feat: adds scorecard workflow to publish openssf scores #6090
evankanderson merged 1 commit into mindersec:main from
d0573b6 to acd7408
@evankanderson Can you please review this PR when you get a chance? Thanks!
evankanderson left a comment
This looks to mostly match the setup in github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml minus the comments, so LGTM.
.github/workflows/scorecard.yml (Outdated)
| - cron: '0 0 * * 1' | ||
|
|
||
| permissions: | ||
| contents: read |
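Review bot: the top-level `permissions:` block grants only `contents: read`, which is narrower than the `read-all` used by the upstream scorecard-analysis.yml this review compares against; Scorecard checks that read repository metadata other than file contents may be skipped or return incomplete results under the narrower scope. Suggest `permissions: read-all` at the top level, and if the publishing job needs any write scope, grant it in that job's own `permissions:` block rather than widening the workflow-wide one.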
github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml uses read-all instead of contents: read. Will contents: read prevent any of scorecard's operation?
Thanks for pointing this out! I looked into it a bit more, and it seems that using contents: read can cause some checks to be skipped or return incomplete results, since scorecard is a complete analysis of the project. I'll keep it aligned with the scorecard workflow by changing it to permissions: read-all.
Signed-off-by: Gagan H R <hrgagan4@gmail.com>
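The permissions change discussed in this thread, as an added illustration that is not this PR's own workflow file: the narrow top-level scope flagged in review beside the read-all form aligned with the upstream scorecard-analysis.yml, with the write scopes the publishing job needs granted only at the job level. The action inputs, triggers and version tags are assumptions drawn from the scorecard-action documentation, not from this PR.

```yaml
# Added illustration (not this PR's file). Two top-level permission blocks are
# shown for contrast; a real workflow would contain only the corrected one.

# Weak form flagged in review: the job token only gets read access to repository
# contents, so Scorecard checks that read other repository metadata may be
# skipped or return incomplete results.
# permissions:
#   contents: read

# Corrected form, aligned with upstream scorecard-analysis.yml: every scope is
# read-only at the workflow level; write scopes are granted per job, only where
# the publishing step needs them.
name: Scorecard analysis
on:
  schedule:
    - cron: '0 0 * * 1'   # weekly, as in the PR's workflow
  push:
    branches: [main]      # assumption: run on pushes to the default branch

permissions: read-all

jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # upload the SARIF to code scanning
      id-token: write         # publish results to the Scorecard API
    steps:
      - uses: actions/checkout@v4   # assumption: pin to a commit SHA in a real file
        with:
          persist-credentials: false  # do not leave the token in .git/config
      - uses: ossf/scorecard-action@v2  # assumption: pin to a commit SHA in a real file
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - uses: github/codeql-action/upload-sarif@v3  # assumption: pin to a commit SHA
        with:
          sarif_file: results.sarif
```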
acd7408 to 3e9a240
Summary
The repository currently does not publish OpenSSF Scorecard results, which means users and downstream consumers cannot easily discover the project’s security best-practice signals via the Scorecard API.
Publishing Scorecard results:
Fixes #6089