puppeteer/.github/workflows/scorecards-analysis.yml

name: Scorecards supply-chain security

on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    - cron: '23 8 * * 6'
  push:
    branches: [main]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      actions: read
      contents: read

    steps:
      - name: 'Checkout code'
        uses: actions/checkout@v3 # v2.4.0
        with:
          persist-credentials: false

      - name: 'Run analysis'
        uses: ossf/scorecard-action@ce330fde6b1a5c9c75b417e7efc510b822a35564 # v1.0.2
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
          # Publish the results to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          publish_results: true

      # Upload the results as artifacts (optional).
      - name: 'Upload artifact'
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v2.3.1
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub’s code scanning dashboard.
      - name: 'Upload to code-scanning'
        uses: github/codeql-action/upload-sarif@0c670bbf0414f39666df6ce8e718ec5662c21e03 # v1.0.26
        with:
          sarif_file: results.sarif
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								name: Scorecards supply-chain security
-												chore: rename actions

											
										
										
											2022-05-31 12:55:46 +00:00
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								on:
 								  # Only the default branch is supported.
 								  branch_protection_rule:
 								  schedule:
 								    - cron: '23 8 * * 6'
 								  push:
-												chore: update prettier globs and format files (#7856)

* chore: update prettier globs and format files

* fix: remove reference to Markdownlint
											
										
										
											2022-02-11 19:29:43 +00:00
+								    branches: [main]
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
 								# Declare default permissions as read only.
 								permissions: read-all
 								jobs:
 								  analysis:
 								    name: Scorecards analysis
 								    runs-on: ubuntu-latest
 								    permissions:
 								      # Needed to upload the results to code-scanning dashboard.
 								      security-events: write
 								      actions: read
 								      contents: read
 								    steps:
-												chore: update prettier globs and format files (#7856)

* chore: update prettier globs and format files

* fix: remove reference to Markdownlint
											
										
										
											2022-02-11 19:29:43 +00:00
+								      - name: 'Checkout code'
-												chore(deps): bump actions/checkout from 2 to 3 (#8089)

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
											
										
										
											2022-03-02 08:30:11 +00:00
+								        uses: actions/checkout@v3 # v2.4.0
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								        with:
 								          persist-credentials: false
-												chore: update prettier globs and format files (#7856)

* chore: update prettier globs and format files

* fix: remove reference to Markdownlint
											
										
										
											2022-02-11 19:29:43 +00:00
+								      - name: 'Run analysis'
-												chore(deps): bump ossf/scorecard-action from 1.1.1 to 1.1.2 (#8592)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 1.1.1 to 1.1.2.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](https://github.com/ossf/scorecard-action/compare/3e15ea8318eee9b333819ec77a36aca8d39df13e...ce330fde6b1a5c9c75b417e7efc510b822a35564)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
											
										
										
											2022-06-28 12:56:29 +00:00
+								        uses: ossf/scorecard-action@ce330fde6b1a5c9c75b417e7efc510b822a35564 # v1.0.2
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								        with:
 								          results_file: results.sarif
 								          results_format: sarif
 								          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
 								          # Publish the results to enable scorecard badges. For more details, see
 								          # https://github.com/ossf/scorecard-action#publishing-results.
 								          publish_results: true
 								      # Upload the results as artifacts (optional).
-												chore: update prettier globs and format files (#7856)

* chore: update prettier globs and format files

* fix: remove reference to Markdownlint
											
										
										
											2022-02-11 19:29:43 +00:00
+								      - name: 'Upload artifact'
-												chore(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0 (#8396)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/6673cd052c4cd6fcf4b4e6e60ea986c889389535...3cea5372237819ed00197afe530f5a7ea3e805c8)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
											
										
										
											2022-05-31 13:52:18 +00:00
+								        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v2.3.1
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								        with:
 								          name: SARIF file
 								          path: results.sarif
 								          retention-days: 5
 								      # Upload the results to GitHub’s code scanning dashboard.
-												chore: update prettier globs and format files (#7856)

* chore: update prettier globs and format files

* fix: remove reference to Markdownlint
											
										
										
											2022-02-11 19:29:43 +00:00
+								      - name: 'Upload to code-scanning'
-												chore(deps): bump github/codeql-action from 2.1.12 to 2.1.17 (#8709)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.12 to 2.1.17.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/27ea8f8fe5977c00f5b37e076ab846c5bd783b96...0c670bbf0414f39666df6ce8e718ec5662c21e03)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
											
										
										
											2022-08-01 13:15:34 +00:00
+								        uses: github/codeql-action/upload-sarif@0c670bbf0414f39666df6ce8e718ec5662c21e03 # v1.0.26
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								        with:
 								          sarif_file: results.sarif