flux2/.github/workflows/ossf.yaml

name: ossf
on:
  workflow_dispatch:
  push:
    branches:
      - main
  schedule:
    # Weekly on Saturdays.
    - cron:  '30 1 * * 6'

permissions: read-all

jobs:
  scorecard:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      id-token: write
      actions: read
      contents: read
    steps:
      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
      - name: Run analysis
        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          publish_results: true
      - name: Upload artifact
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
        with:
          sarif_file: results.sarif
Add OSSF Scorecard Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`name: ossf`
			`on:`
			`workflow_dispatch:`
			`push:`
			`branches:`
			`- main`
			`schedule:`
			`# Weekly on Saturdays.`
			`- cron: '30 1 * * 6'`

			`permissions: read-all`

			`jobs:`
			`scorecard:`
			`runs-on: ubuntu-latest`
			`permissions:`
			`security-events: write`
			`id-token: write`
			`actions: read`
			`contents: read`
			`steps:`
build(deps): bump the ci group across 1 directory with 6 updates Bumps the ci group with 6 updates in the / directory: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [actions/checkout](https://github.com/actions/checkout) \| `4.1.7` \| `4.2.0` \| \| [fluxcd/pkg](https://github.com/fluxcd/pkg) \| `e40e7ed2bc31c6b6e36d263b6299e5082d9fef12` \| `30c101fc7c9fac4d84937ff4890a3da46a9db2dd` \| \| [Azure/login](https://github.com/azure/login) \| `2.1.1` \| `2.2.0` \| \| [actions/upload-artifact](https://github.com/actions/upload-artifact) \| `4.3.6` \| `4.4.0` \| \| [github/codeql-action](https://github.com/github/codeql-action) \| `3.26.5` \| `3.26.9` \| \| [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) \| `6.1.0` \| `7.0.5` \| Updates `actions/checkout` from 4.1.7 to 4.2.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/692973e3d937129bcbf40652eb9f2f61becf3332...d632683dd7b4114ad314bca15554477dd762a938) Updates `fluxcd/pkg` from e40e7ed2bc31c6b6e36d263b6299e5082d9fef12 to 30c101fc7c9fac4d84937ff4890a3da46a9db2dd - [Commits](https://github.com/fluxcd/pkg/compare/e40e7ed2bc31c6b6e36d263b6299e5082d9fef12...30c101fc7c9fac4d84937ff4890a3da46a9db2dd) Updates `Azure/login` from 2.1.1 to 2.2.0 - [Release notes](https://github.com/azure/login/releases) - [Commits](https://github.com/azure/login/compare/6c251865b4e6290e7b78be643ea2d005bc51f69a...a65d910e8af852a8061c627c456678983e180302) Updates `actions/upload-artifact` from 4.3.6 to 4.4.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/834a144ee995460fba8ed112a2fc961b36a5ec5a...50769540e7f4bd5e21e526ee35c689e35e0d6874) Updates `github/codeql-action` from 3.26.5 to 3.26.9 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/2c779ab0d087cd7fe7b826087247c2c81f27bfa6...461ef6c76dfe95d5c364de2f431ddbd31a417628) Updates `peter-evans/create-pull-request` from 6.1.0 to 7.0.5 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/c5a7806660adbe173f04e3e038b0ccdcd758773c...5e914681df9dc83aa4e4905692ca88beb2f9e91f) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: fluxcd/pkg dependency-type: direct:production dependency-group: ci - dependency-name: Azure/login dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci ... Signed-off-by: dependabot[bot] <support@github.com> 4 months ago			`- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0`
Add OSSF Scorecard Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`- name: Run analysis`
build(deps): bump the ci group across 1 directory with 13 updates Bumps the ci group with 13 updates in the / directory: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [actions/checkout](https://github.com/actions/checkout) \| `4.1.6` \| `4.1.7` \| \| [actions/setup-go](https://github.com/actions/setup-go) \| `5.0.1` \| `5.0.2` \| \| [google-github-actions/auth](https://github.com/google-github-actions/auth) \| `2.1.3` \| `2.1.4` \| \| [google-github-actions/setup-gcloud](https://github.com/google-github-actions/setup-gcloud) \| `2.1.0` \| `2.1.1` \| \| [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) \| `3.0.0` \| `3.2.0` \| \| [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) \| `3.3.0` \| `3.6.1` \| \| [docker/login-action](https://github.com/docker/login-action) \| `3.2.0` \| `3.3.0` \| \| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) \| `2.3.3` \| `2.4.0` \| \| [actions/upload-artifact](https://github.com/actions/upload-artifact) \| `4.3.3` \| `4.3.6` \| \| [github/codeql-action](https://github.com/github/codeql-action) \| `3.25.8` \| `3.26.1` \| \| [anchore/sbom-action](https://github.com/anchore/sbom-action) \| `0.16.0` \| `0.17.1` \| \| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) \| `3.5.0` \| `3.6.0` \| \| [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) \| `6.0.5` \| `6.1.0` \| Updates `actions/checkout` from 4.1.6 to 4.1.7 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/a5ac7e51b41094c92402da3b24376905380afc29...692973e3d937129bcbf40652eb9f2f61becf3332) Updates `actions/setup-go` from 5.0.1 to 5.0.2 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/cdcb36043654635271a94b9a6d1392de5bb323a7...0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32) Updates `google-github-actions/auth` from 2.1.3 to 2.1.4 - [Release notes](https://github.com/google-github-actions/auth/releases) - [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md) - [Commits](https://github.com/google-github-actions/auth/compare/71fee32a0bb7e97b4d33d548e7d957010649d8fa...f112390a2df9932162083945e46d439060d66ec2) Updates `google-github-actions/setup-gcloud` from 2.1.0 to 2.1.1 - [Release notes](https://github.com/google-github-actions/setup-gcloud/releases) - [Changelog](https://github.com/google-github-actions/setup-gcloud/blob/main/CHANGELOG.md) - [Commits](https://github.com/google-github-actions/setup-gcloud/compare/98ddc00a17442e89a24bbf282954a3b65ce6d200...f0990588f1e5b5af6827153b93673613abdc6ec7) Updates `docker/setup-qemu-action` from 3.0.0 to 3.2.0 - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](https://github.com/docker/setup-qemu-action/compare/68827325e0b33c7199eb31dd4e31fbe9023e06e3...49b3bc8e6bdd4a60e6116a5414239cba5943d3cf) Updates `docker/setup-buildx-action` from 3.3.0 to 3.6.1 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/d70bba72b1f3fd22344832f00baa16ece964efeb...988b5a0280414f521da01fcc63a27aeeb4b104db) Updates `docker/login-action` from 3.2.0 to 3.3.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/0d4c9c5ea7693da7b068278f7b52bda2a190a446...9780b0c442fbb1117ed29e0efdff1e18412f7567) Updates `ossf/scorecard-action` from 2.3.3 to 2.4.0 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/dc50aa9510b46c811795eb24b2f1ba02a914e534...62b2cac7ed8198b15735ed49ab1e5cf35480ba46) Updates `actions/upload-artifact` from 4.3.3 to 4.3.6 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/65462800fd760344b1a7b4382951275a0abb4808...834a144ee995460fba8ed112a2fc961b36a5ec5a) Updates `github/codeql-action` from 3.25.8 to 3.26.1 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/2e230e8fe0ad3a14a340ad0815ddb96d599d2aff...29d86d22a34ea372b1bbf3b2dced2e25ca6b3384) Updates `anchore/sbom-action` from 0.16.0 to 0.17.1 - [Release notes](https://github.com/anchore/sbom-action/releases) - [Commits](https://github.com/anchore/sbom-action/compare/e8d2a6937ecead383dfe75190d104edd1f9c5751...ab9d16d4b419c9d1a02df5213fa0ebe965ca5a57) Updates `sigstore/cosign-installer` from 3.5.0 to 3.6.0 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/59acb6260d9c0ba8f4a2f9d9b48431a222b68e20...4959ce089c160fddf62f7b42464195ba1a56d382) Updates `peter-evans/create-pull-request` from 6.0.5 to 6.1.0 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/6d6857d36972b65feb161a90e484f2984215f83e...c5a7806660adbe173f04e3e038b0ccdcd758773c) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: google-github-actions/auth dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: google-github-actions/setup-gcloud dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: docker/setup-qemu-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: anchore/sbom-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci ... Signed-off-by: dependabot[bot] <support@github.com> 5 months ago			`uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0`
Add OSSF Scorecard Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`with:`
			`results_file: results.sarif`
			`results_format: sarif`
			`repo_token: ${{ secrets.GITHUB_TOKEN }}`
			`publish_results: true`
			`- name: Upload artifact`
