-
Notifications
You must be signed in to change notification settings - Fork 314
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci(github): Move Scorecard analysis to a separate workflow
The Scorecard action does not work properly with workflows that define global environment variables [1], so move the job to its own workflow. [1]: https://github.com/ossf/scorecard-action#workflow-restrictions Signed-off-by: Sebastian Schuberth <[email protected]>
- Loading branch information
1 parent
f545e5e
commit 598efb8
Showing
2 changed files
with
35 additions
and
22 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
name: Scorecard Analysis | ||
|
||
on: | ||
pull_request: | ||
branches: | ||
- main | ||
push: | ||
branches: | ||
- main | ||
|
||
permissions: read-all | ||
|
||
jobs: | ||
scorecard-analysis: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
# Needed for SARIF scanning upload. | ||
security-events: write | ||
# Needed for GitHub OIDC token if `publish_results` is true. | ||
id-token: write | ||
steps: | ||
- name: Checkout Repository | ||
uses: actions/checkout@v4 | ||
Check warning Code scanning / Scorecard Pinned-Dependencies Medium
score is 0: GitHub-owned GitHubAction not pinned by hash
Click Remediation section below to solve this issue |
||
with: | ||
persist-credentials: false | ||
- name: Run Analysis | ||
uses: ossf/[email protected] | ||
Check warning Code scanning / Scorecard Pinned-Dependencies Medium
score is 0: third-party GitHubAction not pinned by hash
Click Remediation section below to solve this issue |
||
with: | ||
results_file: ossf-results.sarif | ||
results_format: sarif | ||
publish_results: true | ||
- name: Upload Code Scanning Results | ||
uses: github/codeql-action/upload-sarif@v3 | ||
Check warning Code scanning / Scorecard Pinned-Dependencies Medium
score is 0: GitHub-owned GitHubAction not pinned by hash
Click Remediation section below to solve this issue |
||
with: | ||
sarif_file: ossf-results.sarif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -114,25 +114,3 @@ jobs: | |
run: | | ||
pip install --user reuse | ||
~/.local/bin/reuse lint | ||
scorecard-analysis: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
# Needed for SARIF scanning upload. | ||
security-events: write | ||
# Needed for GitHub OIDC token if `publish_results` is true. | ||
id-token: write | ||
steps: | ||
- name: Checkout Repository | ||
uses: actions/checkout@v4 | ||
with: | ||
persist-credentials: false | ||
- name: Run Analysis | ||
uses: ossf/[email protected] | ||
with: | ||
results_file: ossf-results.sarif | ||
results_format: sarif | ||
publish_results: true | ||
- name: Upload Code Scanning Results | ||
uses: github/codeql-action/upload-sarif@v3 | ||
with: | ||
sarif_file: ossf-results.sarif |