ||
| scorecard-analysis: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| # Needed for SARIF scanning upload. | ||
| security-events: write | ||
| # Needed for GitHub OIDC token if `publish_results` is true. | ||
| id-token: write | ||
| steps: | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 | ||
|
Check warning Code scanning / Scorecard Pinned-Dependencies Medium
score is 0: GitHub-owned GitHubAction not pinned by hash
Click Remediation section below to solve this issue |
||
| with: | ||
| persist-credentials: false | ||
| - name: Run Analysis | ||
| uses: ossf/[email protected] | ||
|
Check warning Code scanning / Scorecard Pinned-Dependencies Medium
score is 0: third-party GitHubAction not pinned by hash
Click Remediation section below to solve this issue |
||
| with: | ||
| results_file: ossf-results.sarif | ||
| results_format: sarif | ||
| publish_results: true | ||
| - name: Upload Code Scanning Results | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
|
Check warning Code scanning / Scorecard Pinned-Dependencies Medium
score is 0: GitHub-owned GitHubAction not pinned by hash
Click Remediation section below to solve this issue |
||
| with: | ||
| sarif_file: ossf-results.sarif | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -114,25 +114,3 @@ jobs: | |
| run: | | ||
| pip install --user reuse | ||
| ~/.local/bin/reuse lint | ||
| scorecard-analysis: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| # Needed for SARIF scanning upload. | ||
| security-events: write | ||
| # Needed for GitHub OIDC token if `publish_results` is true. | ||
| id-token: write | ||
| steps: | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| persist-credentials: false | ||
| - name: Run Analysis | ||
| uses: ossf/[email protected] | ||
| with: | ||
| results_file: ossf-results.sarif | ||
| results_format: sarif | ||
| publish_results: true | ||
| - name: Upload Code Scanning Results | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: ossf-results.sarif | ||