Skip to content

chore(ci): add OpenSSF Scorecard workflow#177

Closed
maw629 wants to merge 1 commit into
fastify:mainfrom
maw629:chore/ci-add-scorecard-workflow
Closed

chore(ci): add OpenSSF Scorecard workflow#177
maw629 wants to merge 1 commit into
fastify:mainfrom
maw629:chore/ci-add-scorecard-workflow

Conversation

@maw629

@maw629 maw629 commented May 28, 2026

Copy link
Copy Markdown

Adds .github/workflows/scorecard.yml running the ossf/scorecard-action on a weekly schedule, on pushes to main, and when branch protection rules change. Results are written to three places:

  1. OpenSSF's public dataset (via publish_results: true) — so the score becomes queryable at https://api.securityscorecards.dev/projects/github.com/fastify/fast-uri.
  2. This repo's GitHub Security tab — SARIF uploaded via github/codeql-action/upload-sarif.
  3. A run artifact (results.sarif, 5-day retention) — convenient for inspecting findings without leaving the Actions page.

This to fix

GitHub's dependency-review action shows the Scorecard column as Unknown for any consumer that depends on fast-uri.

Verification I ran locally

Ran the same checks the workflow will run, locally with the scorecard CLI:

scorecard --repo=github.com/fastify/fast-uri --show-details

Checklist

@Fdawgs Fdawgs left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is something that could be rolled into the shared workflows in https://github.com/fastify/workflows/ if it's something we wanted to pursue. Then we could have it across all Fastify repos.

@Fdawgs Fdawgs requested review from a team and Copilot June 2, 2026 06:13

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an OpenSSF Scorecard GitHub Actions workflow that runs weekly, on pushes to main, and on branch protection rule changes. Results are published to OpenSSF's public dataset, uploaded to the GitHub Security tab via SARIF, and stored as a run artifact. This resolves the "Unknown" Scorecard column shown by the dependency-review action for consumers of fast-uri.

Changes:

  • New workflow file .github/workflows/scorecard.yml invoking ossf/scorecard-action@v2.4.3.
  • Configures read-all default permissions with scoped security-events: write and id-token: write for the analysis job.
  • Uploads SARIF to GitHub Security tab and as a 5-day retention artifact.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Tony133

Tony133 commented Jun 10, 2026

Copy link
Copy Markdown
Member

This is something that could be rolled into the shared workflows in https://github.com/fastify/workflows/ if it's something we wanted to pursue. Then we could have it across all Fastify repos.

I agree 😉👍🏻

@Tony133

Tony133 commented Jul 12, 2026

Copy link
Copy Markdown
Member

see this PR here: fastify/workflows#222

@Tony133 Tony133 closed this Jul 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants