Update npm deps #83
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scorecard supply-chain security | |
| on: | |
| push: | |
| branches: | |
| - master | |
| schedule: | |
| - cron: 0 1 * * MON | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#concurrency | |
| # Concurrent workflows are grouped by the PR or branch that triggered them | |
| # (github.ref) and the name of the workflow (github.workflow). The | |
| # 'cancel-in-progress' option then make sure that only one workflow is running | |
| # at a time. This doesn't prevent new jobs from running, rather it cancels | |
| # already running jobs before scheduling new jobs. | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'pull_request' || github.sha }} | |
| cancel-in-progress: true | |
| permissions: read-all | |
| jobs: | |
| scorecard-analysis: | |
| name: Scorecard analysis | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| security-events: write | |
| steps: | |
| - name: Checkout tree | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| with: | |
| persist-credentials: false | |
| - name: Run analysis | |
| uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 #v2.2.0 | |
| with: | |
| results_file: results.sarif | |
| results_format: sarif | |
| publish_results: true | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| with: | |
| name: SARIF file | |
| path: results.sarif | |
| retention-days: 7 | |
| - name: Upload to code-scanning | |
| uses: github/codeql-action/upload-sarif@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.20.3 | |
| with: | |
| sarif_file: results.sarif |