Update scorecard.yml with token (#1603)
### What kind of change does this PR introduce?

* Adds a token that allows OpenSSF Scorecard workflow to see the branch
protection rules of `xclim`.

### Does this PR introduce a breaking change?

No.

### Other information:

The token (`OPENSSF_SCORECARD_TOKEN`) has been given the following
permissions for repositories `xclim`, `xscen`, `miranda`, `figanos`, and
`raven-hydro`:
- Administration: Read-Only
- Metadata: Read-Only
- Webhooks: Read-Only

This is set to expire on **January 1st, 2025**. After this point it will
need to be renewed or another person with maintainer access can generate
a new one.

See:
https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Zeitsperre authored Jan 17, 2024
2 parents 507bd0b + 3f4c927 commit 9ac718b
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions .github/workflows/scorecard.yml
@@ -31,6 +31,11 @@ jobs:
# actions: read

steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
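Review bot: the new Harden Runner step is added with `egress-policy: audit`, which only records outbound connections and blocks nothing; since this workflow handles a token with Administration read access on several repositories, consider following up with `egress-policy: block` plus an `allowed-endpoints` list once the audit runs show which hosts (api.github.com, the Scorecard API, etc.) the job actually needs. The action is pinned to a full commit SHA with a `# v2.6.1` version comment, which is the right form for this file.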
@@ -45,7 +50,7 @@ jobs:
# - you want to enable the Branch-Protection check on a *public* repository, or
# - you are installing Scorecard on a *private* repository
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
# repo_token: ${{ secrets.SCORECARD_TOKEN }}
repo_token: ${{ secrets.OPENSSF_SCORECARD_TOKEN }}

# Public repositories:
# - Publish results to OpenSSF REST API for easy access by consumers
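Review bot: the comment block kept above the new `repo_token: ${{ secrets.OPENSSF_SCORECARD_TOKEN }}` line still describes creating a classic PAT and links to `scorecard-action#authentication-with-pat`, while the commit message says this is a fine-grained token (Administration, Metadata, Webhooks: Read-Only, expiring January 1st, 2025). Suggest updating the comment to point at the fine-grained-auth-token document referenced in the commit message and recording the expiry date beside the key, so whoever maintains the workflow sees the renewal requirement without digging through commit history. Dropping the commented-out `# repo_token: ${{ secrets.SCORECARD_TOKEN }}` line rather than leaving a stale secret name in the file is the cleaner result.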
@@ -67,6 +72,6 @@ jobs:

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@1245696032ecf7d39f87d54daa406e22ddf769a8
uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # 3.23.0
with:
sarif_file: results.sarif
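Review bot: the bumped `github/codeql-action/upload-sarif` pin carries a `# 3.23.0` comment, whereas the other pin in this file uses the `# v2.6.1` form with a leading `v`. Tools that update SHA-pinned actions key off that trailing version comment, so keep the format consistent (`# v3.23.0`) to avoid the pin being skipped or mis-parsed on the next update.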
