This is an automated email from the ASF dual-hosted git repository.
ppkarwasz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-parent.git
The following commit(s) were added to refs/heads/master by this push:
new 8e38ea1 feat: Add reusable `scorecards-analysis-reusable.yml`
workflow (#700)
8e38ea1 is described below
commit 8e38ea162b6f3c795c4fd7aa72cc416f03389e5e
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Wed May 13 00:34:44 2026 +0200
feat: Add reusable `scorecards-analysis-reusable.yml` workflow (#700)
Similar to #699, adds a reusable Scorecard analysis workflow and
refactors `scorecards-analysis.yml` to call it.
Unlike the CodeQL workflow, which only relies on actions from
GitHub-owned organisations (`github` and `actions`), this one uses a
third-party action (`ossf/scorecard-action`) that needs to be upgraded
in a timely manner. The usual process is:
1. A new version of the action is released.
2. The action is reviewed in `infrastructure-actions` and the new SHA
is added to the authorized ones.
3. The old SHA is scheduled for removal.
We need to perform the upgrade between steps 2 and 3, so we should
configure Dependabot to bump this action weekly with a 7-day cooldown
(step 2 occurs within 7 days of a new release).
---
.github/workflows/README.md | 50 ++++++++++++++++++++++
...alysis.yml => scorecards-analysis-reusable.yml} | 27 +++++-------
.github/workflows/scorecards-analysis.yml | 49 ++++-----------------
3 files changed, 69 insertions(+), 57 deletions(-)
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index 66e4950..6d64396 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -74,3 +74,53 @@ jobs:
contents: read
security-events: write
```
+
+## Scorecards (`scorecards-analysis-reusable.yml`)
+
+Runs an [OpenSSF Scorecard](https://securityscorecards.dev/) analysis and
uploads the results to
+GitHub's code-scanning dashboard.
+For public repositories, the results are also published to the Scorecard API,
enabling the
+Scorecard badge.
+
+This workflow has no inputs.
+
+### Required permissions
+
+In addition to uploading results to the code-scanning dashboard
(`security-events: write`),
+the workflow authenticates with securityscorecards.dev using an OIDC token
(`id-token: write`).
+The caller job must grant:
+
+```yaml
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+ id-token: write
+```
+
+### Usage example
+
+```yaml
+name: Scorecards
+
+on:
+ branch_protection_rule:
+ schedule:
+ - cron: '30 1 * * 6' # Randomize this expression
+ push:
+ branches: [ "master" ]
+
+# Explicitly drop all permissions for security.
+permissions: { }
+
+jobs:
+ scorecards:
+ # Intentionally not pinned: maintained by the same PMC.
+ uses:
apache/commons-parent/.github/workflows/scorecards-analysis-reusable.yml@master
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ id-token: write
+```
+
diff --git a/.github/workflows/scorecards-analysis.yml
b/.github/workflows/scorecards-analysis-reusable.yml
similarity index 73%
copy from .github/workflows/scorecards-analysis.yml
copy to .github/workflows/scorecards-analysis-reusable.yml
index 2eed26f..a7a8dde 100644
--- a/.github/workflows/scorecards-analysis.yml
+++ b/.github/workflows/scorecards-analysis-reusable.yml
@@ -13,29 +13,25 @@
# See the license for the specific language governing permissions and
# limitations under the license.
-name: "Scorecards supply-chain security"
+name: Scorecards
on:
- branch_protection_rule:
- schedule:
- - cron: "30 1 * * 6" # Weekly on Saturdays
- push:
- branches: [ "master" ]
+ workflow_call: { }
-permissions: read-all
+# Explicitly drop all permissions inherited from the caller for security.
+permissions: { }
jobs:
- analysis:
-
- name: "Scorecards analysis"
+ scorecards-analysis:
runs-on: ubuntu-latest
permissions:
+ actions: read
+ contents: read
# Needed to upload the results to the code-scanning dashboard.
security-events: write
- actions: read
- id-token: write # This is required for requesting the JWT
- contents: read # This is required for actions/checkout
+ # Needed to sign the results using Fulcio
+ id-token: write
steps:
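Review bot: The comment on `id-token: write` ("Needed to sign the results using Fulcio") does not match the README added in this same commit, which says the token is used to authenticate with securityscorecards.dev when publishing, and the permission is only exercised because `publish_results: true` is set further down in this file; I would align the two and state that dependency: `# Needed for the OIDC token used when publishing results (publish_results: true); see README.md`. It would also help to say on the job-level `permissions:` block that, as far as I know, a called workflow can only narrow what the caller grants, so callers must grant exactly this set (as the README example does): `# Callers must grant these same permissions; a reusable workflow cannot elevate the caller's grant.` The job body continues past this hunk.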
@@ -49,11 +45,8 @@ jobs:
with:
results_file: results.sarif
results_format: sarif
- # A read-only PAT token, which is sufficient for the action to
function.
- # The relevant discussion:
https://github.com/ossf/scorecard-action/issues/188
- repo_token: ${{ secrets.GITHUB_TOKEN }}
+ repo_token: ${{ github.token }}
# Publish the results for public repositories to enable scorecard
badges.
- # For more details:
https://github.com/ossf/scorecard-action#publishing-results
publish_results: true
- name: "Upload artifact"
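Review bot: `repo_token: ${{ github.token }}` loses the explanation carried by the removed comment lines (that a read-only token is sufficient, with the discussion link), so a reader no longer sees why the workflow's own token is enough; I would keep a one-line version: `# The workflow's own read-only token is sufficient; see https://github.com/ossf/scorecard-action/issues/188`. Separately, the commit message plans a weekly Dependabot bump with a 7-day cooldown for `ossf/scorecard-action`, but the diffstat shows no `.github/dependabot.yml` change; since every downstream caller now inherits whichever SHA this file pins (the `uses:` line for that step sits above this hunk), that follow-up is worth tracking explicitly rather than only in the message.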
diff --git a/.github/workflows/scorecards-analysis.yml
b/.github/workflows/scorecards-analysis.yml
index 2eed26f..120e3a7 100644
--- a/.github/workflows/scorecards-analysis.yml
+++ b/.github/workflows/scorecards-analysis.yml
@@ -21,49 +21,18 @@ on:
- cron: "30 1 * * 6" # Weekly on Saturdays
push:
branches: [ "master" ]
+ # For testing purposes
+ workflow_dispatch: { }
-permissions: read-all
+# Explicitly drop all permissions for security.
+permissions: { }
jobs:
- analysis:
-
- name: "Scorecards analysis"
- runs-on: ubuntu-latest
+ scorecards-analysis:
+ uses: ./.github/workflows/scorecards-analysis-reusable.yml
permissions:
- # Needed to upload the results to the code-scanning dashboard.
- security-events: write
actions: read
- id-token: write # This is required for requesting the JWT
- contents: read # This is required for actions/checkout
-
- steps:
-
- - name: "Checkout code"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
6.0.2
- with:
- persist-credentials: false
-
- - name: "Run analysis"
- uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
# 2.4.3
- with:
- results_file: results.sarif
- results_format: sarif
- # A read-only PAT token, which is sufficient for the action to
function.
- # The relevant discussion:
https://github.com/ossf/scorecard-action/issues/188
- repo_token: ${{ secrets.GITHUB_TOKEN }}
- # Publish the results for public repositories to enable scorecard
badges.
- # For more details:
https://github.com/ossf/scorecard-action#publishing-results
- publish_results: true
-
- - name: "Upload artifact"
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
# v7.0.1
- with:
- name: SARIF file
- path: results.sarif
- retention-days: 5
-
- - name: "Upload to code-scanning"
- uses:
github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e #
v4.35.4
- with:
- sarif_file: results.sarif
+ contents: read
+ security-events: write
+ id-token: write
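Review bot: Replacing the job `analysis` (display name "Scorecards analysis") with `scorecards-analysis` that calls the reusable workflow changes the name under which the check is reported — as far as I recall, a called workflow's jobs appear as `caller-job / called-job`, so here something like `scorecards-analysis / scorecards-analysis`. If any branch-protection rule or required status check keys on the old name it will need updating, and a comment on the job would save the next person a search: `# The job id is part of the reported check name; update required status checks if it changes.` The hunk appears to reach the end of the file, but the mail rendering has dropped blank lines, so a trailing context line may be missing here.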