chore(deps): bump step-security/harden-runner (#20) #44

Workflow file for this run

.github/workflows/scorecard.yml at ad37b0a

	name: Scorecard

	on:
	schedule:
	- cron: '0 6 * * 1' # Weekly on Monday 6am UTC
	push:
	branches: [main]
	paths-ignore:
	- 'docs/**'
	- '.github/*.md'
	workflow_dispatch:

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
	cancel-in-progress: ${{ github.event_name == 'push' }}

	# Minimum permissions at workflow level; job-level permissions grant only what's needed
	permissions: {}

	jobs:
	# Job 1: Run Scorecard and publish to OpenSSF (requires uses-only steps)
	# Note: Scorecard only runs on the main repository, not forks (forks lack required permissions)
	analysis:
	if: ${{ !github.event.repository.fork }}
	runs-on: ubuntu-24.04
	timeout-minutes: 10
	permissions:
	contents: read # Required for checkout
	id-token: write # Publish results to OpenSSF
	actions: read # Required for Scorecard GraphQL queries in private repos
	issues: read # Required for GraphQL ListCommits on private repos
	pull-requests: read # Required for GraphQL ListCommits on private repos
	checks: read # Required for GraphQL queries on private repos

	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
	with:
	egress-policy: block
	allowed-endpoints: >
	api.deps.dev:443
	api.github.com:443
	api.osv.dev:443
	api.scorecard.dev:443
	api.securityscorecards.dev:443
	fulcio.sigstore.dev:443
	github.com:443
	objects.githubusercontent.com:443
	oss-fuzz-build-logs.storage.googleapis.com:443
	rekor.sigstore.dev:443
	tuf-repo-cdn.sigstore.dev:443
	www.bestpractices.dev:443

	- name: Checkout
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false

	- name: Run Scorecard
	uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
	with:
	results_file: results.sarif
	results_format: sarif
	publish_results: true

	- name: Upload SARIF artifact
	uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
	with:
	name: scorecard-sarif
	path: results.sarif
	retention-days: 14

	# Job 2: Process SARIF and upload to GitHub Code Scanning (allows run steps)
	upload:
	if: ${{ !cancelled() && !github.event.repository.fork && needs.analysis.result == 'success' }}
	runs-on: ubuntu-24.04
	needs: analysis
	timeout-minutes: 5
	permissions:
	contents: read # Required for codeql-action to identify repository context
	security-events: write # Upload SARIF results
	actions: read # Required for codeql-action to get workflow run info

	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
	with:
	egress-policy: block
	allowed-endpoints: >
	api.github.com:443
	github.com:443
	uploads.github.com:443

	- name: Download SARIF artifact
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: scorecard-sarif

	- name: Add SARIF summary
	run: \|
	set -euo pipefail

	# Validate SARIF structure before modifying
	if ! jq -e '.runs[0]' results.sarif > /dev/null 2>&1; then
	echo "::error::Invalid SARIF file - missing runs array"
	exit 1
	fi

	# Write workflow summary for GitHub Actions UI
	{
	echo "## Scorecard Analysis Complete"
	echo ""
	echo "Results uploaded to the Code Scanning tab."
	echo ""
	echo "Scorecard evaluates repository security posture across 18 checks including:"
	echo "- Branch protection"
	echo "- Dependency management"
	echo "- CI/CD security"
	echo "- Vulnerability disclosure"
	} >> "$GITHUB_STEP_SUMMARY"

	# Add a summary note to the first SARIF run's invocations, preserving any existing invocation data.
	jq '.runs[0].invocations = (.runs[0].invocations // []) + [{"executionSuccessful": true, "toolExecutionNotifications": [{"level": "note", "message": {"text": "Scorecard evaluated repository security posture across 18 checks including branch protection, dependency management, CI/CD security, and vulnerability disclosure."}, "descriptor": {"id": "scanned-files-summary"}}]}]' \
	results.sarif > results.tmp
	mv results.tmp results.sarif

	- name: Upload to Code Scanning
	uses: github/codeql-action/upload-sarif@cb4e075f119f8bccbc942d49655b2cd4dc6e615a # v4
	with:
	sarif_file: results.sarif
	category: scorecard

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump step-security/harden-runner (#20) #44

Workflow file

chore(deps): bump step-security/harden-runner (#20) #44

Uh oh!

Workflow file for this run