From 93c39a87c372072c30561c1cafd26326761c2454 Mon Sep 17 00:00:00 2001 From: Sage Hart Date: Sat, 11 Jul 2026 23:50:30 -0500 Subject: [PATCH] fix(security): add OpenSSF Scorecard workflow --- .github/workflows/scorecard.yml | 36 +++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..4b5ab02 --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,36 @@ +name: OpenSSF Scorecard + +on: + branch_protection_rule: + schedule: + - cron: "0 5 * * 1" + push: + branches: [main] + +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + security-events: write + + steps: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + + - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: scorecard