puppeteer/.github/workflows/scorecards-analysis.yml

name: Scorecards supply-chain security

on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    - cron: '23 8 * * 6'
  push:
    branches: [main]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      actions: read
      contents: read
      # Needed to access OIDC token.
      id-token: write

    steps:
      - name: Check out repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          persist-credentials: false

      - name: 'Run analysis'
        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
          # Publish the results to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          publish_results: true

      # Upload the results as artifacts (optional).
      - name: 'Upload artifact'
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub’s code scanning dashboard.
      - name: 'Upload to code-scanning'
        uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
        with:
          sarif_file: results.sarif
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								name: Scorecards supply-chain security
-												chore: rename actions

											
										
										
											2022-05-31 12:55:46 +00:00
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								on:
 								  # Only the default branch is supported.
 								  branch_protection_rule:
 								  schedule:
 								    - cron: '23 8 * * 6'
 								  push:
-												chore: update prettier globs and format files (#7856)

* chore: update prettier globs and format files

* fix: remove reference to Markdownlint
											
										
										
											2022-02-11 19:29:43 +00:00
+								    branches: [main]
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
 								# Declare default permissions as read only.
 								permissions: read-all
 								jobs:
 								  analysis:
 								    name: Scorecards analysis
 								    runs-on: ubuntu-latest
 								    permissions:
 								      # Needed to upload the results to code-scanning dashboard.
 								      security-events: write
 								      actions: read
 								      contents: read
-												chore: add id-token permissions to scorecard-action (#8971)

See ossf/scorecard-action#900

Example failure with scorecard-action@2 https://github.com/puppeteer/puppeteer/actions/runs/3066712334/jobs/4952194627
											
										
										
											2022-09-19 06:24:16 +00:00
+								      # Needed to access OIDC token.
 								      id-token: write
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
 								    steps:
-												chore: pin checkout action (#9069)


											
										
										
											2022-10-06 10:44:45 +00:00
+								      - name: Check out repository
-												chore(deps): Bump the all group with 1 update (#11187)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
											
										
										
											2023-10-19 09:46:32 +00:00
+								        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								        with:
 								          persist-credentials: false
-												chore: update prettier globs and format files (#7856)

* chore: update prettier globs and format files

* fix: remove reference to Markdownlint
											
										
										
											2022-02-11 19:29:43 +00:00
+								      - name: 'Run analysis'
-												chore(deps): Bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#11096)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
											
										
										
											2023-10-09 06:56:39 +00:00
+								        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								        with:
 								          results_file: results.sarif
 								          results_format: sarif
 								          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
 								          # Publish the results to enable scorecard badges. For more details, see
 								          # https://github.com/ossf/scorecard-action#publishing-results.
 								          publish_results: true
 								      # Upload the results as artifacts (optional).
-												chore: update prettier globs and format files (#7856)

* chore: update prettier globs and format files

* fix: remove reference to Markdownlint
											
										
										
											2022-02-11 19:29:43 +00:00
+								      - name: 'Upload artifact'
-												chore(deps): Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#10875)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
											
										
										
											2023-09-13 08:23:15 +00:00
+								        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								        with:
 								          name: SARIF file
 								          path: results.sarif
 								          retention-days: 5
 								      # Upload the results to GitHub’s code scanning dashboard.
-												chore: update prettier globs and format files (#7856)

* chore: update prettier globs and format files

* fix: remove reference to Markdownlint
											
										
										
											2022-02-11 19:29:43 +00:00
+								      - name: 'Upload to code-scanning'
-												chore(deps): Bump the all group with 1 update (#11221)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
											
										
										
											2023-10-23 07:49:44 +00:00
+								        uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								        with:
 								          sarif_file: results.sarif