You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@logging.apache.org by pk...@apache.org on 2023/12/27 08:53:06 UTC
(logging-log4j2) branch 2.x updated: Fix Scorecards action
This is an automated email from the ASF dual-hosted git repository.
pkarwasz pushed a commit to branch 2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
The following commit(s) were added to refs/heads/2.x by this push:
new fef55533c2 Fix Scorecards action
fef55533c2 is described below
commit fef55533c26e0c1c246f6e4794de5d28891b464f
Author: Piotr P. Karwasz <pi...@karwasz.org>
AuthorDate: Wed Dec 27 09:52:57 2023 +0100
Fix Scorecards action
---
.github/workflows/scorecards-analysis.yaml | 39 +++++++++++++++++++++++++++++-
1 file changed, 38 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml
index 7081045221..f4eeab95d0 100644
--- a/.github/workflows/scorecards-analysis.yaml
+++ b/.github/workflows/scorecards-analysis.yaml
@@ -15,6 +15,10 @@
# limitations under the License.
#
+##
+# WARNING: due to a difference in the name of the main branch in
+# `logging-parent` and this repo, Scorecard fails if we use reusable workflows.
+##
name: scorecards-analysis
on:
@@ -29,10 +33,43 @@ permissions: read-all
jobs:
analysis:
- uses: apache/logging-parent/.github/workflows/scorecards-analysis-reusable.yaml@rel/10.5.0
+
+ name: "Scorecards analysis"
+ runs-on: ubuntu-latest
permissions:
# Needed to upload the results to the code-scanning dashboard.
security-events: write
actions: read
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
+
+ steps:
+
+ - name: "Checkout code"
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # 4.1.1
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # 2.3.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # A read-only PAT token, which is sufficient for the action to function.
+ # The relevant discussion: https://github.com/ossf/scorecard-action/issues/188
+ repo_token: ${{ secrets.GITHUB_TOKEN }}
+ # Publish the results for public repositories to enable scorecard badges.
+ # For more details: https://github.com/ossf/scorecard-action#publishing-results
+ publish_results: true
+
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # 3.1.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@b374143c1149a9115d881581d29b8390bbcbb59c # 2.1.22
+ with:
+ sarif_file: results.sarif