github-workflows/.github/workflows/scorecard.yaml at main · Shopify/github-workflows · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# Publish an OpenSSF Scorecard
#
# This should be called on:
# - branch_protection_rule:
# - schedule: at least weekly (suggested)
# - push: to the default branch (optional)

name: Scorecard analysis workflow
on:
  workflow_call:
    secrets:
      token:
        required: true
        description: GitHub token. This can be secrets.GITHUB_TOKEN, or a fine-grained PAT granting read-only access.

permissions: {}

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    if: github.repository_visibility == 'public'
    permissions:
      contents: read
      id-token: write

    steps:
      - name: "Checkout code"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{secrets.token}}
          publish_results: true