diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 7363cec43..80868cac8 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,72 +1,26 @@ -# This workflow uses actions that are not certified by GitHub. They are provided -# by a third-party and are governed by separate terms of service, privacy -# policy, and support documentation. - name: Scorecard supply-chain security on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection branch_protection_rule: + + # Manual trigger + workflow_dispatch: + # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - - cron: '27 22 * * 4' + - cron: "0 5 * * 1" push: - branches: [ "main" ] + branches: ["main"] # Declare default permissions as read only. permissions: read-all jobs: - analysis: - name: Scorecard analysis - runs-on: ubuntu-latest + ossf: + uses: TBD54566975/open-source-programs/.github/workflows/scorecard.yml@main + secrets: inherit permissions: - # Needed to upload the results to code-scanning dashboard. security-events: write - # Needed to publish results and get a badge (see publish_results below). id-token: write - # Uncomment the permissions below if installing in a private repository. - # contents: read - # actions: read - - steps: - - name: "Checkout code" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 - with: - persist-credentials: false - - - name: "Run analysis" - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 - with: - results_file: results.sarif - results_format: sarif - # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: - # - you want to enable the Branch-Protection check on a *public* repository, or - # - you are installing Scorecard on a *private* repository - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. 
- # repo_token: ${{ secrets.SCORECARD_TOKEN }} - - # Public repositories: - # - Publish results to OpenSSF REST API for easy access by consumers - # - Allows the repository to include the Scorecard badge. - # - See https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories: - # - `publish_results` will always be set to `false`, regardless - # of the value entered here. - publish_results: true - - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. - - name: "Upload artifact" - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 #v4.3.1 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - # Upload the results to GitHub's code scanning dashboard. - - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 - with: - sarif_file: results.sarif
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 345767f74..fcb25fcc8 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -1,4 +1,4 @@ -name: Security Scanning +name: Security and License Scans on: pull_request_target:
@@ -17,22 +17,6 @@ on: workflow_dispatch: jobs: - fossa: - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 - with: - ref: ${{ github.head_ref }} - - - name: Run FOSSA Scan - uses: fossas/fossa-action@main - with: - api-key: ${{ secrets.FOSSA_API_KEY }} - - name: Run FOSSA Test - uses: fossas/fossa-action@main - with: - api-key: ${{ secrets.FOSSA_API_KEY }} - run-tests: true + security-license-scan: + uses: TBD54566975/open-source-programs/.github/workflows/security.yml@main + secrets: inherit
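Review bot: The new `ossf` job references the reusable workflow by the mutable ref `@main` (`uses: TBD54566975/open-source-programs/.github/workflows/scorecard.yml@main`), while every action the hunk removes was pinned to a full commit SHA with a version comment; the same applies to the `uses:` line in the security.yml hunk below. Scorecard's own Pinned-Dependencies check will flag this, and combined with `secrets: inherit` on the next line it means whoever can push to that branch of the other repository controls a job that receives every secret of this one. Pin to a commit, e.g. `uses: TBD54566975/open-source-programs/.github/workflows/scorecard.yml@<commit-sha>  # <version>`, and replace `secrets: inherit` with an explicit `secrets:` map naming only what the called workflow declares, which is not visible here. The kept `permissions` block also lost the two comments explaining its elevated grants; restoring `# Needed to upload the results to code-scanning dashboard.` above `security-events: write` and `# Needed to publish results and get a badge.` above `id-token: write` keeps those grants reviewable.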
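Review bot: `secrets: inherit` on the new `security-license-scan` job forwards every repository secret into a workflow that this file runs on `pull_request_target` (visible in the first hunk's context), so a pull request from a fork now triggers a job holding all secrets; the removed `fossa` job checked out `${{ github.head_ref }}` under that same trigger, and whether the called workflow still does so cannot be seen from here. Least privilege would be an explicit map with only the scan's credential, e.g. `secrets:` followed by `FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}` (the one secret the removed job used), assuming the reusable workflow declares that input. The `on:` stanza this job depends on begins before the hunk (`@@ -17,22 +17,6 @@ on:`), so the trigger filters in force are not fully visible.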