.github/workflows/openssf-scorecard.yml

# Copyright (c) Omar Boukli-Hacene. All rights reserved.
# Distributed under an MIT-style license that can be
# found in the LICENSE file.

# SPDX-License-Identifier: MIT

name: OpenSSF Scorecard supply chain security analysis

on:
  branch_protection_rule:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
  schedule:
    - cron: 33 1 * * 6

permissions: {}

jobs:
  analyze:
    name: Run OpenSSF Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: Check out repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@v2.4.0
        with:
          results_file: openssf-scorecard.sarif
          results_format: sarif

      - name: Report analysis results to GitHub
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: openssf-scorecard.sarif