github/html5-boilerplate
1
1
Fork 0
mirror of https://github.com/h5bp/html5-boilerplate.git synced 2026-01-09 22:58:12 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add OSSF Scorecard security workflow (#3287)

Browse Source 
This also pins move GitHub Actions so our initial score will be higher.
This commit is contained in:
Christian Oliff
2025-09-11 01:31:34 +09:00
committed by GitHub
parent 1fd0124ecd
commit f814431eea
5 changed files with 49 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/dependency-review.yml vendored
View File

@@ -14,4 +14,4 @@ jobs:
persist-credentials: false persist-credentials: false
- name: "Dependency Review" - name: "Dependency Review"
uses: actions/dependency-review-action@v4 uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3

43
.github/workflows/ossf-scorecard.yml vendored Normal file
View File

@@ -0,0 +1,43 @@
name: Scorecard supply-chain security
on:
branch_protection_rule:
schedule:
- cron: '27 12 * * 2'
push:
branches: [ "main" ]
permissions: read-all
jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
permissions:
security-events: write
id-token: write
steps:
- name: "Checkout code"
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
with:
results_file: results.sarif
results_format: sarif
publish_results: true
- name: "Upload artifact"
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: SARIF file
path: results.sarif
retention-days: 5
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.30.1
with:
sarif_file: results.sarif

4
.github/workflows/publish.yml vendored
View File

@@ -27,7 +27,7 @@ jobs:
run: zip -r ../html5-boilerplate_${{ steps.get_version.outputs.VERSION }}.zip ./ run: zip -r ../html5-boilerplate_${{ steps.get_version.outputs.VERSION }}.zip ./
- name: Create Release - name: Create Release
id: create_release id: create_release
uses: actions/create-release@v1 uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with: with:
@@ -37,7 +37,7 @@ jobs:
prerelease: false prerelease: false
- name: Upload Release Asset - name: Upload Release Asset
id: upload-release-asset id: upload-release-asset
uses: actions/upload-release-asset@v1 uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with: with:

2
.github/workflows/push-to-template.yml vendored
View File

@@ -22,6 +22,8 @@ jobs:
restore-keys: | restore-keys: |
${{ runner.os }}-node- ${{ runner.os }}-node-
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Setup Node.js - name: Setup Node.js
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with: with:

2
.github/workflows/test.yml vendored
View File

@@ -26,7 +26,7 @@ jobs:
id: npm-cache id: npm-cache
run: | run: |
echo "dir=$(npm config get cache)" >> "$GITHUB_OUTPUT" echo "dir=$(npm config get cache)" >> "$GITHUB_OUTPUT"
- uses: actions/cache@v3 - uses: actions/cache@2f8e54208210a422b2efd51efaa6bd6d7ca8920f # v3.4.3
with: with:
path: ${{ steps.npm-cache.outputs.dir }} path: ${{ steps.npm-cache.outputs.dir }}
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}