external-secrets/.github/workflows/scorecard.yml

name: Scorecard supply-chain security
on:
  branch_protection_rule:
  schedule:
    - cron: '27 2 * * 3'
  push:
    branches: [ "main" ]

permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write

    steps:
      - name: "Checkout code"
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
        with:
          sarif_file: results.sarif
Create OSSF scorecard job (#3032) * Create scorecard.yml Adds a scorecard workflow to regularly check the repo. See docs: https://github.com/marketplace/actions/ossf-scorecard-action#scorecard-badge Signed-off-by: Moritz Johner <moolen@users.noreply.github.com> 2024-01-18 20:03:07 +00:00			`name: Scorecard supply-chain security`
			`on:`
			`branch_protection_rule:`
			`schedule:`
			`- cron: '27 2 * * 3'`
			`push:`
			`branches: [ "main" ]`

			`permissions: read-all`

			`jobs:`
			`analysis:`
			`name: Scorecard analysis`
			`runs-on: ubuntu-latest`
			`permissions:`
			`# Needed to upload the results to code-scanning dashboard.`
			`security-events: write`
			`# Needed to publish results and get a badge (see publish_results below).`
			`id-token: write`

			`steps:`
			`- name: "Checkout code"`
chore(deps): bump actions/checkout from 4.2.1 to 4.2.2 (#4045) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.1 to 4.2.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871...11bd71901bbe5b1630ceea73d27597364c9af683) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> 2024-10-29 08:45:25 +00:00			`uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`
Create OSSF scorecard job (#3032) * Create scorecard.yml Adds a scorecard workflow to regularly check the repo. See docs: https://github.com/marketplace/actions/ossf-scorecard-action#scorecard-badge Signed-off-by: Moritz Johner <moolen@users.noreply.github.com> 2024-01-18 20:03:07 +00:00			`with:`
			`persist-credentials: false`

			`- name: "Run analysis"`
chore(deps): bump ossf/scorecard-action from 2.3.3 to 2.4.0 (#3727) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.3 to 2.4.0. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/dc50aa9510b46c811795eb24b2f1ba02a914e534...62b2cac7ed8198b15735ed49ab1e5cf35480ba46) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2024-07-29 08:24:31 +00:00			`uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0`
Create OSSF scorecard job (#3032) * Create scorecard.yml Adds a scorecard workflow to regularly check the repo. See docs: https://github.com/marketplace/actions/ossf-scorecard-action#scorecard-badge Signed-off-by: Moritz Johner <moolen@users.noreply.github.com> 2024-01-18 20:03:07 +00:00			`with:`
			`results_file: results.sarif`
			`results_format: sarif`
			`publish_results: true`

			`# Upload the results to GitHub's code scanning dashboard.`
			`- name: "Upload to code-scanning"`
chore(deps): bump github/codeql-action from 3.27.5 to 3.27.6 (#4188) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.5 to 3.27.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/f09c1c0a94de965c15400f5634aa42fac8fb8f88...aa578102511db1f4524ed59b8cc2bae4f6e88195) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2024-12-09 09:52:42 +00:00			`uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6`
Create OSSF scorecard job (#3032) * Create scorecard.yml Adds a scorecard workflow to regularly check the repo. See docs: https://github.com/marketplace/actions/ossf-scorecard-action#scorecard-badge Signed-off-by: Moritz Johner <moolen@users.noreply.github.com> 2024-01-18 20:03:07 +00:00			`with:`
			`sarif_file: results.sarif`