63 lines · yaml
1# This workflow uses actions that are not certified by GitHub. They are provided2# by a third-party and are governed by separate terms of service, privacy3# policy, and support documentation.4 5# Check current LLVM-Project results here: https://securityscorecards.dev/viewer/?uri=github.com/llvm/llvm-project6 7name: Scorecard supply-chain security8on:9 # For Branch-Protection check. Only the default branch is supported. See10 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection11 branch_protection_rule:12 # To guarantee Maintained check is occasionally updated. See13 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained14 schedule:15 - cron: '38 20 * * *'16 17# Declare default permissions as read only.18permissions:19 contents: read20 21jobs:22 analysis:23 name: Scorecard analysis24 runs-on: ubuntu-24.0425 if: github.repository == 'llvm/llvm-project'26 permissions:27 # Needed to upload the results to code-scanning dashboard.28 security-events: write29 # Needed to publish results and get a badge (see publish_results below).30 id-token: write 31 32 steps:33 - name: "Checkout code"34 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.035 with:36 persist-credentials: false37 38 - name: "Run analysis"39 uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.340 with:41 results_file: results.sarif42 results_format: sarif43 44 # - Publish results to OpenSSF REST API for easy access by consumers45 # - Allows the repository to include the Scorecard badge.46 # - See https://github.com/ossf/scorecard-action#publishing-results. 47 publish_results: true48 49 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF50 # format to the repository Actions tab.51 - name: "Upload artifact"52 uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.053 with:54 name: SARIF file55 path: results.sarif56 retention-days: 557 58 # Upload the results to GitHub's code scanning dashboard.59 - name: "Upload to code-scanning"60 uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.561 with:62 sarif_file: results.sarif63