首页 发现 帮助
登录
zhang_STEM
/
video-pc
2
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
分支: master
分支列表 标签列表
video-pc
/
libs
/
fmt
/
.github
/
workflows
/
scorecard.yml

scorecard.yml 2.6 KB
永久链接 文件历史 原始文件

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465 
  1. # This workflow uses actions that are not certified by GitHub. They are provided
    2. 

  2. # by a third-party and are governed by separate terms of service, privacy
    3. 

  3. # policy, and support documentation.
    4. 

  4. 

  5. name: Scorecard supply-chain security
    6. 

  6. on:
    7. 

  7.   # For Branch-Protection check. Only the default branch is supported. See
    8. 

  8.   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
    9. 

  9.   branch_protection_rule:
    10. 

  10.   # To guarantee Maintained check is occasionally updated. See
    11. 

  11.   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
    12. 

  12.   schedule:
    13. 

  13.     - cron: '26 14 * * 5'
    14. 

  14.   push:
    15. 

  15.     branches: [ "master" ]
    16. 

  16. 

  17. # Declare default permissions as read only.
    18. 

  18. permissions: read-all
    19. 

  19. 

  20. jobs:
    21. 

  21.   analysis:
    22. 

  22.     name: Scorecard analysis
    23. 

  23.     runs-on: ubuntu-latest
    24. 

  24.     permissions:
    25. 

  25.       # Needed to upload the results to code-scanning dashboard.
    26. 

  26.       security-events: write
    27. 

  27.       # Needed to publish results and get a badge (see publish_results below).
    28. 

  28.       id-token: write
    29. 

  29. 

  30.     steps:
    31. 

  31.       - name: "Checkout code"
    32. 

  32.         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
    33. 

  33.         with:
    34. 

  34.           persist-credentials: false
    35. 

  35. 

  36.       - name: "Run analysis"
    37. 

  37.         uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
    38. 

  38.         with:
    39. 

  39.           results_file: results.sarif
    40. 

  40.           results_format: sarif
    41. 

  41.           # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
    42. 

  42.           # - you want to enable the Branch-Protection check on a *public* repository, or
    43. 

  43.           # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
    44. 

  44.           # repo_token: ${{ secrets.SCORECARD_TOKEN }}
    45. 

  45. 

  46.           # Public repositories:
    47. 

  47.           #   - Publish results to OpenSSF REST API for easy access by consumers
    48. 

  48.           #   - Allows the repository to include the Scorecard badge.
    49. 

  49.           #   - See https://github.com/ossf/scorecard-action#publishing-results.
    50. 

  50.           publish_results: true
    51. 

  51. 

  52.       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
    53. 

  53.       # format to the repository Actions tab.
    54. 

  54.       - name: "Upload artifact"
    55. 

  55.         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
    56. 

  56.         with:
    57. 

  57.           name: SARIF file
    58. 

  58.           path: results.sarif
    59. 

  59.           retention-days: 5
    60. 

  60. 

  61.       # Upload the results to GitHub's code scanning dashboard.
    62. 

  62.       - name: "Upload to code-scanning"
    63. 

  63.         uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
    64. 

  64.         with:
    65. 

  65.           sarif_file: results.sarif
    66.