Skip to content

fix: add scorecards permissions and update README for org-level secrets #35

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cuioss-oliver merged 1 commit into from
Feb 3, 2026
Merged

fix: add scorecards permissions and update README for org-level secrets #35

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 12 additions & 1 deletion .github/workflows/scorecards.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Example: Copy this to your repo as .github/workflows/scorecards.yml
# Calls reusable scorecards workflow from cuioss-organization
name: Scorecard supply-chain security

on:
Expand All @@ -8,7 +8,18 @@ on:
push:
branches: [main]

permissions:
contents: read

jobs:
analysis:
uses: cuioss/cuioss-organization/.github/workflows/reusable-scorecards.yml@9ce5ba83776bab80eeffb695f7374e334cf6bd9f # v0.2.0
permissions:
security-events: write
id-token: write
contents: read
actions: read
issues: read
pull-requests: read
checks: read
secrets: inherit
20 changes: 1 addition & 19 deletions README.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,25 +68,7 @@ The key must *not* contain spaces. They are used for creating urls as well.

=== Credentials

Add the necessary credentials to the project: "Settings" -> "Secrets" -> "Actions", as there are:

* `GPG_PASSPHRASE` -> Code Signing
* `GPG_PRIVATE_KEY` -> Code Signing
* `OSS_SONATYPE_PASSWORD` -> Deploy to maven-central
* `OSS_SONATYPE_USERNAME` -> Deploy to maven-central
* `PAGES_DEPLOY_TOKEN` -> Deploying the result of maven site to https://cuioss.github.io
* `SONAR_TOKEN` -> Sonar-Cloud

They are picked up in the predefined pipeline-configurations:

* `.github/workflows/maven.yml`
* `.github/workflows/maven-release.yml`

Ensure that the actions are authorized correctly: Settings > Actions > General > Workflow permissions > "Read and write permissions" must be selected *not* "Read repository contents permission"

Documentation on how to create a signing key can be found https://github.com/cuioss/cui-parent-pom/blob/master/doc/signing_key.adoc[Documentation at cui-parent-pom]

A sonar token can be derived from https://sonarcloud.io/account/security
All secrets (GPG, Sonatype, Sonar, Pages, Release App) are managed at the https://github.com/cuioss/cuioss-organization[cuioss organization level] and inherited automatically via `secrets: inherit` in the reusable workflows. No repo-level secrets need to be configured.

=== Further Steps

Expand Down