puppeteer/.github/workflows/scorecards-analysis.yml

name: Scorecards supply-chain security
on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    - cron: '23 8 * * 6'
  push:
    branches: [main]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      actions: read
      contents: read

    steps:
      - name: 'Checkout code'
        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
        with:
          persist-credentials: false

      - name: 'Run analysis'
        uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.2
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
          # Publish the results to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          publish_results: true

      # Upload the results as artifacts (optional).
      - name: 'Upload artifact'
        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub’s code scanning dashboard.
      - name: 'Upload to code-scanning'
        uses: github/codeql-action/upload-sarif@d39d5d5c9707b926d517b1b292905ef4c03aa777 # v1.0.26
        with:
          sarif_file: results.sarif
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								name: Scorecards supply-chain security
 								on:
 								  # Only the default branch is supported.
 								  branch_protection_rule:
 								  schedule:
 								    - cron: '23 8 * * 6'
 								  push:
-												chore: update prettier globs and format files (#7856)

* chore: update prettier globs and format files

* fix: remove reference to Markdownlint
											
										
										
											2022-02-11 19:29:43 +00:00
+								    branches: [main]
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
 								# Declare default permissions as read only.
 								permissions: read-all
 								jobs:
 								  analysis:
 								    name: Scorecards analysis
 								    runs-on: ubuntu-latest
 								    permissions:
 								      # Needed to upload the results to code-scanning dashboard.
 								      security-events: write
 								      actions: read
 								      contents: read
 								    steps:
-												chore: update prettier globs and format files (#7856)

* chore: update prettier globs and format files

* fix: remove reference to Markdownlint
											
										
										
											2022-02-11 19:29:43 +00:00
+								      - name: 'Checkout code'
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
 								        with:
 								          persist-credentials: false
-												chore: update prettier globs and format files (#7856)

* chore: update prettier globs and format files

* fix: remove reference to Markdownlint
											
										
										
											2022-02-11 19:29:43 +00:00
+								      - name: 'Run analysis'
-												chore(deps): bump ossf/scorecard-action from 1.0.3 to 1.0.4 (#8035)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 1.0.3 to 1.0.4.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Commits](https://github.com/ossf/scorecard-action/compare/b614d455ee90608b5e36e3299cd50d457eb37d5f...c1aec4ac820532bab364f02a81873c555a0ba3a1)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
											
										
										
											2022-02-18 07:57:09 +00:00
+								        uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.2
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								        with:
 								          results_file: results.sarif
 								          results_format: sarif
 								          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
 								          # Publish the results to enable scorecard badges. For more details, see
 								          # https://github.com/ossf/scorecard-action#publishing-results.
 								          publish_results: true
 								      # Upload the results as artifacts (optional).
-												chore: update prettier globs and format files (#7856)

* chore: update prettier globs and format files

* fix: remove reference to Markdownlint
											
										
										
											2022-02-11 19:29:43 +00:00
+								      - name: 'Upload artifact'
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
 								        with:
 								          name: SARIF file
 								          path: results.sarif
 								          retention-days: 5
 								      # Upload the results to GitHub’s code scanning dashboard.
-												chore: update prettier globs and format files (#7856)

* chore: update prettier globs and format files

* fix: remove reference to Markdownlint
											
										
										
											2022-02-11 19:29:43 +00:00
+								      - name: 'Upload to code-scanning'
-												chore(deps): bump github/codeql-action from 1.1.0 to 1.1.2 (#8034)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.1.0 to 1.1.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/474bbf07f9247ffe1856c6a0f94aeeb10e7afee6...d39d5d5c9707b926d517b1b292905ef4c03aa777)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
											
										
										
											2022-02-18 08:21:36 +00:00
+								        uses: github/codeql-action/upload-sarif@d39d5d5c9707b926d517b1b292905ef4c03aa777 # v1.0.26
-												chore: set up ossf/scorecard-action (#7953)


											
										
										
											2022-02-01 08:55:58 +00:00
+								        with:
 								          sarif_file: results.sarif