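---
# Runs OpenSSF Scorecard (via its Docker image) against the checked-out
# source on a self-hosted Docker runner, gates on a small set of required
# checks, and publishes the text report to the job summary.
name: OSSF Scorecard

# Read-only token for every job; nothing here needs to write to the repo.
permissions: read-all

on:
  workflow_call:
  workflow_dispatch:

jobs:
  scorecard:
    name: Scorecard
    runs-on: [self-hosted, linux, docker]
    steps:
      # Self-hosted runners may keep the workspace between jobs; wipe it
      # (including dotfiles) so a previous run's files cannot leak into this one.
      - name: Cleanup workspace
        run: sudo rm -rf ..?* .[!.]* *

      - name: Checkout PR branch
        # TODO(review): pin to a full commit SHA (actions/checkout@<full-sha>)
        # instead of the mutable v4 tag; Scorecard's own Pinned-Dependencies
        # check flags tag references.
        uses: actions/checkout@v4
        with:
          path: source

      - name: Pull Docker image
        # TODO(review): prefer pinning by digest
        # (gcr.io/openssf/scorecard@sha256:<digest>) over the mutable "stable"
        # tag so the scanner itself is reproducible.
        run: >
          docker pull gcr.io/openssf/scorecard:stable

      # The workspace is mounted at /tmp/work; the checkout lives at
      # /tmp/work/source and the report is written next to it in the workspace.
      # "$(pwd)" is quoted so a runner path containing spaces does not split.
      - name: Perform required checks
        run: >
          docker run --rm -v "$(pwd)":/tmp/work -w /tmp/work
          gcr.io/openssf/scorecard:stable
          --checks=Token-Permissions,Dangerous-Workflow,Binary-Artifacts
          --show-details
          --verbosity warn
          --local /tmp/work/source
          > scorecard.txt

      # Full run (all checks) as JSON for the custom checker below.
      - name: Generate full report
        run: >
          docker run --rm -v "$(pwd)":/tmp/work -w /tmp/work
          gcr.io/openssf/scorecard:stable
          --local /tmp/work/source
          --format json
          > scorecard.json

      # Evaluates the JSON report with the repo's own checker and config.
      # NOTE(review): this executes a script taken from the checked-out ref on
      # the self-hosted runner; callers of this reusable workflow should only
      # invoke it for refs they trust.
      - name: Check
        run: >
          python3 source/.github/workflows/scorecard/check.py
          scorecard.json
          --config source/.github/workflows/scorecard/config.yml

      # success() || failure() runs after a pass or a fail but, unlike
      # always(), not when the job was cancelled.
      - name: Report
        if: success() || failure()
        run: |
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          cat scorecard.txt >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"

      # Leave nothing behind on the shared runner.
      - name: Cleanup workspace
        run: sudo rm -rf ..?* .[!.]* *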