Fix Scorecard SARIF publication #29

Merged
krotname merged 1 commit into master from feature/scorecard-action-sarif-20260621 on Jun 21, 2026
Conversation

@krotname (Owner)

Summary

  • use pinned ossf/scorecard-action for SARIF output
  • grant OIDC permission required by publish_results
  • upload Scorecard SARIF to Code Scanning

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c92fad385b

--output="scorecard-results.sarif" \
--show-details
- name: Run Scorecard
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
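Review bot: the new `uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3` step replaces a CLI invocation that wrote `--output="scorecard-results.sarif"`, but the step's `with:` inputs fall outside this snippet; confirm that `results_file: scorecard-results.sarif` and `results_format: sarif` are set so the file the downstream SARIF upload expects is actually written at that path, otherwise the upload step fails on a missing file even when the scan succeeds. The full-SHA pin with a trailing version comment is the right way to reference the action.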

P2: Guard Scorecard action to the default branch

With the existing workflow_dispatch trigger, this step can be manually run on any branch, but ossf/scorecard-action@v2.4.3 rejects non-default refs before writing scorecard-results.sarif (the run for this patch on feature/scorecard-action-sarif-20260621 failed with Only the default branch master is supported). The CLI path this replaces passed --commit="$GITHUB_SHA" and could analyze arbitrary refs, so manual branch runs now fail and never upload SARIF/artifacts; either restrict the job to refs/heads/master or keep a non-default-branch path that does not use this action.

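The three items in the PR summary (pinned scorecard-action emitting SARIF, OIDC permission for `publish_results`, upload to Code Scanning) and the review point above about non-default-branch runs together describe one workflow. The following is an added example of such a workflow, written for this page; it is not the repository's own file, which is not shown here. Assumptions: the default branch is `master` (as the review comment states), the SARIF path `scorecard-results.sarif` from the diff snippet is kept, the scorecard-action pin is the one shown in the diff, and the `actions/checkout`, `actions/upload-artifact` and `github/codeql-action/upload-sarif` references are tag placeholders that should be replaced with full commit SHAs in the same style before use. The `if:` guard at job level is what addresses the reviewer's point: a manual `workflow_dispatch` run on a feature branch is skipped instead of failing inside the action.

```yaml
# Added example workflow, not the repository's own file.
# Assumes the default branch is "master" and the SARIF file name from the PR diff.
name: Scorecard supply-chain security

on:
  push:
    branches: [master]
  schedule:
    - cron: '30 1 * * 6'   # weekly rescan so the published score does not go stale
  workflow_dispatch:

# Deny everything at the workflow level; grant per job only what is needed.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    # scorecard-action v2.4.3 only analyzes the default branch and rejects other refs.
    # Skipping the job here keeps manual runs on feature branches from failing mid-way.
    if: github.ref == 'refs/heads/master'
    permissions:
      security-events: write   # needed to upload SARIF to Code Scanning
      id-token: write          # OIDC token required when publish_results is true
      contents: read
      actions: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4   # placeholder tag: pin to a full commit SHA
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - name: Run Scorecard
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: scorecard-results.sarif
          results_format: sarif
          # Publishes to the OpenSSF API (enables the badge); requires id-token: write above.
          publish_results: true

      - name: Upload SARIF artifact
        uses: actions/upload-artifact@v4   # placeholder tag: pin to a full commit SHA
        with:
          name: SARIF file
          path: scorecard-results.sarif
          retention-days: 5

      - name: Upload to Code Scanning
        uses: github/codeql-action/upload-sarif@v3   # placeholder tag: pin to a full commit SHA
        with:
          sarif_file: scorecard-results.sarif
```

Two checks worth running after adopting something like this: trigger the workflow manually from a non-default branch and confirm the job is reported as skipped rather than failed, and open the Security tab after a `master` run to confirm the Scorecard findings appear under Code Scanning, which is the evidence that both `security-events: write` and the SARIF path are correct.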
@krotname krotname merged commit d007165 into master Jun 21, 2026
13 of 14 checks passed
@krotname krotname deleted the feature/scorecard-action-sarif-20260621 branch June 21, 2026 19:45