This is an automated email from the ASF dual-hosted git repository.
pkarwasz pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/logging-parent.git
The following commit(s) were added to refs/heads/main by this push:
new 1095045 Add Scorecards analysis
1095045 is described below
commit 10950459f64e43dc4aa09850624595a66b0be478
Author: Piotr P. Karwasz <piotr.git...@karwasz.org>
AuthorDate: Wed Oct 11 21:01:00 2023 +0200
Add Scorecards analysis
---
.../workflows/scorecards-analysis-reusable.yaml | 64 ++++++++++++++++++++++
1 file changed, 64 insertions(+)
diff --git a/.github/workflows/scorecards-analysis-reusable.yaml
b/.github/workflows/scorecards-analysis-reusable.yaml
new file mode 100644
index 0000000..22b1621
--- /dev/null
+++ b/.github/workflows/scorecards-analysis-reusable.yaml
@@ -0,0 +1,64 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: scorecards-analysis
+
+on:
+ workflow_call:
+ inputs:
+ java-version:
+ description: The Java compiler version
+ default: 17
+ type: string
+
+jobs:
+
+ analysis:
+
+ name: "Scorecards analysis"
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: "Checkout code"
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 #
4.1.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031
# 2.2.0
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # A read-only PAT token, which is sufficient for the action to
function.
+ # The relevant discussion:
https://github.com/ossf/scorecard-action/issues/188
+ repo_token: ${{ secrets.GITHUB_TOKEN }}
+ # Publish the results for public repositories to enable scorecard
badges.
+ # For more details:
https://github.com/ossf/scorecard-action#publishing-results
+ publish_results: true
+
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
# 3.1.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: "Upload to code-scanning"
+ uses:
github/codeql-action/upload-sarif@2cb752a87e96af96708ab57187ab6372ee1973ab #
2.1.22
+ with:
+ sarif_file: results.sarif
