regclient/.github/workflows/scorecard.yml

name: Scorecard analysis workflow
on:
  branch_protection_rule:
  schedule:
    - cron: '0 07 * * 0'
  push:
    branches: [ main ]
  workflow_dispatch:

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write # Needed if using Code scanning alerts
      id-token: write # Needed for GitHub OIDC token when publishing results

    steps:
      - name: "Checkout code"
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          # Publish the results for public repositories to enable scorecard badges.
          publish_results: true
          # (Optional) fine-grained personal access token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      # - name: "Upload artifact"
      #   uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
      #   with:
      #     name: SARIF file
      #     path: results.sarif
      #     retention-days: 5

      # required for Code scanning alerts
      - name: "Upload SARIF results to code scanning"
        uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
        with:
          sarif_file: results.sarif