From 82396bd01c320f304685e0c4fe3a69852f9f162c Mon Sep 17 00:00:00 2001
From: Sebastian Schuberth
Date: Thu, 11 Jul 2024 16:20:59 +0200
Subject: [PATCH] ci(github): Move Scorecard analysis to a separate workflow

The Scorecard action does not work properly with workflows that define global environment variables [1], so move the job to its own workflow.

[1]: https://github.com/ossf/scorecard-action#workflow-restrictions

Signed-off-by: Sebastian Schuberth
---
 .github/workflows/scorecard-analysis.yml | 35 ++++++++++++++++++++++++
 .github/workflows/static-analysis.yml | 22 ---------------
 2 files changed, 35 insertions(+), 22 deletions(-)
 create mode 100644 .github/workflows/scorecard-analysis.yml

diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
new file mode 100644
index 0000000000000..8c8ae81a329ac
--- /dev/null
+++ b/.github/workflows/scorecard-analysis.yml
@@ -0,0 +1,35 @@
+name: Scorecard Analysis
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+
+permissions: read-all
+
+jobs:
+ scorecard-analysis:
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed for SARIF scanning upload.
+ security-events: write
+ # Needed for GitHub OIDC token if `publish_results` is true.
+ id-token: write
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: Run Analysis
+ uses: ossf/scorecard-action@v2.3.3
+ with:
+ results_file: ossf-results.sarif
+ results_format: sarif
+ publish_results: true
+ - name: Upload Code Scanning Results
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ossf-results.sarif
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index 253a836d30493..c76a98d65ebae 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
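Review bot: The three `uses:` references in the new workflow are pinned to mutable tags (`actions/checkout@v4`, `ossf/scorecard-action@v2.3.3`, `github/codeql-action/upload-sarif@v3`) rather than to full-length commit SHAs, which is exactly what Scorecard's own Pinned-Dependencies check flags, so this workflow lowers the score it publishes. Pinning to a commit and keeping the tag as a trailing comment preserves readability, e.g. `uses: ossf/scorecard-action@<full-commit-sha>  # v2.3.3`, and the same applies to the checkout and upload-sarif steps. Separately, the `pull_request` trigger is combined with `publish_results: true`; the upstream README linked from the commit message describes publishing for pushes to the default branch, and on pull requests from forks the job token is read-only so the `security-events: write` grant cannot take effect for the SARIF upload — worth confirming whether the PR trigger adds value here or should be dropped in favour of `push` plus a `schedule`.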
@@ -114,25 +114,3 @@ jobs:
 run: |
 pip install --user reuse
 ~/.local/bin/reuse lint
- scorecard-analysis:
- runs-on: ubuntu-latest
- permissions:
- # Needed for SARIF scanning upload.
- security-events: write
- # Needed for GitHub OIDC token if `publish_results` is true.
- id-token: write
- steps:
- - name: Checkout Repository
- uses: actions/checkout@v4
- with:
- persist-credentials: false
- - name: Run Analysis
- uses: ossf/scorecard-action@v2.3.3
- with:
- results_file: ossf-results.sarif
- results_format: sarif
- publish_results: true
- - name: Upload Code Scanning Results
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: ossf-results.sarif