プレイグラウンド、サンドボックス、使い捨てスクリプト置き場
0

Configure Feed

Select the types of activity you want to include in your feed.

Add OSSF Scorecard Action for automated security analysis (#231)

* Add OSSF Scorecard workflow

Co-authored-by: kou029w <1730234+kou029w@users.noreply.github.com>

authored by

Copilot
kou029w
and committed by
GitHub
(Oct 28, 2025, 12:01 PM +0900) b6f0a5d6 ce39b932

+50
+50
.github/workflows/scorecard.yml
··· 1 + name: OSSF Scorecard 2 + on: 3 + push: 4 + branches: 5 + - main 6 + schedule: 7 + # Weekly on Saturdays at 1:30 AM UTC 8 + - cron: '30 1 * * 6' 9 + 10 + permissions: read-all 11 + 12 + jobs: 13 + analysis: 14 + name: Scorecard analysis 15 + runs-on: ubuntu-latest 16 + permissions: 17 + # Needed for Code scanning upload 18 + security-events: write 19 + # Needed for GitHub OIDC token if publish_results is true 20 + id-token: write 21 + 22 + steps: 23 + - name: Checkout code 24 + uses: actions/checkout@v4 25 + with: 26 + persist-credentials: false 27 + 28 + - name: Run analysis 29 + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 30 + with: 31 + results_file: results.sarif 32 + results_format: sarif 33 + # Scorecard team runs a weekly scan of public GitHub repos. 34 + # Setting publish_results: true helps scale by leveraging your workflow to 35 + # extract the results instead of relying on OSSF infrastructure. 36 + publish_results: true 37 + 38 + # Upload the results as artifacts (optional). 39 + - name: Upload artifact 40 + uses: actions/upload-artifact@v4 41 + with: 42 + name: SARIF file 43 + path: results.sarif 44 + retention-days: 5 45 + 46 + # Upload the results to GitHub's code scanning dashboard. 47 + - name: Upload to code-scanning 48 + uses: github/codeql-action/upload-sarif@v3 49 + with: 50 + sarif_file: results.sarif