name: Scorecard supply-chain security on: push: # Only the default branch is supported. branches: - main jobs: analysis: name: Scorecard analysis runs-on: ubuntu-22.04 permissions: # Needed to upload the results to code-scanning dashboard. security-events: write # Needed to publish results and get a badge (for publish_results below). id-token: write steps: - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: persist-credentials: false - name: Run analysis uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 with: results_file: results.sarif results_format: sarif publish_results: true - name: Upload artifact uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: SARIF file path: results.sarif retention-days: 5 - name: Upload to code-scanning uses: github/codeql-action/upload-sarif@3ebbd71c74ef574dbc558c82f70e52732c8b44fe # v2.2.1 with: sarif_file: results.sarif