Skip to content

Commit

Permalink
ci(github): Move Scorecard analysis to a separate workflow
Browse files Browse the repository at this point in the history
The Scorecard action does not work properly with workflows that define
global environment variables [1], so move the job to its own workflow.

[1]: https://github.com/ossf/scorecard-action#workflow-restrictions

Signed-off-by: Sebastian Schuberth <[email protected]>
  • Loading branch information
sschuberth committed Jul 11, 2024
1 parent f545e5e commit 598efb8
Show file tree
Hide file tree
Showing 2 changed files with 35 additions and 22 deletions.
35 changes: 35 additions & 0 deletions .github/workflows/scorecard-analysis.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
name: Scorecard Analysis

on:
pull_request:
branches:
- main
push:
branches:
- main

permissions: read-all

jobs:
scorecard-analysis:
runs-on: ubuntu-latest
permissions:
# Needed for SARIF scanning upload.
security-events: write
# Needed for GitHub OIDC token if `publish_results` is true.
id-token: write
steps:
- name: Checkout Repository
uses: actions/checkout@v4

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 0: GitHub-owned GitHubAction not pinned by hash
Click Remediation section below to solve this issue
with:
persist-credentials: false
- name: Run Analysis
uses: ossf/[email protected]

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 0: third-party GitHubAction not pinned by hash
Click Remediation section below to solve this issue
with:
results_file: ossf-results.sarif
results_format: sarif
publish_results: true
- name: Upload Code Scanning Results
uses: github/codeql-action/upload-sarif@v3

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 0: GitHub-owned GitHubAction not pinned by hash
Click Remediation section below to solve this issue
with:
sarif_file: ossf-results.sarif
22 changes: 0 additions & 22 deletions .github/workflows/static-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -114,25 +114,3 @@ jobs:
run: |
pip install --user reuse
~/.local/bin/reuse lint
scorecard-analysis:
runs-on: ubuntu-latest
permissions:
# Needed for SARIF scanning upload.
security-events: write
# Needed for GitHub OIDC token if `publish_results` is true.
id-token: write
steps:
- name: Checkout Repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Run Analysis
uses: ossf/[email protected]
with:
results_file: ossf-results.sarif
results_format: sarif
publish_results: true
- name: Upload Code Scanning Results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ossf-results.sarif

0 comments on commit 598efb8

Please sign in to comment.