diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
new file mode 100644
index 0000000000000..8c8ae81a329ac
--- /dev/null
+++ b/.github/workflows/scorecard-analysis.yml
@@ -0,0 +1,35 @@
+name: Scorecard Analysis
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+permissions: read-all
+
+jobs:
+  scorecard-analysis:
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed for SARIF scanning upload.
+      security-events: write
+      # Needed for GitHub OIDC token if `publish_results` is true.
+      id-token: write
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Run Analysis
+        uses: ossf/scorecard-action@v2.3.3
+        with:
+          results_file: ossf-results.sarif
+          results_format: sarif
+          publish_results: true
+      - name: Upload Code Scanning Results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ossf-results.sarif
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index 253a836d30493..c76a98d65ebae 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -114,25 +114,3 @@ jobs:
         run: |
           pip install --user reuse
           ~/.local/bin/reuse lint
-  scorecard-analysis:
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed for SARIF scanning upload.
-      security-events: write
-      # Needed for GitHub OIDC token if `publish_results` is true.
-      id-token: write
-    steps:
-      - name: Checkout Repository
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: Run Analysis
-        uses: ossf/scorecard-action@v2.3.3
-        with:
-          results_file: ossf-results.sarif
-          results_format: sarif
-          publish_results: true
-      - name: Upload Code Scanning Results
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: ossf-results.sarif
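Review bot: The three `uses:` references in the new workflow (`actions/checkout@v4`, `ossf/scorecard-action@v2.3.3`, `github/codeql-action/upload-sarif@v3`) are pinned to mutable tags rather than full commit SHAs, so Scorecard's own Pinned-Dependencies check will score this workflow down, and a moved tag would silently change what runs with `security-events: write` and `id-token: write` granted. Pin each step to the release's commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<commit-sha-of-v4>  # v4` (placeholder — take the SHA from the upstream release), and do the same for the scorecard and upload-sarif steps. The triggers are only `pull_request` and `push` to `main` with no `schedule`; as far as I recall scorecard-action's `publish_results` is meant for push/scheduled runs on the default branch and fork pull requests receive no OIDC token, so a weekly `schedule:` entry is worth adding and confirming against the action's documentation. `persist-credentials: false` on the checkout is correct for a read-only analysis job. The second hunk only removes the same job from static-analysis.yml and needs no further comment.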