From 348ff6a2c0ed3290816b05fe513db26855f64c29 Mon Sep 17 00:00:00 2001 From: Rhuan Barreto Date: Sun, 26 Apr 2026 17:14:40 +0200 Subject: [PATCH] ci: add OpenSSF Scorecard workflow Runs weekly and on push to main. Publishes results to scorecard.dev and uploads SARIF to the GitHub Security tab. --- .github/workflows/scorecard.yml | 48 +++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 00000000..b30b6bc1 --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,48 @@ +name: OpenSSF Scorecard + +on: + push: + branches: + - main + schedule: + # Weekly Monday 06:15 UTC + - cron: "15 6 * * 1" + workflow_dispatch: + +permissions: read-all + +env: + ARCHGATE_TELEMETRY: "0" + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + analysis: + name: Scorecard Analysis + runs-on: ubuntu-latest + timeout-minutes: 10 + permissions: + security-events: write + id-token: write + contents: read + actions: read + + steps: + - name: Checkout code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + + - name: Run OpenSSF Scorecard + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: Upload SARIF to GitHub Security tab + uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17 + with: + sarif_file: results.sarif