SPIRV-Tools/.github/workflows/scorecard.yml

name: Scorecard supply-chain security
on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: '36 17 * * 5'
  push:
    branches: [ "main" ]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write # to upload the results to code-scanning dashboard
      id-token: write # to publish results and get a badge

    steps:
      - name: "Checkout code"
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
        with:
          results_file: results.sarif
          results_format: sarif
          # To enable Branch-Protection uncomment the `repo_token` line below
          # To create the Fine-grained PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
          publish_results: true # allows the repo to include the Scorecard badge

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
        with:
          sarif_file: results.sarif
Enable OpenSSF Scorecard and Badge (#5377) * Create scorecard.yml Signed-off-by: Joyce <joycebrum@google.com> * Update README.md Signed-off-by: Joyce <joycebrum@google.com> --------- Signed-off-by: Joyce <joycebrum@google.com> 2023-08-30 17:47:06 +00:00			`name: Scorecard supply-chain security`
			`on:`
			`# For Branch-Protection check. Only the default branch is supported. See`
			`# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection`
			`branch_protection_rule:`
			`# To guarantee Maintained check is occasionally updated. See`
			`# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained`
			`schedule:`
			`- cron: '36 17 * * 5'`
			`push:`
			`branches: [ "main" ]`

			`# Declare default permissions as read only.`
			`permissions: read-all`

			`jobs:`
			`analysis:`
			`name: Scorecard analysis`
			`runs-on: ubuntu-latest`
			`permissions:`
			`security-events: write # to upload the results to code-scanning dashboard`
			`id-token: write # to publish results and get a badge`

			`steps:`
			`- name: "Checkout code"`
build(deps): bump the github-actions group across 1 directory with 4 updates (#5734) Bumps the github-actions group with 4 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [lukka/get-cmake](https://github.com/lukka/get-cmake), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [github/codeql-action](https://github.com/github/codeql-action). Updates `actions/checkout` from 4.1.6 to 4.1.7 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/a5ac7e51b41094c92402da3b24376905380afc29...692973e3d937129bcbf40652eb9f2f61becf3332) Updates `lukka/get-cmake` from 3.29.4 to 3.30.0 - [Release notes](https://github.com/lukka/get-cmake/releases) - [Commits](https://github.com/lukka/get-cmake/compare/85652a37b177d946c9f4fad0f696b2927ee7754d...983956e4a5edce90f0dfcc38c1543077e668402b) Updates `actions/upload-artifact` from 4.3.3 to 4.3.4 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/65462800fd760344b1a7b4382951275a0abb4808...0b2256b8c012f0828dc542b3febcab082c67f72b) Updates `github/codeql-action` from 3.25.8 to 3.25.12 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/2e230e8fe0ad3a14a340ad0815ddb96d599d2aff...4fa2a7953630fd2f3fb380f21be14ede0169dd4f) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: lukka/get-cmake dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2024-07-16 00:48:59 +00:00			`uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7`
Enable OpenSSF Scorecard and Badge (#5377) * Create scorecard.yml Signed-off-by: Joyce <joycebrum@google.com> * Update README.md Signed-off-by: Joyce <joycebrum@google.com> --------- Signed-off-by: Joyce <joycebrum@google.com> 2023-08-30 17:47:06 +00:00			`with:`
			`persist-credentials: false`

			`- name: "Run analysis"`
--- (#5679) updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: lukka/get-cmake dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2024-05-21 14:09:12 +00:00			`uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3`
Enable OpenSSF Scorecard and Badge (#5377) * Create scorecard.yml Signed-off-by: Joyce <joycebrum@google.com> * Update README.md Signed-off-by: Joyce <joycebrum@google.com> --------- Signed-off-by: Joyce <joycebrum@google.com> 2023-08-30 17:47:06 +00:00			`with:`
			`results_file: results.sarif`
			`results_format: sarif`
			# To enable Branch-Protection uncomment the `repo_token` line below
			`# To create the Fine-grained PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional.`
			`# repo_token: ${{ secrets.SCORECARD_TOKEN }}`
			`publish_results: true # allows the repo to include the Scorecard badge`

			`# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF`
			`# format to the repository Actions tab.`
			`- name: "Upload artifact"`
build(deps): bump the github-actions group across 1 directory with 4 updates (#5734) Bumps the github-actions group with 4 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [lukka/get-cmake](https://github.com/lukka/get-cmake), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [github/codeql-action](https://github.com/github/codeql-action). Updates `actions/checkout` from 4.1.6 to 4.1.7 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/a5ac7e51b41094c92402da3b24376905380afc29...692973e3d937129bcbf40652eb9f2f61becf3332) Updates `lukka/get-cmake` from 3.29.4 to 3.30.0 - [Release notes](https://github.com/lukka/get-cmake/releases) - [Commits](https://github.com/lukka/get-cmake/compare/85652a37b177d946c9f4fad0f696b2927ee7754d...983956e4a5edce90f0dfcc38c1543077e668402b) Updates `actions/upload-artifact` from 4.3.3 to 4.3.4 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/65462800fd760344b1a7b4382951275a0abb4808...0b2256b8c012f0828dc542b3febcab082c67f72b) Updates `github/codeql-action` from 3.25.8 to 3.25.12 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/2e230e8fe0ad3a14a340ad0815ddb96d599d2aff...4fa2a7953630fd2f3fb380f21be14ede0169dd4f) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: lukka/get-cmake dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2024-07-16 00:48:59 +00:00			`uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4`
Enable OpenSSF Scorecard and Badge (#5377) * Create scorecard.yml Signed-off-by: Joyce <joycebrum@google.com> * Update README.md Signed-off-by: Joyce <joycebrum@google.com> --------- Signed-off-by: Joyce <joycebrum@google.com> 2023-08-30 17:47:06 +00:00			`with:`
			`name: SARIF file`
			`path: results.sarif`
			`retention-days: 5`

			`# Upload the results to GitHub's code scanning dashboard.`
			`- name: "Upload to code-scanning"`
build(deps): bump the github-actions group with 2 updates (#5744) Bumps the github-actions group with 2 updates: [lukka/get-cmake](https://github.com/lukka/get-cmake) and [github/codeql-action](https://github.com/github/codeql-action). Updates `lukka/get-cmake` from 3.30.0 to 3.30.1 - [Release notes](https://github.com/lukka/get-cmake/releases) - [Commits](https://github.com/lukka/get-cmake/compare/983956e4a5edce90f0dfcc38c1543077e668402b...34181361be075620f7c3871daa1cadb92d9a903e) Updates `github/codeql-action` from 3.25.12 to 3.25.13 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/4fa2a7953630fd2f3fb380f21be14ede0169dd4f...2d790406f505036ef40ecba973cc774a50395aac) --- updated-dependencies: - dependency-name: lukka/get-cmake dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2024-07-22 13:34:13 +00:00			`uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13`
Enable OpenSSF Scorecard and Badge (#5377) * Create scorecard.yml Signed-off-by: Joyce <joycebrum@google.com> * Update README.md Signed-off-by: Joyce <joycebrum@google.com> --------- Signed-off-by: Joyce <joycebrum@google.com> 2023-08-30 17:47:06 +00:00			`with:`
			`sarif_file: results.sarif`