Conversation

@clubanderson
Contributor

Summary

Add OpenSSF Scorecard workflow for security scoring and visibility.

Details

  • Runs weekly and on pushes to main branch
  • Results published to GitHub Security tab
  • Enables security badge for README

🤖 Generated with Claude Code

Add OpenSSF Scorecard for security scoring and visibility.
Results are published to GitHub Security tab.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings January 10, 2026 05:21
@kubestellar-prow kubestellar-prow bot added the dco-signoff: no Indicates the PR's author has not signed the DCO. label Jan 10, 2026
@kubestellar-prow

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

  • a4bed38 chore: add OpenSSF Scorecard workflow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@kubestellar-prow

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from clubanderson. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-actions github-actions bot added the ci label Jan 10, 2026
@kubestellar-prow kubestellar-prow bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jan 10, 2026
Contributor

Copilot AI left a comment

Pull request overview

This PR adds an OpenSSF Scorecard workflow to automate security scoring for the repository. The workflow runs weekly, on pushes to the main branch, and can be triggered manually.

Changes:

  • Added OpenSSF Scorecard GitHub Actions workflow
  • Configured security permissions for SARIF uploads and badge generation
  • Set up automated scanning schedule and artifact retention

          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@v2.4.0

Copilot AI Jan 10, 2026

Pin the action to a full commit SHA instead of a version tag to ensure immutability and prevent potential supply chain attacks. Version tags can be moved or deleted, but commit SHAs are permanent.

Suggested change
uses: ossf/scorecard-action@v2.4.0
uses: ossf/scorecard-action@62b2cac7ed819b70a90c1c9f236b4f1e77f4a24b

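The review comment above is the kind of finding a repository can check for itself before a reviewer has to. The following script is an added example, not part of this PR or of the kubestellar-ui project: it scans a GitHub Actions workflow for `uses:` references that are not pinned to a full 40-hex commit SHA and reports each one with the line number and the reason. The sample workflow embedded in it is constructed for the example; it reuses the two references from the suggested change (`ossf/scorecard-action@v2.4.0` and the SHA-pinned form) and adds a hypothetical local action path. Local `./` actions are skipped because they are versioned with the repository itself, and `docker://` images are accepted only when pinned by `sha256:` digest.

```python
import re
from typing import List, Tuple

# Constructed sample workflow for this example (not the PR's actual file).
# It mixes a tag-pinned reference, a SHA-pinned reference and a local action.
SAMPLE_WORKFLOW = """\
name: Scorecard
on:
  push:
    branches: [main]
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: ./.github/actions/checkout-wrapper
        with:
          persist-credentials: false
      - name: Run analysis
        uses: ossf/scorecard-action@v2.4.0
      - name: Run analysis (pinned)
        uses: ossf/scorecard-action@62b2cac7ed819b70a90c1c9f236b4f1e77f4a24b # v2.4.0
"""

# Matches both `uses: ...` and `- uses: ...`; the reference stops at the first
# whitespace, so a trailing `# v2.4.0` comment is not part of it.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
IMAGE_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def find_unpinned_actions(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reference, reason) for every `uses:` entry that is
    not pinned to an immutable identifier (full commit SHA or image digest)."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        if ref.startswith("./"):
            continue  # local action: versioned together with the repository
        if "@" not in ref:
            findings.append((lineno, ref, "no @ref: floating reference"))
            continue
        target, version = ref.rsplit("@", 1)
        if target.startswith("docker://"):
            if IMAGE_DIGEST_RE.match(version):
                continue  # image pinned by digest
            findings.append((lineno, ref, "docker image not pinned by sha256 digest"))
            continue
        if FULL_SHA_RE.match(version):
            continue  # immutable commit SHA
        findings.append(
            (lineno, ref, f"mutable reference '{version}' (tag or branch), not a 40-hex commit SHA")
        )
    return findings


if __name__ == "__main__":
    for lineno, ref, reason in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```

Run against the sample it reports only the `v2.4.0` tag on line 14; the SHA-pinned step and the local action pass. A CI job that fails when the returned list is non-empty enforces the same rule the reviewer asked for across every workflow file. The trailing `# v2.4.0` comment on the pinned line is worth keeping in real workflows so that humans (and tools like Dependabot) can still tell which release the SHA corresponds to.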
@clubanderson clubanderson merged commit 3993ce2 into dev Jan 10, 2026
9 of 10 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in KubeStellar UI Project Jan 10, 2026
@kubestellar-prow kubestellar-prow bot deleted the add-scorecard branch January 10, 2026 05:21
@github-actions
Contributor

🎉 Thank you for your contribution! Your PR has been successfully merged.

We’d love to hear your thoughts to help improve KubeStellar.
Please take a moment to fill out our short feedback survey:

https://kubestellar.io/survey

mrhapile pushed a commit to mrhapile/kubestellar-ui that referenced this pull request Jan 10, 2026
Add OpenSSF Scorecard for security scoring and visibility.
Results are published to GitHub Security tab.

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: mrhapile <allinonegaming3456@gmail.com>
@kubestellar-prow

@clubanderson: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kubestellar-ui-backend-verify a4bed38 link true /test pull-kubestellar-ui-backend-verify
pull-kubestellar-ui-verify a4bed38 link true /test pull-kubestellar-ui-verify
pull-kubestellar-ui-backend-test a4bed38 link true /test pull-kubestellar-ui-backend-test
pull-kubestellar-ui-build a4bed38 link true /test pull-kubestellar-ui-build
pull-kubestellar-ui-test a4bed38 link true /test pull-kubestellar-ui-test

Full PR test history


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@clubanderson
Contributor Author

/retest

1 similar comment
@clubanderson
Contributor Author

/retest

@clubanderson
Contributor Author

/test all
