Added the scorecard github action and its badge #10421
Conversation
Signed-off-by: harshitasao <[email protected]>
| on: | ||
| # For Branch-Protection check. Only the default branch is supported. See | ||
| # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection | ||
| branch_protection_rule: |
There was a problem hiding this comment.
Is this expected to have no value?
| # To guarantee Maintained check is occasionally updated. See | ||
| # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained | ||
| schedule: | ||
| - cron: '39 7 * * 6' |
There was a problem hiding this comment.
Any reason for choosing this particular time (it seems to be 7:39)? I assume having a different run time on different repo helps to not overload the servers. But I wonder if some comment explaining it would help to avoid someone changing it in the future?
There was a problem hiding this comment.
The time is generated by the scorecard github action; it is chosen randomly.
I think if it will be executed even as part of the this PR when the cron expression is removed, but I am not sure. At least when I was adding some GA in different repos it worked like that when I didnt have there cron trigger. |
.github/workflows/scorecards.yml
Outdated
| id-token: write | ||
| # Uncomment the permissions below if installing in a private repository. | ||
| # contents: read | ||
| # actions: read |
There was a problem hiding this comment.
this is not a private repo I guess we can remove this line. It seems they are coming from a template you are adapting here but we can remove what we don't need I guess, or?
| # - you want to enable the Branch-Protection check on a *public* repository, or | ||
| # - you are installing Scorecard on a *private* repository | ||
| # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. | ||
| # repo_token: ${{ secrets.SCORECARD_TOKEN }} |
There was a problem hiding this comment.
The comment says "you want to enable the Branch-Protection check on a public repository" so should we uncomment this repo_token. AFAIU we are enabling the branch protection due to the first branch_protection_rule field (even if it's empty, see Jakub's question).
There was a problem hiding this comment.
Branch-Protection doesn’t work when running the Scorecard Action. Or, rather, we’d need to feed it a GitHub Personal Access Token (PAT), and the risks should the PAT ever leak are greater than the benefit we get from having the Action run the check, so Scorecard itself recommends against giving a PAT.
There was a problem hiding this comment.
Sorry I didn't get you. So is branch protection enabled or not via your contribution? What about the branch_protection_rule: field?
.github/workflows/scorecards.yml
Outdated
| # - See https://github.com/ossf/scorecard-action#publishing-results. | ||
| # For private repositories: | ||
| # - `publish_results` will always be set to `false`, regardless | ||
| # of the value entered here. |
There was a problem hiding this comment.
again I would just delete this comment about private repositories.
Signed-off-by: harshitasao <[email protected]>
|
@ppatierno is this fine with you now? |
|
Thanks for the PR @harshitasao |
Type of change
Description
PR to add the Scorecard GitHub Action and its badge in the README file.
Fixes #10342
Checklist
Please go through this checklist and make sure all applicable tasks have been done