Added the scorecard github action and its badge #1071
Conversation
Signed-off-by: harshitasao <[email protected]>
| branches: [ "main" ] | ||
|
|
||
| # Declare default permissions as read only. | ||
| permissions: read-all |
There was a problem hiding this comment.
Looks pretty broad, assuming this is from the official and vetted scorecard workflow used in other projects and signed off?
There was a problem hiding this comment.
@harshitasao thx for your comments. Can you please also let me know your thoughts on this one?
There was a problem hiding this comment.
Sorry @embano1 for the delayed response. Please read https://github.com/ossf/scorecard-action?tab=readme-ov-file#global-workflow-restrictions
|
|
||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 |
There was a problem hiding this comment.
Regarding those # <version> comments, will dependabot also update them, otherwise they'll get stale so perhaps exclude them?
There was a problem hiding this comment.
Dependabot updates the # <version> comments.
|
|
||
| # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF | ||
| # format to the repository Actions tab. | ||
| - name: "Upload artifact" |
There was a problem hiding this comment.
Question: will uploading succeed with the default read-only permissions used in this workflow?
There was a problem hiding this comment.
I believe so, as it is successfully uploading for other projects that are using this workflow.
PR to add the Scorecard GitHub Action and its badge in the README file.
Fixes #1067