
ci(scorecard): add OpenSSF Scorecard workflow #997

Merged: dekobon merged 1 commit into main from ci/openssf-scorecard on Jun 30, 2026

Conversation

@dekobon (Owner) commented Jun 30, 2026

Summary

Installs OpenSSF Scorecard as a GitHub Actions workflow and adds its badge to the README.

.github/workflows/scorecard.yml runs the Scorecard analyzer, uploads the SARIF to the code-scanning dashboard, and publishes the score to the public OpenSSF API so the badge and the scorecard.dev viewer work.

Conventions followed

Mirrors the existing codeql.yml:

  • SHA-pinned actions with version comments, auto-tracked by the
    existing github-actions Dependabot entry (directory: /, *):
    • ossf/scorecard-action@… v2.4.3
    • actions/checkout@… v7.0.0 (repo pin), persist-credentials: false
    • actions/upload-artifact@… v7.0.1
    • github/codeql-action/upload-sarif@… v4.36.2 (repo pin)
  • permissions: read-all default; the job adds only
    security-events: write and id-token: write.
  • Matching concurrency block.

Triggers

  • push to main
  • weekly schedule (Tue 07:41, offset from CodeQL's Mon 06:23)
  • branch_protection_rule (re-scores when protection settings change)

Notes

  • publish_results: true sends the score to the public OpenSSF API on
    default-branch runs — this powers the badge. Flip to false to keep
    results private (code-scanning only) and drop the README badge.
  • The badge shows grey until the first published run on main completes
    after merge.
  • make actionlint passes clean.

Add a weekly OpenSSF Scorecard analysis that uploads SARIF results to
the code-scanning dashboard and publishes the score to the public
OpenSSF API for the badge. Mirrors codeql.yml conventions: SHA-pinned
actions (Dependabot-tracked), read-all default permissions with a
least-privilege job, and a matching concurrency block. Triggers on
push to main, a weekly schedule offset from CodeQL, and
branch_protection_rule. Adds the Scorecard badge to README.
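The workflow the description above lays out, reconstructed as an added example rather than the PR's own file: the `<full-commit-sha>` placeholders stand in for the pinned commits elided above, the cron strings are the stated times in UTC, and the concurrency group expression, step names and artifact retention are assumptions.

```yaml
name: OpenSSF Scorecard

on:
  push:
    branches: [main]
  schedule:
    - cron: '41 7 * * 2'   # weekly, Tuesday 07:41 UTC (CodeQL runs Monday 06:23)
  branch_protection_rule:  # re-score when branch protection settings change

# Default for every job: read-only token scopes
permissions: read-all

# Assumed group expression, mirroring what a codeql.yml typically uses
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    # Only the two write scopes the job actually needs
    permissions:
      security-events: write   # upload SARIF to the code-scanning dashboard
      id-token: write          # OIDC token used when publish_results is true
    steps:
      - name: Checkout
        uses: actions/checkout@<full-commit-sha> # v7.0.0
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - name: Run Scorecard analysis
        uses: ossf/scorecard-action@<full-commit-sha> # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true   # set to false to keep results private (code scanning only)

      - name: Upload SARIF artifact
        uses: actions/upload-artifact@<full-commit-sha> # v7.0.1
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5   # assumed

      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@<full-commit-sha> # v4.36.2
        with:
          sarif_file: results.sarif
```

Because each `uses:` carries a full commit SHA with a trailing version comment, the existing github-actions Dependabot entry can bump both the pin and the comment together.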
@dekobon dekobon merged commit 3237cb4 into main Jun 30, 2026
34 checks passed
@dekobon dekobon deleted the ci/openssf-scorecard branch June 30, 2026 18:26
