suricata/.github/workflows/scorecards-analysis.yml

name: Scorecards supply-chain security
on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    - cron: '28 22 * * 6'
  push:
    branches: [ master ]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      id-token: write

    steps:
      - name: "Checkout code"
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: "Run analysis"
        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
          # Scorecard team runs a weekly scan of public GitHub repos,
          # see https://github.com/ossf/scorecard#public-data.
          # Setting `publish_results: true` helps us scale by leveraging your workflow to
          # extract the results instead of relying on our own infrastructure to run scans.
          # And it's free for you!
          publish_results: true

      # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
      # Optional.
      - name: "Upload artifact"
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.1.2
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload SARIF results"
        uses: github/codeql-action/upload-sarif@baf3361f3137806df1a78c598d1256f83cb89a23 # v1
        with:
          sarif_file: results.sarif
ci: adds scorecard analysis GitHub workflow 3 years ago			`name: Scorecards supply-chain security`
			`on:`
			`# Only the default branch is supported.`
			`branch_protection_rule:`
			`schedule:`
			`- cron: '28 22 * * 6'`
			`push:`
			`branches: [ master ]`

github-ci: cancel previous job for all workflows Previously only enabled in build.yml, apply cancen-in-progress to all workflow files. 1 year ago			`concurrency:`
			`group: ${{ github.workflow }}-${{ github.ref }}`
			`cancel-in-progress: true`

ci: adds scorecard analysis GitHub workflow 3 years ago			`# Declare default permissions as read only.`
			`permissions: read-all`

			`jobs:`
			`analysis:`
			`name: Scorecards analysis`
			`runs-on: ubuntu-latest`
			`permissions:`
			`# Needed to upload the results to code-scanning dashboard.`
			`security-events: write`
ci: update scorecard analysis workflow 1 year ago			`id-token: write`
ci: adds scorecard analysis GitHub workflow 3 years ago
			`steps:`
			`- name: "Checkout code"`
ci: update scorecard analysis workflow 1 year ago			`uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`
ci: adds scorecard analysis GitHub workflow 3 years ago
			`- name: "Run analysis"`
ci: update scorecard analysis workflow 1 year ago			`uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1`
ci: adds scorecard analysis GitHub workflow 3 years ago			`with:`
			`results_file: results.sarif`
			`results_format: sarif`
			`repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}`
ci: update scorecard analysis workflow 1 year ago			`# Scorecard team runs a weekly scan of public GitHub repos,`
			`# see https://github.com/ossf/scorecard#public-data.`
			# Setting `publish_results: true` helps us scale by leveraging your workflow to
			`# extract the results instead of relying on our own infrastructure to run scans.`
			`# And it's free for you!`
ci: adds scorecard analysis GitHub workflow 3 years ago			`publish_results: true`

ci: update scorecard analysis workflow 1 year ago			`# https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts`
			`# Optional.`
ci: adds scorecard analysis GitHub workflow 3 years ago			`- name: "Upload artifact"`
github-ci: update {download,upload} artifact actions Multiple uploads can no longer use the same name, so give the cbindgen artifact its own name of "cbindgen". Requires an additional download for each build depending on this cbindgen artifact. 1 year ago			`uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.1.2`
ci: adds scorecard analysis GitHub workflow 3 years ago			`with:`
			`name: SARIF file`
			`path: results.sarif`
			`retention-days: 5`

			`# Upload the results to GitHub's code scanning dashboard.`
ci: update scorecard analysis workflow 1 year ago			`- name: "Upload SARIF results"`
github-actions: bump github/codeql-action from 3.24.5 to 3.24.6 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.5 to 3.24.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Commits](https://github.com/github/codeql-action/compare/v3.24.5...v3.24.6) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 1 year ago			`uses: github/codeql-action/upload-sarif@baf3361f3137806df1a78c598d1256f83cb89a23 # v1`
ci: adds scorecard analysis GitHub workflow 3 years ago			`with:`
			`sarif_file: results.sarif`