
ci(security): OpenSSF Scorecard workflow + README badge (T8)#65

Merged
valdacf merged 2 commits into main from security/t8-scorecard on Jun 22, 2026

Conversation

@valdacf (Collaborator) commented Jun 22, 2026

Summary

Adds the OpenSSF Scorecard workflow (plan task T8) — the public supply-chain credibility metric for this repo — plus the README badge.

  • .github/workflows/scorecard.yml: ossf/scorecard-action v2.4.3 (SHA-pinned, ADR-015). Triggers: branch_protection_rule, weekly cron (Mon 06:42 UTC), push main, and pull_request.
  • Top-level permissions: read-all; analysis job widens only security-events: write (SARIF → Security tab) + id-token: write (OIDC for publish_results).
  • publish_results gated to non-PR runs — the public score must come from the default branch; PR runs exist only to prove the workflow is green.
  • README OpenSSF Scorecard badge → scorecard.dev.
  • Docs: docs/development/ci.md (workflow table + section).

Also in this PR (docs only)

Ticks T9 (branch protection on main) and T11 (secret scanning + push protection) in docs/plans/2026-06-18-security-hardening.md. Both were applied as repo-settings changes via gh api (the plan's "PR A") — no code, so only the plan checkboxes change here.

Verification

  • scorecard.yml YAML validated; all uses: refs SHA-pinned with # vX.Y.Z comments (ADR-015).
  • Scorecard + the 5 required checks run on this PR; full publish/score happens post-merge on main.

🤖 Generated with Claude Code

valdacf and others added 2 commits June 22, 2026 13:54
Add `.github/workflows/scorecard.yml` running `ossf/scorecard-action` v2.4.3
(SHA-pinned per ADR-015) on branch_protection_rule + weekly cron + push main +
pull_request. Top-level `permissions: read-all`; the analysis job widens only
`security-events: write` (SARIF -> Security tab) and `id-token: write` (OIDC for
publish_results). publish_results is gated to non-PR runs so the public score
comes from the default branch; PR runs only verify the workflow is green.

Add the Scorecard badge to README and document the workflow in
docs/development/ci.md.

Also ticks T9 (branch protection on main) and T11 (secret scanning + push
protection) in the security-hardening plan — both applied via `gh api` as
repo-settings changes (PR A), no code.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
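The workflow that the PR description and the first commit message describe, written out here as an added example. This is not the repository's own `scorecard.yml` (the page does not show the file), so the commit SHAs are placeholders to be replaced with the pins that `# vX.Y.Z` comments refer to, and the `publish_results` expression is one assumed way to implement the "non-PR runs only" gate the PR mentions. The inputs `results_file`, `results_format` and `publish_results` are the documented inputs of `ossf/scorecard-action`; the `pull_request` branch filter on `main` is an assumption.

```yaml
# Added example, not the PR's own file. SHA pins are placeholders:
# resolve each tag to its commit and substitute it before use.
name: OpenSSF Scorecard

on:
  branch_protection_rule:
  schedule:
    - cron: "42 6 * * 1"        # weekly, Monday 06:42 UTC
  push:
    branches: [main]
  pull_request:
    branches: [main]            # assumption: PR runs only prove the workflow is green

# Least privilege at the top level; the job widens only what it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write    # upload SARIF to the Security tab
      id-token: write           # OIDC token used when publishing results
    steps:
      - name: Checkout code
        uses: actions/checkout@<PINNED_SHA_PLACEHOLDER> # vX.Y.Z
        with:
          persist-credentials: false   # do not leave the GITHUB_TOKEN in .git/config

      - name: Run Scorecard analysis
        uses: ossf/scorecard-action@<PINNED_SHA_PLACEHOLDER> # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
          # Gate publishing to non-PR runs so the public score comes from
          # the default branch; evaluates to "false" on pull_request events.
          publish_results: ${{ github.event_name != 'pull_request' }}

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@<PINNED_SHA_PLACEHOLDER> # vX.Y.Z
        with:
          sarif_file: results.sarif
```

Two things worth checking before merging a file like this: every `uses:` must reference a full 40-character commit SHA rather than a tag (a tag can be moved; a SHA cannot), which is what the ADR-015 pinning rule and Scorecard's own Pinned-Dependencies check look for; and the top-level `permissions: read-all` must stay in place, since the job-level block only widens the two scopes listed and Scorecard's Token-Permissions check scores the top-level default.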
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@valdacf valdacf merged commit e87897c into main Jun 22, 2026
8 checks passed
@valdacf valdacf deleted the security/t8-scorecard branch June 22, 2026 12:01