taiars/nora
1
0
Fork 0
mirror of https://github.com/getnora-io/nora.git synced 2026-04-12 06:50:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0c95fa97861652a2ad5e50ea41387cf93128a85d
nora/.github/workflows/scorecard.yml
DevITWay | Pavel Volkov 0c95fa9786 fix: revert codeql-action to tag in scorecard.yml (#105) 
Scorecard webapp verifies upload-sarif action by tag, not SHA.
Pinning to SHA causes imposter commit error on webapp submission.
2026-04-06 02:38:06 +03:00

39 lines
999 B
YAML
Raw Blame History

name: OpenSSF Scorecard
on:
push:
branches: [main]
schedule:
- cron: '0 6 * * 1'
permissions: read-all
jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
permissions:
security-events: write
id-token: write
contents: read
actions: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Run OpenSSF Scorecard
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: results.sarif
results_format: sarif
publish_results: true
repo_token: ${{ secrets.SCORECARD_TOKEN || secrets.GITHUB_TOKEN }}
- name: Upload Scorecard results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4 # tag required by scorecard webapp verification
with:
sarif_file: results.sarif
category: scorecard
Reference in New Issue View Git Blame Copy Permalink