From ab2f3b9986ca8f2ce40968701f9bb486b644cc62 Mon Sep 17 00:00:00 2001 From: Richard Fan Date: Tue, 6 Aug 2024 18:03:18 +0800 Subject: [PATCH] Add OSSF scorecard workflow --- .github/workflows/build-and-sign-eif.yaml | 2 +- .github/workflows/scorecard.yaml | 44 +++++++++++++++++++++++ 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/scorecard.yaml diff --git a/.github/workflows/build-and-sign-eif.yaml b/.github/workflows/build-and-sign-eif.yaml index 9c4f709..c58ca24 100644 --- a/.github/workflows/build-and-sign-eif.yaml +++ b/.github/workflows/build-and-sign-eif.yaml @@ -5,7 +5,7 @@ on: branches: - main paths: - - ".github/workflows/**" + - ".github/workflows/build-and-sign-eif.yaml" - "enclave/**" jobs: diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml new file mode 100644 index 0000000..010a9e3 --- /dev/null +++ b/.github/workflows/scorecard.yaml @@ -0,0 +1,44 @@ +name: Scorecard supply-chain security + +on: + push: + branches: + - main + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + contents: read + actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + publish_results: false + + - name: "Upload artifact" + uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif