error-prone-support/.github/workflows/openssf-scorecard.yml

# Analyzes the code base and GitHub project configuration for adherence to
# security best practices for open source software. Identified issues are
# registered with GitHub's code scanning dashboard. When a pull request is
# analyzed, any offending lines are annotated. See
# https://securityscorecards.dev for details.
name: OpenSSF Scorecard update
on:
  pull_request:
  push:
    branches: [ master ]
  schedule:
    - cron: '0 4 * * 1'
permissions:
  contents: read
jobs:
  analyze:
    permissions:
      contents: read
      security-events: write
      id-token: write
    runs-on: ubuntu-24.04
    steps:
      - name: Install Harden-Runner
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.deps.dev:443
            api.github.com:443
            api.osv.dev:443
            api.scorecard.dev:443
            api.securityscorecards.dev:443
            github.com:443
            index.docker.io:443
            oss-fuzz-build-logs.storage.googleapis.com:443
            repo.maven.apache.org:443
            *.sigstore.dev:443
            www.bestpractices.dev:443
      - name: Check out code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: Run OpenSSF Scorecard analysis
        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: ${{ github.ref == 'refs/heads/master' }}
      - name: Update GitHub's code scanning dashboard
        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
        with:
          sarif_file: results.sarif