Skip to content
Snippets Groups Projects
Select Git revision
  • dev
  • gh-pages
  • v1.5.7-kernel-cherrypicks
  • dependabot/github_actions/github/codeql-action-3.28.11
  • xxh083
  • dependabot/github_actions/ossf/scorecard-action-2.4.1
  • dependabot/github_actions/github/codeql-action-3.28.10
  • auto_win_binaries
  • man157
  • win_artifacts
  • bench_157
  • faster_clang-msan-testzstd
  • release default
  • ga_harden
  • changelog157
  • rip-ubuntu20
  • stronger_patchfrom
  • lessChainBreak
  • lmax
  • autoultra
  • v1.5.7-kernel
  • v1.5.7
  • v1.5.6
  • v1.5.5-kernel
  • v1.5.5
  • v1.5.4
  • v1.5.2-kernel
  • v1.4.10
  • v1.5.2
  • v1.5.1
  • v1.5.0
  • v1.4.9
  • v1.4.8
  • v1.4.7
  • v1.4.5
  • v1.4.4
  • v1.4.3
  • v1.4.2
  • v1.4.1
  • v1.4.0
40 results
Blame History Permalink
scorecards.yml 2.40 KiB 
name: Scorecards supply-chain security
on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    - cron: '22 21 * * 2'
  push:
    # TODO: Add release branch when supported?
    branches: [ "dev" ]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    if: github.repository == 'facebook/zstd'
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Used to receive a badge.
      id-token: write
      # Needs for private repositories.
      contents: read
      actions: read

    steps:
      - name: "Checkout code"
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v3
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # tag=v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecards on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}

          # Publish the results for public repositories to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories, `publish_results` will automatically be set to `false`, regardless
          # of the value entered here.
          publish_results: true

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # tag=v4.3.1
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # tag=v3.28.10
        with:
          sarif_file: results.sarif