From bee178348b84a974b92fc158225ff716aa7ebd90 Mon Sep 17 00:00:00 2001
From: John Collinson <13622412+johncollinson2001@users.noreply.github.com>
Date: Thu, 26 Feb 2026 21:24:47 +0000
Subject: [PATCH 1/3] Add OpenSSF Scorecard Analysis workflow
---
 .../workflows/openssf-scorecard-analysis.yml | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 .github/workflows/openssf-scorecard-analysis.yml
diff --git a/.github/workflows/openssf-scorecard-analysis.yml b/.github/workflows/openssf-scorecard-analysis.yml
new file mode 100644
index 0000000..addcc39
--- /dev/null
+++ b/.github/workflows/openssf-scorecard-analysis.yml
@@ -0,0 +1,39 @@
+name: OpenSSF Scorecard Analysis
+
+on:
+ workflow_dispatch:
+ pull_request:
+ schedule:
+ - cron: '30 4 * * 6'
+ push:
+ branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: "Pull OpenSSF Scorecard image"
+ run: docker pull ghcr.io/ossf/scorecard/v5:latest
+
+ - name: "Run OpenSSF Scorecard analysis"
+ env:
+ GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ docker run \
+ -e GITHUB_AUTH_TOKEN \
+ ghcr.io/ossf/scorecard/v5:latest \
+ --repo=${{ github.server_url }}/${{ github.repository }} \
+ --show-details \
+ --format=json > scorecard-results.json
+
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ with:
+ name: openssf-scorecard-results
+ path: scorecard-results.json
+ retention-days: 90
\ No newline at end of file
From 091334e0025a216ef148b5ebaa387529e1c4140f Mon Sep 17 00:00:00 2001
From: John Collinson <13622412+johncollinson2001@users.noreply.github.com>
Date: Thu, 26 Feb 2026 21:42:06 +0000
Subject: [PATCH 2/3] Update OpenSSF Scorecard analysis to use dedicated authentication token
---
 .github/workflows/openssf-scorecard-analysis.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
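Review bot: Both `run:` steps pull and execute `ghcr.io/ossf/scorecard/v5:latest`, a mutable tag, while the `actions/upload-artifact` step just below is pinned to a commit SHA; that container is what receives `GITHUB_AUTH_TOKEN`, so code running under a moved tag has the token. Pin the image by digest in both steps and keep the version in a trailing comment, `ghcr.io/ossf/scorecard/v5@sha256:<digest>  # v5.x.y` — with `latest`, the pull step and the run step can even resolve to different images. The job deliberately has no `actions/checkout` and points scorecard at the repository URL via `--repo=`, which is what keeps a `pull_request` from a fork from ever executing PR code here; that is worth a comment on the job, e.g. `# No checkout on purpose: scorecard is given the repo URL, so PR code is never run in this job`. Adding `--rm` to `docker run` would also stop the exited container lingering, though on a hosted runner that is cosmetic.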
diff --git a/.github/workflows/openssf-scorecard-analysis.yml b/.github/workflows/openssf-scorecard-analysis.yml
index addcc39..5d0929b 100644
--- a/.github/workflows/openssf-scorecard-analysis.yml
+++ b/.github/workflows/openssf-scorecard-analysis.yml
@@ -22,7 +22,9 @@ jobs:
 - name: "Run OpenSSF Scorecard analysis"
 env:
- GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # A dedicated token is required as explained in
+ # https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
+ GITHUB_AUTH_TOKEN: ${{ secrets.SCORECARD_TOKEN }}
 run: |
 docker run \
 -e GITHUB_AUTH_TOKEN \
From cdb936fd8a74a6eb53c58f70e82fb8f2b9ba7739 Mon Sep 17 00:00:00 2001
From: John Collinson <13622412+johncollinson2001@users.noreply.github.com>
Date: Wed, 3 Jun 2026 16:50:48 +0100
Subject: [PATCH 3/3] Refactor OpenSSF Scorecard workflow: remove schedule section and adjust formatting
---
 .github/workflows/openssf-scorecard-analysis.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/openssf-scorecard-analysis.yml b/.github/workflows/openssf-scorecard-analysis.yml
index 5d0929b..4e616b6 100644
--- a/.github/workflows/openssf-scorecard-analysis.yml
+++ b/.github/workflows/openssf-scorecard-analysis.yml
@@ -3,10 +3,8 @@ name: OpenSSF Scorecard Analysis
 on:
 workflow_dispatch:
 pull_request:
- schedule:
- - cron: '30 4 * * 6'
 push:
- branches: [ "main" ]
+ branches: ["main"]
 permissions: read-all
@@ -22,7 +20,7 @@ jobs:
 - name: "Run OpenSSF Scorecard analysis"
 env:
- # A dedicated token is required as explained in
+ # A dedicated token is required as explained in
 # https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
 GITHUB_AUTH_TOKEN: ${{ secrets.SCORECARD_TOKEN }}
 run: |
@@ -38,4 +36,4 @@ jobs:
 with:
 name: openssf-scorecard-results
 path: scorecard-results.json
- retention-days: 90
\ No newline at end of file
+ retention-days: 90
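Review bot: `secrets.SCORECARD_TOKEN` is a repository secret, and unlike `GITHUB_TOKEN` it is not supplied to `pull_request` runs coming from forks, so on those runs `GITHUB_AUTH_TOKEN` is empty and the scorecard step will fail or run unauthenticated and rate-limited (the `pull_request` trigger itself sits outside this hunk). Either drop `pull_request` or gate the job on same-repo PRs, `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. The new comment should also say what the secret is so whoever rotates it keeps it least-privilege: `# Fine-grained PAT, read-only, with an expiry; grant only the scopes listed at the link below` — listing the scopes you actually granted is better still.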
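Review bot: The new `on:` block has no time-based trigger, so a repository that sees no pushes or pull requests produces no fresh analysis and its last `openssf-scorecard-results` artifact simply expires under the 90-day retention set further down. Scorecard checks that draw on data outside the repository (vulnerability advisories, as far as I recall) drift without a periodic run, which is why the weekly cron is the usual shape for this workflow. If dropping it is intentional, record the reason in a one-line comment under `on:`, e.g. `# No scheduled run on purpose: results are only wanted per change`; otherwise keep `schedule:` with `- cron: '30 4 * * 6'`. The `branches: ["main"]` quoting change is cosmetic.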