Skip to content

ci: improve OpenSSF Scorecard compliance#228

Merged
rhuanbarreto merged 3 commits into
mainfrom
fix/scorecard-env
Apr 26, 2026
Merged

ci: improve OpenSSF Scorecard compliance#228
rhuanbarreto merged 3 commits into
mainfrom
fix/scorecard-env

Conversation

@rhuanbarreto

@rhuanbarreto rhuanbarreto commented Apr 26, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes the OpenSSF Scorecard workflow failure and addresses all actionable findings from the first scan.

Scorecard workflow fix

Token-Permissions (0 → 10)

  • release-binaries.yml: move contents: write from top-level to job-level
  • release.yml: move all permissions from top-level to job-level, scoped per job:
    • check: contents: read only (uses app token for writes)
    • pull-request: actions, contents, pull-requests, statuses: write
    • release: contents: write, id-token: write (npm provenance)

Branch-Protection

  • Add .github/CODEOWNERS — the org ruleset requires codeowner review but no CODEOWNERS file existed

Pinned-Dependencies and Dependency-Update-Tool are handled by Renovate.

Test plan

The scorecard-action rejects workflows with global `env` or `defaults`
blocks as a security measure. The `ARCHGATE_TELEMETRY` var is not
needed in this workflow since no archgate CLI runs here.
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Apr 26, 2026

Copy link
Copy Markdown

Deploying archgate-cli with  Cloudflare Pages  Cloudflare Pages

Latest commit: 7223518
Status: ✅  Deploy successful!
Preview URL: https://135241e2.archgate-cli.pages.dev
Branch Preview URL: https://fix-scorecard-env.archgate-cli.pages.dev

View logs

- release-binaries.yml: move `contents: write` to job-level
- release.yml: move all permissions to job-level, scoped per job:
  - check: `contents: read` (uses app token for writes)
  - pull-request: `actions/contents/pull-requests/statuses: write`
  - release: `contents: write`, `id-token: write` (npm provenance)
- Add CODEOWNERS for Branch-Protection codeowner review check

Improves OpenSSF Scorecard Token-Permissions and Branch-Protection.
@rhuanbarreto rhuanbarreto changed the title fix(ci): remove global env block from scorecard workflow ci: improve OpenSSF Scorecard compliance Apr 26, 2026
@rhuanbarreto rhuanbarreto merged commit 107288f into main Apr 26, 2026
9 checks passed
@rhuanbarreto rhuanbarreto deleted the fix/scorecard-env branch April 26, 2026 15:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant