ops: add OpenSSF Scorecard workflow#142

Merged: amavashev merged 1 commit into main from ops/scorecard-action on May 2, 2026

Conversation

@amavashev
Collaborator

Summary

Adds OpenSSF Scorecard supply-chain security analysis to this repo. Free tool from the Open Source Security Foundation that scores ~17 practices on a 0–10 scale:

  • Branch protection (required reviews, signed commits, status checks)
  • Dependency review and pinned dependencies
  • Token permissions (least privilege)
  • SAST and CodeQL coverage
  • Vulnerability disclosure policy
  • Fuzzing, code review, dangerous workflow patterns
  • (full list: https://github.com/ossf/scorecard/blob/main/docs/checks.md)

How it runs

  • On push to main — immediate first score after merge
  • On `branch_protection_rule` changes — re-score when policy changes
  • Weekly (Mon 06:00 UTC) — drift detection

Where the results show up

  1. Security tab in this repo (SARIF upload via `github/codeql-action/upload-sarif`)
  2. Public scorecard page at https://scorecard.dev/viewer/?uri=github.com/runcycles/cycles-server (after first run)
  3. Auto-updating badge at `https://api.scorecard.dev/projects/github.com/runcycles/cycles-server/badge` — will be added to the org profile README once the first scan completes

Why this repo first

`cycles-server` is the reference implementation. If the workflow runs cleanly here, we'll roll it out to `cycles-protocol`, `cycles-client-python`, `cycles-mcp-server` as a follow-up.

Notes

  • All action SHAs are pinned (Scorecard's own "Pinned-Dependencies" criterion — keeps this workflow from penalizing its own score)
  • `publish_results: true` requires the repo to be public (it is)
  • `id-token: write` is required to mint the OIDC token for publishing
  • Workflow must live on the default branch (`main`) for results to publish — this PR puts it there

Test plan

  • Merge → verify the workflow runs to green on the post-merge push
  • Check Security tab — SARIF results visible
  • Check https://scorecard.dev/viewer/?uri=github.com/runcycles/cycles-server (24h after merge for full data)
  • First score: anything ≥6/10 is reasonable for a young repo; ≥8 is strong. Below 5 means immediate hardening warranted (likely branch protection + signed commits).

Follow-up

Once first score is in, open a PR on `runcycles/.github` to add the badge to the org profile README's trust-signal row.

Free supply-chain security analysis from openssf/scorecard. Scores ~17
practices (branch protection, signed commits, dependency review, pinned
deps, token permissions, vulnerability disclosure, SAST, fuzzing, etc.)
on a 0–10 scale and publishes the result to api.scorecard.dev so the
public badge auto-updates.

Runs:
- on push to main (immediate first score after merge)
- on branch_protection_rule changes (so policy changes show up)
- weekly on Monday 06:00 UTC (drift detection)

Action SHAs are pinned per Scorecard's own pinned-dependencies criterion,
so this workflow doesn't penalize its own score.

Results land in the Security tab (SARIF upload) and on the public
scorecard.dev project page. Once merged, we can add the badge to the
runcycles org profile README as a third-party trust signal.
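The description and commit message above spell out the triggers, permissions and outputs the workflow needs; the following is an added illustration of such a workflow and is not the file merged in this PR. The action SHAs are placeholders (the PR pins real commit SHAs), and the `ossf/scorecard-action` and `upload-sarif` inputs are the ones those actions document.

```yaml
# Added example, not the workflow file from this PR: a Scorecard workflow
# wired up the way the PR description lists. Each <PINNED-SHA> is a
# placeholder for the full commit SHA of the action release you audited.
name: Scorecard supply-chain security

on:
  push:
    branches: [main]            # immediate first score after merge
  branch_protection_rule:       # re-score when branch policy changes
  schedule:
    - cron: '0 6 * * 1'         # weekly, Monday 06:00 UTC (drift detection)

# Least privilege at the top level; the job adds only what it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write    # needed to upload SARIF to the Security tab
      id-token: write           # mints the OIDC token used to publish results
      contents: read
      actions: read
    steps:
      - name: Checkout
        uses: actions/checkout@<PINNED-SHA>   # placeholder: pin to a commit SHA
        with:
          persist-credentials: false          # do not leave the token in .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@<PINNED-SHA>   # placeholder: pin to a commit SHA
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true   # requires a public repo; feeds api.scorecard.dev and the badge

      - name: Upload SARIF to the Security tab
        uses: github/codeql-action/upload-sarif@<PINNED-SHA>   # placeholder: pin to a commit SHA
        with:
          sarif_file: results.sarif
```

Because the Pinned-Dependencies check inspects this file too, replacing the placeholders with tag references such as `@v4` instead of commit SHAs would lower the repo's own score.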