mirror of
https://github.com/docker/compose.git
synced 2026-07-10 18:24:10 +00:00
- actions/checkout v4 -> v6 - actions/upload-artifact v4/v6 -> v7 - actions/download-artifact v4/v7 -> v8 - docker/setup-buildx-action v3 -> v4 - docker/bake-action v6 -> v7 - actions/stale v9 -> v10 - actions/create-github-app-token v1 -> v3 - actions/github-script v7 -> v8 - ossf/scorecard-action v2.4.0 -> v2.4.3 - ncipollo/release-action v1.10.0 -> v1.21.0 - mxschmitt/action-tmate v3.11 -> v3.23 - codecov/codecov-action, test-summary/action, github/codeql-action: bump to latest patch Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
63 lines
2 KiB
YAML
63 lines
2 KiB
YAML
name: Scorecards supply-chain security
|
|
on:
|
|
# Only the default branch is supported.
|
|
branch_protection_rule:
|
|
schedule:
|
|
- cron: '44 9 * * 4'
|
|
push:
|
|
branches: [ "main" ]
|
|
|
|
jobs:
|
|
analysis:
|
|
name: Scorecards analysis
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
# Needed to upload the results to code-scanning dashboard.
|
|
security-events: write
|
|
# Used to receive a badge.
|
|
id-token: write
|
|
# read permissions to all the other objects
|
|
actions: read
|
|
attestations: read
|
|
checks: read
|
|
contents: read
|
|
deployments: read
|
|
issues: read
|
|
discussions: read
|
|
packages: read
|
|
pages: read
|
|
pull-requests: read
|
|
statuses: read
|
|
|
|
steps:
|
|
- name: "Checkout code"
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: "Run analysis"
|
|
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
|
|
with:
|
|
results_file: results.sarif
|
|
results_format: sarif
|
|
|
|
# Publish the results for public repositories to enable scorecard badges. For more details, see
|
|
# https://github.com/ossf/scorecard-action#publishing-results.
|
|
# For private repositories, `publish_results` will automatically be set to `false`, regardless
|
|
# of the value entered here.
|
|
publish_results: true
|
|
|
|
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
|
|
# format to the repository Actions tab.
|
|
- name: "Upload artifact"
|
|
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
|
|
with:
|
|
name: SARIF file
|
|
path: results.sarif
|
|
retention-days: 5
|
|
|
|
# Upload the results to GitHub's code scanning dashboard.
|
|
- name: "Upload to code-scanning"
|
|
uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
|
|
with:
|
|
sarif_file: results.sarif
|