bartoszek/zephyr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
94de015498
zephyr/.github/workflows/scorecards.yml
Benjamin Cabé 6f4bb7ef62 ci: github: bump the actions-deps group across 1 directory with 8 updates 
Bumps the actions-deps group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4.1.7` | `4.2.2` |
| [actions/setup-python](https://github.com/actions/setup-python) | `5.4.0` | `5.5.0` |
| [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) | `8` | `9` |
| [tj-actions/changed-files](https://github.com/tj-actions/changed-files) | `46.0.1` | `46.0.3` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.3.5` | `4.6.2` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `4.1.9` | `4.2.1` |
| [github/codeql-action](https://github.com/github/codeql-action) | `3.28.11` | `3.28.13` |
| [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) | `3.0.22` | `3.0.23` |

Updates `actions/checkout` from 4.1.7 to 4.2.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4.1.7...11bd71901bbe5b1630ceea73d27597364c9af683)

Updates `actions/setup-python` from 5.4.0 to 5.5.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](42375524e2...8d9ed9ac5c)

Updates `dawidd6/action-download-artifact` from 8 to 9
- [Release notes](https://github.com/dawidd6/action-download-artifact/releases)
- [Commits](20319c5641...07ab29fd4a)

Updates `tj-actions/changed-files` from 46.0.1 to 46.0.3
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](2f7c5bfce2...823fcebdb3)

Updates `actions/upload-artifact` from 4.3.5 to 4.6.2
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4.3.5...ea165f8d65b6e75b540449e92b4886f43607fa02)

Updates `actions/download-artifact` from 4.1.9 to 4.2.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](cc20338598...95815c38cf)

Updates `github/codeql-action` from 3.28.11 to 3.28.13
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v3.28.11...1b549b9259bda1cb5ddde3b41741a82a2d15a841)

Updates `zgosalvez/github-actions-ensure-sha-pinned-actions` from 3.0.22
to 3.0.23
- [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
- [Commits](25ed13d062...4830be28ce)

---

Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
2025-03-31 20:16:41 -04:00

62 lines
2.3 KiB
YAML
Raw Blame History

# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.
name: Scorecards supply-chain security
on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:
# To guarantee Maintained check is occasionally updated. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
schedule:
- cron: '43 7 * * 6'
push:
branches:
- main
permissions: read-all
jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
permissions:
# Needed for Code scanning upload
security-events: write
# Needed for GitHub OIDC token if publish_results is true
id-token: write
steps:
- name: "Checkout code"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
with:
results_file: results.sarif
results_format: sarif
# Publish results to OpenSSF REST API for easy access by consumers.
# - Allows the repository to include the Scorecard badge.
# - See https://github.com/ossf/scorecard-action#publishing-results.
publish_results: true
# Upload the results as artifacts (optional). Commenting out will disable
# uploads of run results in SARIF format to the repository Actions tab.
# https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
- name: "Upload artifact"
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: SARIF file
path: results.sarif
retention-days: 5
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
with:
sarif_file: results.sarif
Reference in New Issue View Git Blame Copy Permalink