ci(github): Run OpenSSF Scorecard analysis

Note that the `scorecard-action` does not currently offer conventional major-version-only tags, so the concrete version needs to be hard-coded. Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
oss-review-toolkit · Jul 11, 2024 · 113a44d · 113a44d
1 parent bdaf216
commit 113a44d
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
@@ -114,3 +114,25 @@ jobs:
       run: |
         pip install --user reuse
         ~/.local/bin/reuse lint
+  scorecard-analysis:
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed for SARIF scanning upload.
+      security-events: write
+      # Needed for GitHub OIDC token if `publish_results` is true.
+      id-token: write
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - name: Run Analysis
+      uses: ossf/scorecard-action@v2.3.3
+      with:
+        results_file: ossf-results.sarif
+        results_format: sarif
+        publish_results: true
+    - name: Upload Code Scanning Results
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: ossf-results.sarif