@@ -13,26 +13,50 @@ concurrency:
1313 group : ${{ github.workflow }}-${{ github.ref }}
1414 cancel-in-progress : true
1515
16- permissions :
17- contents : read
16+ permissions : read-all
1817
1918jobs :
20- scorecards :
19+ scorecard :
2120 name : OSSF Scorecards
2221 runs-on : ubuntu-latest
2322 timeout-minutes : 15
2423 permissions :
24+ actions : read
25+ checks : read
2526 contents : read
26- id-token : write
27+ issues : read
28+ pull-requests : read
2729 steps :
2830 - uses : actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
2931 with :
3032 persist-credentials : false
33+ - name : Install Scorecard CLI
34+ env :
35+ SCORECARD_VERSION : " 5.5.0"
36+ SCORECARD_SHA256 : " 83b90a05c1540ef1390db1cd5711e5fd04be9c1d8537fb84d39d02092d6a8dff"
37+ run : |
38+ set -euo pipefail
39+ archive="scorecard_${SCORECARD_VERSION}_linux_amd64.tar.gz"
40+ curl -fsSLO "https://github.com/ossf/scorecard/releases/download/v${SCORECARD_VERSION}/${archive}"
41+ echo "${SCORECARD_SHA256} ${archive}" | sha256sum -c -
42+ mkdir -p "$RUNNER_TEMP/scorecard"
43+ tar -xzf "${archive}" -C "$RUNNER_TEMP/scorecard" scorecard
44+ chmod 0755 "$RUNNER_TEMP/scorecard/scorecard"
3145 - name : Analyze
32- continue-on-error : true
33- uses : ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
46+ env :
47+ GITHUB_AUTH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
48+ ENABLE_SARIF : " true"
49+ run : |
50+ set -euo pipefail
51+ "$RUNNER_TEMP/scorecard/scorecard" \
52+ --repo="github.com/${{ github.repository }}" \
53+ --commit="${GITHUB_SHA}" \
54+ --format=sarif \
55+ --output="scorecard-results.sarif" \
56+ --show-details
57+ - name : Upload Scorecard SARIF artifact
58+ uses : actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
3459 with :
35- results_file : scorecard-results.sarif
36- results_format : sarif
37- repo_token : ${{ secrets.GITHUB_TOKEN }}
38- publish_results : true
60+ name : openssf-scorecard-sarif
61+ path : scorecard-results.sarif
62+ if-no-files-found : error
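Review bot: The Analyze step interpolates `${{ github.repository }}` straight into the shell script while every other value it uses comes from the environment; the runner already exports the same value, so `--repo="github.com/${GITHUB_REPOSITORY}"` keeps the script free of workflow expressions and consistent with the neighbouring `--commit="${GITHUB_SHA}"`. The workflow-level `permissions: read-all` also grants more than the previous `contents: read` did, even though the job-level block below already enumerates the read scopes the CLI needs, so keeping the top-level value at `contents: read` would stay closer to least privilege. The SARIF now ends its life as a workflow artifact — there is no code-scanning upload step and the old `publish_results` behaviour is gone — so a comment on the upload step such as `# Results are retained as a workflow artifact only; nothing is published to code scanning or the Scorecard API` would record that this is intentional. Finally, `SCORECARD_VERSION` and `ENABLE_SARIF` appear in this rendering with a leading space inside the quotes (`" 5.5.0"`, `" true"`); if that is in the file rather than a display artifact, the archive name and download URL built from `SCORECARD_VERSION` will be wrong and the checksum line will fail.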