Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions .github/workflows/ossf-scorecard.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
name: OSSF Scorecard Analysis

# **What it does**: Runs OSSF Scorecard analysis on the repository and uploads the results.
# **Why we have it**: Security scanning.

on:
branch_protection_rule:
push:
branches:
- main
paths-ignore:
- "**/*.md"
schedule:
# ┌───────────── minute (0 - 59)
# │ ┌───────────── hour (0 - 23)
# │ │ ┌───────────── day of the month (1 - 31)
# │ │ │ ┌───────────── month (1 - 12 or JAN-DEC)
# │ │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
# │ │ │ │ │
# │ │ │ │ │
# │ │ │ │ │
# * * * * *
- cron: "21 17 * * 0"
# Allows this workflow to be run manually from the Actions tab
workflow_dispatch:

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: "${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
cancel-in-progress: true

permissions:
contents: read

jobs:
analysis:
name: OSSF Scorecard Analysis
permissions:
contents: read
id-token: write
security-events: write
uses: ./.github/workflows/reusable-ossf-scorecard.yml
with:
publish_results: true
49 changes: 49 additions & 0 deletions .github/workflows/reusable-ossf-scorecard.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
name: Reusable OSSF Scorecard Analysis

# **What it does**: Runs OSSF Scorecard analysis on the repository and uploads the results.
# **Why we have it**: Security scanning.

on:
workflow_call:
inputs:
publish_results:
description: "Set to true to publish results. Only works when run from the default branch."
required: false
type: boolean
default: true

permissions: {}

jobs:
analysis:
name: Scorecard Analysis
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
security-events: write

steps:
- name: Check out repo
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false

- name: Perform OSSF Scorecard analysis
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: results.sarif
results_format: sarif
publish_results: ${{ inputs.publish_results && github.ref_name == github.event.repository.default_branch }}

- name: Upload artifact
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: SARIF file
path: results.sarif
retention-days: 5

- name: Upload to Code Scanning
uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
with:
sarif_file: results.sarif
3 changes: 3 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
# Workflows

[![GitHub release](https://img.shields.io/github/v/release/fastify/workflows)](https://github.com/fastify/workflows/releases/latest)
[![OSSF Scorecard](https://api.scorecard.dev/projects/github.com/fastify/workflows/badge)](https://scorecard.dev/viewer/?uri=github.com/fastify/workflows)

Reusable workflows for use in the Fastify organization.

## Intro
Expand Down
Loading