chore(ci): add OpenSSF Scorecard workflow#177
Conversation
Fdawgs
left a comment
There was a problem hiding this comment.
This is something that could be rolled into the shared workflows in https://github.com/fastify/workflows/ if it's something we wanted to pursue. Then we could have it across all Fastify repos.
There was a problem hiding this comment.
Pull request overview
Adds an OpenSSF Scorecard GitHub Actions workflow that runs weekly, on pushes to main, and on branch protection rule changes. Results are published to OpenSSF's public dataset, uploaded to the GitHub Security tab via SARIF, and stored as a run artifact. This resolves the "Unknown" Scorecard column shown by the dependency-review action for consumers of fast-uri.
Changes:
- New workflow file
.github/workflows/scorecard.ymlinvokingossf/scorecard-action@v2.4.3. - Configures read-all default permissions with scoped
security-events: writeandid-token: writefor the analysis job. - Uploads SARIF to GitHub Security tab and as a 5-day retention artifact.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
I agree 😉👍🏻 |
|
see this PR here: fastify/workflows#222 |
Adds
.github/workflows/scorecard.ymlrunning theossf/scorecard-actionon a weekly schedule, on pushes tomain, and when branch protection rules change. Results are written to three places:publish_results: true) — so the score becomes queryable athttps://api.securityscorecards.dev/projects/github.com/fastify/fast-uri.github/codeql-action/upload-sarif.results.sarif, 5-day retention) — convenient for inspecting findings without leaving the Actions page.This to fix
GitHub's dependency-review action shows the Scorecard column as Unknown for any consumer that depends on fast-uri.
Verification I ran locally
Ran the same checks the workflow will run, locally with the
scorecardCLI:Checklist
npm run test && npm run benchmark --if-presentand the Code of conduct