Create scorecard.yml #2203

Merged
merged 2 commits into from
May 14, 2025

Conversation

kotakanbe
Member

@kotakanbe kotakanbe commented May 9, 2025

Add a GitHub Actions workflow (ossf/scorecard-action@v2 with a read-only PAT) to generate a complete OSSF Scorecard and resolve the Branch-Protection “?” score.
https://scorecard.dev/viewer/?uri=github.com%2Ffuture-architect%2Fvuls

Executed exactly as per the instructions in the OSSF Scorecard Action marketplace guide.
https://github.com/marketplace/actions/ossf-scorecard-action

Security enhancements:

  • Added a new workflow file .github/workflows/scorecard.yml to perform supply-chain security analysis using the OpenSSF Scorecard action. This includes checks for branch protection and maintenance updates.
  • Configured the workflow to run on the default branch and on a schedule, with permissions set to read-all by default and additional permissions for security events and ID tokens as needed.
  • Integrated steps to:
    • Checkout the repository code using actions/checkout (v4.2.2).
    • Run the Scorecard analysis using ossf/scorecard-action (v2.4.1), with support for SARIF results and optional publishing of results for public repositories.
    • Upload SARIF results as artifacts and to GitHub's code scanning dashboard for enhanced visibility.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

not tested

Checklist:

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES
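The workflow the description above lists, written out as an added example (not the file from this PR or the marketplace guide). The action versions come from the description; the secret name SCORECARD_TOKEN, the upload-artifact and codeql-action versions, and the cron schedule are assumptions, and Scorecard's own Pinned-Dependencies check expects each `uses:` to be pinned to a full commit SHA rather than the tags shown here.

```yaml
# .github/workflows/scorecard.yml (added example, not the PR's own file)
name: Scorecard supply-chain security
on:
  # Re-run when branch protection settings change, so the
  # Branch-Protection score reflects the current configuration.
  branch_protection_rule:
  schedule:
    - cron: "30 1 * * 6"        # assumed weekly schedule
  push:
    branches: ["master"]        # default branch of this repository
# Least privilege for the whole workflow; the job widens only what it needs.
permissions: read-all
jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write    # needed to upload SARIF to code scanning
      id-token: write           # needed to publish results to scorecard.dev
    steps:
      - name: Checkout code
        # Pin to a full commit SHA in a real file; tags are used here for readability.
        uses: actions/checkout@v4.2.2
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@v2.4.1
        with:
          results_file: results.sarif
          results_format: sarif
          # Read-only PAT so the Branch-Protection check can read the settings.
          # The secret name is an assumption.
          repo_token: ${{ secrets.SCORECARD_TOKEN }}
          # Publishing to scorecard.dev only works for public repositories.
          publish_results: true

      - name: Upload SARIF as a workflow artifact
        uses: actions/upload-artifact@v4     # version assumed
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload SARIF to GitHub code scanning
        uses: github/codeql-action/upload-sarif@v3   # version assumed
        with:
          sarif_file: results.sarif
```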

@kotakanbe kotakanbe requested review from Copilot, shino and MaineK00n May 9, 2025 01:46
Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This pull request adds a new GitHub Actions workflow to perform a supply-chain security analysis using the OSSF Scorecard action.

  • Adds a workflow file to trigger branch-protection and maintenance checks via scheduled runs and pushes.
  • Configures steps to checkout the repository, run the Scorecard analysis, and upload SARIF results as artifacts and to GitHub's code scanning dashboard.

@shino shino force-pushed the kotakanbe-patch-1 branch from 4d8fc31 to 5cb9f11 Compare May 9, 2025 03:21
Collaborator

@shino shino left a comment

🍻

@shino shino force-pushed the kotakanbe-patch-1 branch from 5cb9f11 to 611e502 Compare May 9, 2025 04:53
@kotakanbe kotakanbe merged commit 203bc80 into master May 14, 2025
7 checks passed
@kotakanbe kotakanbe deleted the kotakanbe-patch-1 branch May 14, 2025 00:47