cecf
/
opentelemetry-java-instrumentation


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869
							name: Scorecard supply-chain security

on:

  # For Branch-Protection check. Only the default branch is supported. See

  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection

  branch_protection_rule:

  # To guarantee Maintained check is occasionally updated. See

  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained

  schedule:

    - cron: '43 6 * * 5'

  push:

    branches: [ "main" ]


# Declare default permissions as read only.

permissions: read-all


jobs:

  analysis:

    name: Scorecard analysis

    runs-on: ubuntu-latest

    permissions:

      # Needed to upload the results to code-scanning dashboard.

      security-events: write

      # Needed to publish results and get a badge (see publish_results below).

      id-token: write

      # Uncomment the permissions below if installing in a private repository.

      # contents: read

      # actions: read


    steps:

      - name: "Checkout code"

        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

        with:

          persist-credentials: false


      - name: "Run analysis"

        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1

        with:

          results_file: results.sarif

          results_format: sarif

          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:

          # - you want to enable the Branch-Protection check on a *public* repository, or

          # - you are installing Scorecard on a *private* repository

          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.

          # repo_token: ${{ secrets.SCORECARD_TOKEN }}


          # Public repositories:

          #   - Publish results to OpenSSF REST API for easy access by consumers

          #   - Allows the repository to include the Scorecard badge.

          #   - See https://github.com/ossf/scorecard-action#publishing-results.

          # For private repositories:

          #   - `publish_results` will always be set to `false`, regardless

          #     of the value entered here.

          publish_results: true


      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF

      # format to the repository Actions tab.

      - name: "Upload artifact"

        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3

        with:

          name: SARIF file

          path: results.sarif

          retention-days: 5


      # Upload the results to GitHub's code scanning dashboard.

      - name: "Upload to code-scanning"

        uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3

        with:

          sarif_file: results.sarif