# The actions referenced below are third-party and are not certified by GitHub;
# each one is governed by its own terms of service, privacy policy and support
# documentation.

name: OpenSSF Scorecard Review

on:
  # Required by the Branch-Protection check; Scorecard only evaluates the
  # default branch. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # Weekly run so the Maintained check keeps seeing recent activity. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: "20 7 * * 2"
  push:
    branches: [main]

# Workflow-wide token scope is read-only; the job below widens it only where a
# step needs more.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      # Lets the final step upload SARIF to the code-scanning dashboard.
      security-events: write
      # Lets scorecard-action obtain an OIDC token so it can publish results
      # and provide a badge (see publish_results below).
      id-token: write

    steps:
      # Every action below is pinned to a full commit SHA, which is what makes
      # the reference immutable; the trailing comment is the human-readable tag
      # that SHA corresponds to.
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          # audit records the runner's outbound network calls rather than
          # blocking them.
          egress-policy: audit

      - name: Git Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          # Do not leave the checkout token in the local git config where later
          # steps could read it.
          persist-credentials: false

      - name: Run Scorecard Analysis
        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
        with:
          results_format: sarif
          results_file: results.sarif
          publish_results: true

      # Optional: keep the SARIF output as a workflow artifact for five days.
      # Removing this step disables artifact uploads of the run results to the
      # repository's Actions tab.
      - name: Upload Artifacts
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Push the same SARIF into GitHub's code-scanning dashboard.
      - name: Upload Scan Results
        uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
        with:
          sarif_file: results.sarif