Home Explore Help
Sign In
SMusatov
/
Cura
mirror of https://github.com/Ultimaker/Cura.git
1
0
Fork 0
Files Wiki
Tree: b5cd19d6fc
Branches Tags
Cura
/
.github
/
workflows
/
security_badge.yml

security_badge.yml 2.4 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162 
  1. # NOTE: Best to keep all of these remarks in, they might prove useful in the future.
    2. 

  2. #       This is basically just the standard one that is suggested on 'new workflow'.
    3. 

  3. 

  4. name: Scorecard supply-chain security
    5. 

  5. on:
    6. 

  6.   # For Branch-Protection check. Only the default branch is supported. See
    7. 

  7.   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
    8. 

  8.   branch_protection_rule:
    9. 

  9.   # To guarantee Maintained check is occasionally updated. See
    10. 

  10.   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
    11. 

  11.   schedule:
    12. 

  12.     - cron: '25 2 * * 5'
    13. 

  13.   push:
    14. 

  14.     branches: [ "main" ]
    15. 

  15. 

  16. # Declare default permissions as read only.
    17. 

  17. permissions: read-all
    18. 

  18. 

  19. jobs:
    20. 

  20.   analysis:
    21. 

  21.     name: Scorecard analysis
    22. 

  22.     runs-on: ubuntu-latest
    23. 

  23.     permissions:
    24. 

  24.       # Needed for Code scanning upload
    25. 

  25.       security-events: write
    26. 

  26.       # Needed for GitHub OIDC token if publish_results is true
    27. 

  27.       id-token: write
    28. 

  28. 

  29.     steps:
    30. 

  30.       - name: "Checkout code"
    31. 

  31.         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
    32. 

  32.         with:
    33. 

  33.           persist-credentials: false
    34. 

  34. 

  35.       - name: "Run analysis"
    36. 

  36.         uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
    37. 

  37.         with:
    38. 

  38.           results_file: results.sarif
    39. 

  39.           results_format: sarif
    40. 

  40.           # Scorecard team runs a weekly scan of public GitHub repos,
    41. 

  41.           # see https://github.com/ossf/scorecard#public-data.
    42. 

  42.           # Setting `publish_results: true` helps us scale by leveraging your workflow to
    43. 

  43.           # extract the results instead of relying on our own infrastructure to run scans.
    44. 

  44.           # And it's free for you!
    45. 

  45.           publish_results: true
    46. 

  46. 

  47.       # Upload the results as artifacts (optional). Commenting out will disable
    48. 

  48.       # uploads of run results in SARIF format to the repository Actions tab.
    49. 

  49.       # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
    50. 

  50.       - name: "Upload artifact"
    51. 

  51.         uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
    52. 

  52.         with:
    53. 

  53.           name: SARIF file
    54. 

  54.           path: results.sarif
    55. 

  55.           retention-days: 5
    56. 

  56. 

  57.       # Upload the results to GitHub's code scanning dashboard (optional).
    58. 

  58.       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
    59. 

  59.       - name: "Upload to code-scanning"
    60. 

  60.         uses: github/codeql-action/upload-sarif@83a02f7883b12e0e4e1a146174f5e2292a01e601 # v2.16.4
    61. 

  61.         with:
    62. 

  62.           sarif_file: results.sarif
    63.