|
1 | | -# Summary: workflow for OSSF Scorecard (https://github.com/ossf/scorecard). |
| 1 | +# Copyright 2026 Google LLC |
2 | 2 | # |
3 | | -# Scorecard is an automated tool that assesses a number of important heuristics |
4 | | -# associated with software security and assigns each check a score of 0-10. The |
5 | | -# use of Scorecard is suggested in Google's internal GitHub guidance |
6 | | -# (go/github-docs). |
| 3 | +# Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | +# you may not use this file except in compliance with the License. |
| 5 | +# You may obtain a copy of the License at |
7 | 6 | # |
8 | | -# Scorecard creates a report page at the following URL (for a repo ORG/REPO): |
9 | | -# https://scorecard.dev/viewer/?uri=github.com/ORG/REPO |
10 | | -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 7 | +# https://www.apache.org/licenses/LICENSE-2.0 |
| 8 | +# |
| 9 | +# Unless required by applicable law or agreed to in writing, software |
| 10 | +# distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | +# See the License for the specific language governing permissions and |
| 13 | +# limitations under the License. |
| 14 | + |
| 15 | +name: Scorecard analysis |
| 16 | +run-name: Run Scorecard scanner for security best practices |
11 | 17 |
|
12 | | -name: Scorecard code scan |
13 | | -run-name: Run Scorecard code scan |
| 18 | +# Scorecard (https://github.com/ossf/scorecard) is a repository-scanning tool |
| 19 | +# that evaluates a project's security practices. Its use is suggested by |
| 20 | +# Google's GitHub team. Scorecard's findings are reported in a repo's scanning |
| 21 | +# results page, https://github.com/quantumlib/REPO/security/code-scanning/. |
14 | 22 |
|
15 | 23 | on: |
16 | 24 | schedule: |
17 | 25 | - cron: '19 20 * * 6' |
18 | | - |
19 | | - # Allow manual invocation. |
20 | 26 | workflow_dispatch: |
21 | 27 |
|
22 | | -# Declare default permissions as read only. |
23 | 28 | permissions: read-all |
24 | 29 |
|
25 | | -# Cancel any previously-started but still active runs on the same branch. |
26 | 30 | concurrency: |
27 | 31 | cancel-in-progress: true |
28 | 32 | group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}} |
29 | 33 |
|
30 | 34 | jobs: |
31 | | - scorecard: |
32 | | - name: Perform Scorecard analysis |
33 | | - runs-on: ubuntu-22.04 |
34 | | - timeout-minutes: 10 |
| 35 | + run-scorecard: |
| 36 | + # Skip fork PRs to avoid "Analysis configuration not found" errors. |
| 37 | + if: >- |
| 38 | + github.repository_owner == 'quantumlib' && |
| 39 | + (github.event_name != 'pull_request' || |
| 40 | + github.event.pull_request.head.repo.fork == false) |
| 41 | + name: Scorecard analyzer |
| 42 | + runs-on: ubuntu-24.04 |
35 | 43 | permissions: |
36 | | - # Needed to upload the results to the code-scanning dashboard. |
37 | 44 | security-events: write |
38 | | - # Needed to publish results and get a badge (see publish_results below). |
39 | 45 | id-token: write |
| 46 | + timeout-minutes: 15 |
40 | 47 | steps: |
41 | 48 | - name: Check out a copy of the git repository |
42 | | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
| 49 | + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
43 | 50 | with: |
44 | 51 | persist-credentials: false |
45 | 52 |
|
46 | 53 | - name: Run Scorecard analysis |
47 | | - uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 |
| 54 | + # yamllint disable rule:line-length |
| 55 | + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 |
48 | 56 | with: |
49 | | - # Save the results |
50 | | - results_file: results.sarif |
| 57 | + results_file: scorecard-results.sarif |
51 | 58 | results_format: sarif |
52 | | - |
53 | | - # Publish results to OpenSSF REST API. |
54 | | - # See https://github.com/ossf/scorecard-action#publishing-results. |
55 | 59 | publish_results: true |
56 | 60 |
|
57 | 61 | - name: Upload results to code-scanning dashboard |
58 | | - uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3 |
| 62 | + # yamllint disable rule:line-length |
| 63 | + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 |
59 | 64 | with: |
60 | | - sarif_file: results.sarif |
| 65 | + sarif_file: scorecard-results.sarif |
| 66 | + |
| 67 | + # Scorecard doesn't allow submissions from jobs having steps that use "run:". |
| 68 | + # Printing a summary needs to use "run:", so we have to use a separate job. |
| 69 | + write-summary: |
| 70 | + name: Scorecard results |
| 71 | + needs: run-scorecard |
| 72 | + runs-on: ubuntu-slim |
| 73 | + timeout-minutes: 5 |
| 74 | + steps: |
| 75 | + - name: Write the Scorecard report page link to the workflow summary |
| 76 | + run: | |
| 77 | + repo="${{github.repository}}" |
| 78 | + url="https://scorecard.dev/viewer/?uri=github.com/${repo}" |
| 79 | + { |
| 80 | + echo -n "The results are available on the OpenSSF Scorecard " |
| 81 | + echo "[report page for ${{github.repository}}]($url)." |
| 82 | + } >> "$GITHUB_STEP_SUMMARY" |
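Review bot: The two `# yamllint disable rule:line-length` comments placed above the `uses:` lines of the "Run Scorecard analysis" and "Upload results" steps are block-level directives that turn the rule off for the remainder of the file, so the second one is redundant and every line after the first is exempt; the per-line form `# yamllint disable-line rule:line-length` on each long `uses:` line keeps the exemption scoped to the pinned-action lines that actually need it. In the `write-summary` job's `run:` block, `${{github.repository}}` is expanded into the shell text twice, once into `repo` and again inside the `echo`, which is inconsistent and is the pattern actionlint/zizmor flag as expression injection even though this particular context is low risk; routing it through `env:` (`env:` / `REPO: ${{ github.repository }}` on the step, then `repo="$REPO"` in the script and `${repo}` in the echo) keeps expressions out of the script body entirely. The `if:` on `run-scorecard` guards against `pull_request` events, but the `on:` block above lists only `schedule` and `workflow_dispatch`, so the fork-PR comment appears to describe a case that cannot occur with these triggers; if that trigger list is intentional, the condition could be reduced to the `github.repository_owner == 'quantumlib'` check, or the comment reworded to say it is defensive in case `pull_request` is added later.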