Scorecard supply-chain security #9

	# Copyright (c) 2024 Intel Corporation
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	# This workflow uses actions that are not certified by GitHub. They are provided
	# by a third-party and are governed by separate terms of service, privacy
	# policy, and support documentation.

	name: Scorecard supply-chain security
	on:
	branch_protection_rule:
	schedule:
	- cron: '0 6 * * 0'
	push:
	branches: [ "main" ]
	workflow_dispatch:
	permissions: read-all
	jobs:
	analysis:
	name: Scorecard analysis
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	id-token: write
	contents: read
	actions: read
	steps:
	- uses: step-security/harden-runner@v2
	with:
	egress-policy: audit
	- uses: actions/checkout@v4
	with:
	persist-credentials: false
	- uses: ossf/[email protected]
	with:
	results_file: results.sarif
	results_format: sarif
	repo_token: ${{ secrets.ACTION_TOKEN }}
	publish_results: true
	- uses: actions/upload-artifact@v3
	with:
	name: SARIF file
	path: results.sarif
	retention-days: 5
	- uses: github/codeql-action/[email protected]
	with:
	sarif_file: results.sarif

Provide feedback