brintos

brintos / llvm-project-archived public Read only

0
0
Text · 2.3 KiB · 95aa8b5 Raw
63 lines · yaml
1# This workflow uses actions that are not certified by GitHub. They are provided2# by a third-party and are governed by separate terms of service, privacy3# policy, and support documentation.4 5# Check current LLVM-Project results here: https://securityscorecards.dev/viewer/?uri=github.com/llvm/llvm-project6 7name: Scorecard supply-chain security8on:9  # For Branch-Protection check. Only the default branch is supported. See10  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection11  branch_protection_rule:12  # To guarantee Maintained check is occasionally updated. See13  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained14  schedule:15    - cron: '38 20 * * *'16 17# Declare default permissions as read only.18permissions:19  contents: read20 21jobs:22  analysis:23    name: Scorecard analysis24    runs-on: ubuntu-24.0425    if: github.repository == 'llvm/llvm-project'26    permissions:27      # Needed to upload the results to code-scanning dashboard.28      security-events: write29      # Needed to publish results and get a badge (see publish_results below).30      id-token: write      31 32    steps:33      - name: "Checkout code"34        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.035        with:36          persist-credentials: false37 38      - name: "Run analysis"39        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.340        with:41          results_file: results.sarif42          results_format: sarif43 44          #   - Publish results to OpenSSF REST API for easy access by consumers45          #   - Allows the repository to include the Scorecard badge.46          #   - See https://github.com/ossf/scorecard-action#publishing-results.      47          publish_results: true48 49      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF50      # format to the repository Actions tab.51      - name: "Upload artifact"52        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.053        with:54          name: SARIF file55          path: results.sarif56          retention-days: 557 58      # Upload the results to GitHub's code scanning dashboard.59      - name: "Upload to code-scanning"60        uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.561        with:62          sarif_file: results.sarif63