refactor(scorecard): route meta self-scan through filtered scorecard, drop scorecard-publish#271
Merged
Merged
Conversation
… drop scorecard-publish meta's self-supply-chain.yml now calls the private, filtered scorecard.yml (publish_results: false) instead of the public scorecard-publish.yml, so meta's own code scanning goes through the same SARIF posture-noise filter as every other repo. Its required job-level contents:write and internal @main reusable pins are dropped automatically instead of needing per-alert dismissals. meta displays no OpenSSF badge and was the only repo using scorecard-publish.yml, so the public-API publish path is removed entirely. Cleaned up all references. Refs nics-dp/TMDs#231 Closes #270
Contributor
There was a problem hiding this comment.
Pull request overview
此 PR 將 meta repo 自我掃描(self-supply-chain)從原本的公開 publish 變體改為走同一條「私有且帶 SARIF posture-noise filter」的 scorecard.yml reusable 路徑,並移除已無用途的 scorecard-publish.yml,同時清理文件引用,使 meta 的 code-scanning 輸出與其他 repos 一致、降低噪音告警。
Changes:
self-supply-chain.yml改用scorecard.yml@main並關閉 publish、移除不再需要的id-token: write,改以 App key secret 供私有評分用。- 刪除
scorecard-publish.yml(不再提供/使用公開 API publish 路徑)。 - 更新
scorecard.yml與文件(README/CLAUDE)中的說明與引用(移除 publish 變體相關敘述)。
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/self-supply-chain.yml |
將 meta self-scan 改路由至帶 filter 的 scorecard.yml,並調整 permissions/secrets。 |
.github/workflows/scorecard.yml |
更新註解/說明以反映「不 publish」的唯一 reusable 路徑(仍保留相容性 input)。 |
.github/workflows/scorecard-publish.yml |
移除不再使用的公開 publish 版本 workflow。 |
README.md |
文件移除 scorecard-publish.yml 列表項並更新 meta 自用 workflow 說明。 |
CLAUDE.md |
文件移除 scorecard-publish.yml 說明並更新 meta 自用 workflow 說明。 |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…red upload Address Copilot on #271: scorecard.yml is now the only variant and uploads results.filtered.sarif; update the header comment, the publish input description, README and CLAUDE.md accordingly.
Address Copilot round 2 on #271: remove leftover PRIVATE/private/私有 wording in self-supply-chain.yml, CLAUDE.md and README.md that implied another publish variant still exists. scorecard.yml is the sole, non-publishing variant.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
meta's
self-supply-chain.ymlnow calls the private, filteredscorecard.yml(
publish_results: false) instead of the publicscorecard-publish.yml, andscorecard-publish.ymlis removed.Why
meta was the only repo using the public publish variant, which is OpenSSF
allowlist-locked and therefore cannot carry the SARIF posture-noise filter that
scorecard.ymlgained in #266/#267. That left meta's required job-levelcontents: write(self-release) and internal@mainreusable pins as permanentnoise that could only be dismissed (a weekly re-open treadmill).
Routing meta through the filtered private variant makes its code scanning
consistent with every other repo -- that noise is now dropped automatically. meta
displays no OpenSSF badge, so removing the public-API publish path costs nothing.
Changes
self-supply-chain.yml:uses:scorecard.yml@main,publish: false, pass thescorecard App key secret, drop the unused
id-token: write.scorecard-publish.yml.scorecard.ymlheader/comments,CLAUDE.md,README.md.After merge
promote dev -> main, then meta's next Scorecard run uploads a filtered SARIF and
the meta job-level TokenPermissions + internal Pinned alerts close on their own
(the earlier manual dismissals become redundant).
Refs nics-dp/TMDs#231
Closes #270