From 728de40187dc3709690a11501682a39dea1e6fdb Mon Sep 17 00:00:00 2001
From: mhucka
Date: Fri, 17 Apr 2026 16:58:58 +0000
Subject: [PATCH 1/2] Rename file to scorecard-scanner.yaml for clarity
---
.github/workflows/{ossf-scorecard.yaml => scorecard-scanner.yaml} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename .github/workflows/{ossf-scorecard.yaml => scorecard-scanner.yaml} (100%)
diff --git a/.github/workflows/ossf-scorecard.yaml b/.github/workflows/scorecard-scanner.yaml
similarity index 100%
rename from .github/workflows/ossf-scorecard.yaml
rename to .github/workflows/scorecard-scanner.yaml
From 29cb402fa7336e9eb8d77d3f9044ddc488caf92a Mon Sep 17 00:00:00 2001
From: mhucka
Date: Fri, 17 Apr 2026 18:45:33 +0000
Subject: [PATCH 2/2] Update Scorecard scannner workflow
This updates the workflow to the latest version used in many of our other Quantumlib repos. Main changes:
- Rename the file to something a little more clear
- Don't run the workflow on fork PRs, to avoid an error condition
- On the workflow summary page, print a link to the Scorecard results
- Streamline and reduce comments
---
.github/workflows/scorecard-scanner.yaml | 80 +++++++++++++++---------
1 file changed, 51 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/scorecard-scanner.yaml b/.github/workflows/scorecard-scanner.yaml
index 2caefeb..58c7974 100644
--- a/.github/workflows/scorecard-scanner.yaml
+++ b/.github/workflows/scorecard-scanner.yaml
@@ -1,60 +1,82 @@
-# Summary: workflow for OSSF Scorecard (https://github.com/ossf/scorecard).
+# Copyright 2026 Google LLC
 #
-# Scorecard is an automated tool that assesses a number of important heuristics
-# associated with software security and assigns each check a score of 0-10. The
-# use of Scorecard is suggested in Google's internal GitHub guidance
-# (go/github-docs).
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-# Scorecard creates a report page at the following URL (for a repo ORG/REPO):
-# https://scorecard.dev/viewer/?uri=github.com/ORG/REPO
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Scorecard analysis
+run-name: Run Scorecard scanner for security best practices
 
-name: Scorecard code scan
-run-name: Run Scorecard code scan
+# Scorecard (https://github.com/ossf/scorecard) is a repository-scanning tool
+# that evaluates a project's security practices. Its use is suggested by
+# Google's GitHub team. Scorecard's findings are reported in a repo's scanning
+# results page, https://github.com/quantumlib/REPO/security/code-scanning/.
 
 on:
 schedule:
 - cron: '19 20 * * 6'
-
- # Allow manual invocation.
 workflow_dispatch:
 
-# Declare default permissions as read only.
 permissions: read-all
 
-# Cancel any previously-started but still active runs on the same branch.
 concurrency:
 cancel-in-progress: true
 group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
 
 jobs:
- scorecard:
- name: Perform Scorecard analysis
- runs-on: ubuntu-22.04
- timeout-minutes: 10
+ run-scorecard:
+ # Skip fork PRs to avoid "Analysis configuration not found" errors.
+ if: >-
+ github.repository_owner == 'quantumlib' &&
+ (github.event_name != 'pull_request' ||
+ github.event.pull_request.head.repo.fork == false)
+ name: Scorecard analyzer
+ runs-on: ubuntu-24.04
 permissions:
- # Needed to upload the results to the code-scanning dashboard.
 security-events: write
- # Needed to publish results and get a badge (see publish_results below).
 id-token: write
+ timeout-minutes: 15
 steps:
 - name: Check out a copy of the git repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 
 - name: Run Scorecard analysis
- uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+ # yamllint disable rule:line-length
+ uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
 with:
- # Save the results
- results_file: results.sarif
+ results_file: scorecard-results.sarif
 results_format: sarif
-
- # Publish results to OpenSSF REST API.
- # See https://github.com/ossf/scorecard-action#publishing-results.
 publish_results: true
 
 - name: Upload results to code-scanning dashboard
- uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
+ # yamllint disable rule:line-length
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
 with:
- sarif_file: results.sarif
+ sarif_file: scorecard-results.sarif
+
+ # Scorecard doesn't allow submissions from jobs having steps that use "run:".
+ # Printing a summary needs to use "run:", so we have to use a separate job.
+ write-summary:
+ name: Scorecard results
+ needs: run-scorecard
+ runs-on: ubuntu-slim
+ timeout-minutes: 5
+ steps:
+ - name: Write the Scorecard report page link to the workflow summary
+ run: |
+ repo="${{github.repository}}"
+ url="https://scorecard.dev/viewer/?uri=github.com/${repo}"
+ {
+ echo -n "The results are available on the OpenSSF Scorecard "
+ echo "[report page for ${{github.repository}}]($url)."
+ } >> "$GITHUB_STEP_SUMMARY"
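Review bot: The two `# yamllint disable rule:line-length` comments added above the `uses:` lines in run-scorecard are file-scoped, not per-line: yamllint keeps a `disable` in force until a matching `# yamllint enable`, so the first one already silences line-length for the rest of the file (including the new write-summary job) and the second is redundant. If the intent is to exempt only the pinned-SHA lines, use `# yamllint disable-line rule:line-length` above each one instead. The hunk also drops the comments that justified `security-events: write` and `id-token: write`; both are elevated grants a reader will want explained, so I'd keep a one-liner such as `# security-events: write uploads the SARIF; id-token: write is required by publish_results.` The fork-PR guard in the new `if:` only applies to `pull_request` events, and this workflow is triggered by `schedule` and `workflow_dispatch` alone, so as written it reduces to the `repository_owner` check — harmless, but worth a comment so the next maintainer doesn't assume a `pull_request` trigger exists. Lastly, the summary step captures `repo` but then interpolates `${{github.repository}}` a second time in the echo; use `${repo}` there (or pass the value via `env:`) so the script has a single expression expansion.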