.github/workflows/scorecard.yml

name: Scorecard Supply-chain Security

on:
  branch_protection_rule:
  push:
    branches: [ "main" ]
  schedule:
    - cron: '0 0 * * *'

### Ensures that only one CI task per branch/environment will run at a time ###
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      id-token: write

    steps:
      - name: Checkout code
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
        with:
          results_file: scorecard-results.sarif
          results_format: sarif
          publish_results: true

      - name: Upload DevSkim scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
        if: always()
        with:
          sarif_file: scorecard-results.sarif
          wait-for-processing: true