build(deps): bump the ci group across 1 directory with 6 updates Bumps the ci group with 6 updates in the / directory: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [actions/checkout](https://github.com/actions/checkout) \| `4.1.7` \| `4.2.0` \| \| [fluxcd/pkg](https://github.com/fluxcd/pkg) \| `e40e7ed2bc31c6b6e36d263b6299e5082d9fef12` \| `30c101fc7c9fac4d84937ff4890a3da46a9db2dd` \| \| [Azure/login](https://github.com/azure/login) \| `2.1.1` \| `2.2.0` \| \| [actions/upload-artifact](https://github.com/actions/upload-artifact) \| `4.3.6` \| `4.4.0` \| \| [github/codeql-action](https://github.com/github/codeql-action) \| `3.26.5` \| `3.26.9` \| \| [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) \| `6.1.0` \| `7.0.5` \| Updates `actions/checkout` from 4.1.7 to 4.2.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/692973e3d937129bcbf40652eb9f2f61becf3332...d632683dd7b4114ad314bca15554477dd762a938) Updates `fluxcd/pkg` from e40e7ed2bc31c6b6e36d263b6299e5082d9fef12 to 30c101fc7c9fac4d84937ff4890a3da46a9db2dd - [Commits](https://github.com/fluxcd/pkg/compare/e40e7ed2bc31c6b6e36d263b6299e5082d9fef12...30c101fc7c9fac4d84937ff4890a3da46a9db2dd) Updates `Azure/login` from 2.1.1 to 2.2.0 - [Release notes](https://github.com/azure/login/releases) - [Commits](https://github.com/azure/login/compare/6c251865b4e6290e7b78be643ea2d005bc51f69a...a65d910e8af852a8061c627c456678983e180302) Updates `actions/upload-artifact` from 4.3.6 to 4.4.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/834a144ee995460fba8ed112a2fc961b36a5ec5a...50769540e7f4bd5e21e526ee35c689e35e0d6874) Updates `github/codeql-action` from 3.26.5 to 3.26.9 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/2c779ab0d087cd7fe7b826087247c2c81f27bfa6...461ef6c76dfe95d5c364de2f431ddbd31a417628) Updates `peter-evans/create-pull-request` from 6.1.0 to 7.0.5 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/c5a7806660adbe173f04e3e038b0ccdcd758773c...5e914681df9dc83aa4e4905692ca88beb2f9e91f) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: fluxcd/pkg dependency-type: direct:production dependency-group: ci - dependency-name: Azure/login dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci ... Signed-off-by: dependabot[bot] <support@github.com> 4 months ago			`uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0`
Add OSSF Scorecard Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`with:`
			`name: SARIF file`
			`path: results.sarif`
			`retention-days: 5`
			`- name: Upload SARIF results`
build(deps): bump the ci group across 1 directory with 6 updates Bumps the ci group with 6 updates in the / directory: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [actions/checkout](https://github.com/actions/checkout) \| `4.1.7` \| `4.2.0` \| \| [fluxcd/pkg](https://github.com/fluxcd/pkg) \| `e40e7ed2bc31c6b6e36d263b6299e5082d9fef12` \| `30c101fc7c9fac4d84937ff4890a3da46a9db2dd` \| \| [Azure/login](https://github.com/azure/login) \| `2.1.1` \| `2.2.0` \| \| [actions/upload-artifact](https://github.com/actions/upload-artifact) \| `4.3.6` \| `4.4.0` \| \| [github/codeql-action](https://github.com/github/codeql-action) \| `3.26.5` \| `3.26.9` \| \| [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) \| `6.1.0` \| `7.0.5` \| Updates `actions/checkout` from 4.1.7 to 4.2.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/692973e3d937129bcbf40652eb9f2f61becf3332...d632683dd7b4114ad314bca15554477dd762a938) Updates `fluxcd/pkg` from e40e7ed2bc31c6b6e36d263b6299e5082d9fef12 to 30c101fc7c9fac4d84937ff4890a3da46a9db2dd - [Commits](https://github.com/fluxcd/pkg/compare/e40e7ed2bc31c6b6e36d263b6299e5082d9fef12...30c101fc7c9fac4d84937ff4890a3da46a9db2dd) Updates `Azure/login` from 2.1.1 to 2.2.0 - [Release notes](https://github.com/azure/login/releases) - [Commits](https://github.com/azure/login/compare/6c251865b4e6290e7b78be643ea2d005bc51f69a...a65d910e8af852a8061c627c456678983e180302) Updates `actions/upload-artifact` from 4.3.6 to 4.4.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/834a144ee995460fba8ed112a2fc961b36a5ec5a...50769540e7f4bd5e21e526ee35c689e35e0d6874) Updates `github/codeql-action` from 3.26.5 to 3.26.9 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/2c779ab0d087cd7fe7b826087247c2c81f27bfa6...461ef6c76dfe95d5c364de2f431ddbd31a417628) Updates `peter-evans/create-pull-request` from 6.1.0 to 7.0.5 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/c5a7806660adbe173f04e3e038b0ccdcd758773c...5e914681df9dc83aa4e4905692ca88beb2f9e91f) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: fluxcd/pkg dependency-type: direct:production dependency-group: ci - dependency-name: Azure/login dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci ... Signed-off-by: dependabot[bot] <support@github.com> 4 months ago			`uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9`
Add OSSF Scorecard Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`with:`
			`sarif_file: results.sarif`