Skip to content

Run Scorecard best-practices analyzer #148

Run Scorecard best-practices analyzer

Run Scorecard best-practices analyzer #148

# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Zero-configuration modular workflow to run the OSSF Scorecard scanner.
#
# Scorecard (https://github.com/ossf/scorecard) is a repository-scanning tool
# that evaluates a project's security practices. Its use is suggested by
# Google's GitHub team. Scorecard's findings are reported in a repo's scanning
# results page, https://github.com/quantumlib/REPO/security/code-scanning/.
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
name: Scorecard analysis
run-name: Run Scorecard best-practices analyzer ${{inputs.reason}}
on:
pull_request:
types: [opened, synchronize]
branches:
- main
# Support merge queues.
merge_group:
types:
- checks_requested
# Allow calling from nightly.yaml.
workflow_call:
inputs:
reason:
description: 'Append text to workflow run name:'
type: string
debug:
description: 'Run with debugging options'
type: boolean
default: false
# Allow manual invocation.
workflow_dispatch:
inputs:
debug:
description: 'Run with debugging options'
type: boolean
default: true
# Declare default workflow permissions as read only.
permissions: read-all
jobs:
scorecard:
if: github.repository_owner == 'quantumlib'
name: Run Scorecard analyzer
runs-on: ubuntu-24.04
permissions:
actions: read
contents: read
security-events: write
timeout-minutes: 15
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
with:
persist-credentials: false
- name: Run Scorecard analysis
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
# Save the results
results_file: scorecard-results.sarif
results_format: sarif
# Publish results to OpenSSF REST API.
# See https://github.com/ossf/scorecard-action#publishing-results.
publish_results: true
- name: Upload results to code-scanning dashboard
uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v3.29.5
with:
sarif_file: scorecard-results.sarif
- if: github.event.inputs.debug == true
name: Upload results as artifacts to the workflow Summary page
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: SARIF file
path: results.sarif
retention-days: 5