mirror of
https://github.com/jlengrand/error-prone-support.git
synced 2026-03-10 08:11:25 +00:00
54 lines
1.8 KiB
YAML
54 lines
1.8 KiB
YAML
# Analyzes the code base and GitHub project configuration for adherence to
|
|
# security best practices for open source software. Identified issues are
|
|
# registered with GitHub's code scanning dashboard. When a pull request is
|
|
# analyzed, any offending lines are annotated. See
|
|
# https://securityscorecards.dev for details.
|
|
name: OpenSSF Scorecard update
|
|
on:
|
|
pull_request:
|
|
push:
|
|
branches: [ master ]
|
|
schedule:
|
|
- cron: '0 4 * * 1'
|
|
permissions:
|
|
contents: read
|
|
jobs:
|
|
analyze:
|
|
permissions:
|
|
contents: read
|
|
security-events: write
|
|
id-token: write
|
|
runs-on: ubuntu-24.04
|
|
steps:
|
|
- name: Install Harden-Runner
|
|
uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
|
|
with:
|
|
disable-sudo: true
|
|
egress-policy: block
|
|
allowed-endpoints: >
|
|
api.deps.dev:443
|
|
api.github.com:443
|
|
api.osv.dev:443
|
|
api.scorecard.dev:443
|
|
api.securityscorecards.dev:443
|
|
github.com:443
|
|
index.docker.io:443
|
|
oss-fuzz-build-logs.storage.googleapis.com:443
|
|
repo.maven.apache.org:443
|
|
*.sigstore.dev:443
|
|
www.bestpractices.dev:443
|
|
- name: Check out code
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
persist-credentials: false
|
|
- name: Run OpenSSF Scorecard analysis
|
|
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
|
|
with:
|
|
results_file: results.sarif
|
|
results_format: sarif
|
|
publish_results: ${{ github.ref == 'refs/heads/master' }}
|
|
- name: Update GitHub's code scanning dashboard
|
|
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
|
|
with:
|
|
sarif_file: results.sarif
|