Update scorecards-analysis.yml

praw-dev · Jan 8, 2023 · 8162909 · 8162909
1 parent a0a0f6c
commit 8162909
Showing 1 changed file with 31 additions and 4 deletions.
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
@@ -1,9 +1,36 @@
 jobs:
-  scorecards-analysis:
-    name: Scorecards supply-chain security
-    secrets: inherit
-    uses: praw-dev/.github/.github/workflows/scorecards-analysis.yml@main
+  analysis:
+    name: Scorecards analysis
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+        with:
+          persist-credentials: false
+      - name: Run analysis
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+          publish_results: true
+      - name: Upload artifact
+        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
+        with:
+          sarif_file: results.sarif
 name: Scorecards supply-chain security
+permissions: read-all
 on:
   branch_protection_rule:
   push: