From 598efb8151dbc7344f3c5628ce1bd06a5c8924e1 Mon Sep 17 00:00:00 2001
From: Sebastian Schuberth <sebastian@doubleopen.org>
Date: Thu, 11 Jul 2024 16:20:59 +0200
Subject: [PATCH] ci(github): Move Scorecard analysis to a separate workflow

The Scorecard action does not work properly with workflows that define
global environment variables [1], so move the job to its own workflow.

[1]: https://github.com/ossf/scorecard-action#workflow-restrictions

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
---
 .github/workflows/scorecard-analysis.yml | 35 ++++++++++++++++++++++++
 .github/workflows/static-analysis.yml    | 22 ---------------
 2 files changed, 35 insertions(+), 22 deletions(-)
 create mode 100644 .github/workflows/scorecard-analysis.yml

diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
new file mode 100644
index 0000000000000..8c8ae81a329ac
--- /dev/null
+++ b/.github/workflows/scorecard-analysis.yml
@@ -0,0 +1,35 @@
+name: Scorecard Analysis
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+permissions: read-all
+
+jobs:
+  scorecard-analysis:
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed for SARIF scanning upload.
+      security-events: write
+      # Needed for GitHub OIDC token if `publish_results` is true.
+      id-token: write
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Run Analysis
+        uses: ossf/scorecard-action@v2.3.3
+        with:
+          results_file: ossf-results.sarif
+          results_format: sarif
+          publish_results: true
+      - name: Upload Code Scanning Results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ossf-results.sarif
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index 253a836d30493..c76a98d65ebae 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -114,25 +114,3 @@ jobs:
       run: |
         pip install --user reuse
         ~/.local/bin/reuse lint
-  scorecard-analysis:
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed for SARIF scanning upload.
-      security-events: write
-      # Needed for GitHub OIDC token if `publish_results` is true.
-      id-token: write
-    steps:
-    - name: Checkout Repository
-      uses: actions/checkout@v4
-      with:
-        persist-credentials: false
-    - name: Run Analysis
-      uses: ossf/scorecard-action@v2.3.3
-      with:
-        results_file: ossf-results.sarif
-        results_format: sarif
-        publish_results: true
-    - name: Upload Code Scanning Results
-      uses: github/codeql-action/upload-sarif@v3
-      with:
-        sarif_file: ossf-results.sarif