OpenSSF Scorecard #13

	name: OpenSSF Scorecard

	on:
	branch_protection_rule:
	schedule:
	- cron: "0 6 * * 1" # Monday 06:00 UTC
	push:
	branches: [main]

	# Deny all permissions by default — grant per-job
	permissions: {}

	jobs:
	scorecard:
	name: Scorecard
	runs-on: ubuntu-latest
	permissions:
	security-events: write # Upload SARIF to Security tab
	id-token: write # Sigstore attestation
	contents: read
	actions: read
	steps:
	- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
	with:
	persist-credentials: false

	- uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
	with:
	results_file: results.sarif
	results_format: sarif
	publish_results: true

	- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
	with:
	name: scorecard-results
	path: results.sarif
	retention-days: 5

	- uses: github/codeql-action/upload-sarif@603b797f8b14b413fe025cd935a91c16c4782713 # v3
	with:
	sarif_file: results.sarif

Provide feedback