scorecard.yml
---
# OpenSSF Scorecard workflow: analyses this repository's supply-chain
# hygiene and surfaces the SARIF findings in the code-scanning dashboard.
name: Scorecard

on:
  # Branch-protection settings are one of the things Scorecard checks, so
  # re-run when they change.
  branch_protection_rule: {}
  # Weekly run: Saturday 23:28 UTC (GitHub cron schedules are in UTC).
  schedule:
    - cron: "28 23 * * 6"
  pull_request:
    branches:
      - main
  push:
    branches:
      - main

# Workflow-wide default: every token scope is read-only. The job below
# declares its own `permissions` block, which replaces this default rather
# than extending it, so any scope not listed there is `none`.
permissions: read-all

jobs:
  analysis:
    name: Scorecard
    runs-on: ubuntu-latest
    # Skip pushes to non-default branches; every pull_request event still runs.
    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
    permissions:
      # Needed by codeql-action/upload-sarif to create code-scanning alerts.
      security-events: write
      # Needed by scorecard-action for OIDC when `publish_results` is true.
      id-token: write

    steps:
      # Check out without storing GITHUB_TOKEN in .git/config, so later
      # steps and any tooling they run cannot reuse it.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      # Run the Scorecard checks and write a SARIF report.
      - uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
        with:
          results_file: results.sarif
          results_format: sarif
          # Also publish the score to the public Scorecard API (badge data).
          publish_results: true

      # Keep the raw report briefly as a build artifact for manual inspection.
      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Import the findings into the repository's code-scanning dashboard.
      - uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
        with:
          sarif_file: results.sarif