error-prone-support/.github/workflows/openssf-scorecard.yml

# Analyzes the code base and GitHub project configuration for adherence to
# security best practices for open source software. Identified issues are
# registered with GitHub's code scanning dashboard. When a pull request is
# analyzed, any offending lines are annotated. See
# https://securityscorecards.dev for details.
name: OpenSSF Scorecard update
on:
  pull_request:
  push:
    branches: [ master ]
  schedule:
    - cron: '0 4 * * 1'
permissions:
  contents: read
jobs:
  analyze:
    permissions:
      contents: read
      security-events: write
      id-token: write
    runs-on: ubuntu-24.04
    steps:
      - name: Install Harden-Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.deps.dev:443
            api.github.com:443
            api.osv.dev:443
            api.scorecard.dev:443
            api.securityscorecards.dev:443
            github.com:443
            index.docker.io:443
            oss-fuzz-build-logs.storage.googleapis.com:443
            repo.maven.apache.org:443
            *.sigstore.dev:443
            www.bestpractices.dev:443
      - name: Check out code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: Run OpenSSF Scorecard analysis
        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: ${{ github.ref == 'refs/heads/master' }}
      - name: Update GitHub's code scanning dashboard
        uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
        with:
          sarif_file: results.sarif