You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@logging.apache.org by pk...@apache.org on 2023/12/27 08:53:06 UTC

(logging-log4j2) branch 2.x updated: Fix Scorecards action

This is an automated email from the ASF dual-hosted git repository.

pkarwasz pushed a commit to branch 2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git


The following commit(s) were added to refs/heads/2.x by this push:
     new fef55533c2 Fix Scorecards action
fef55533c2 is described below

commit fef55533c26e0c1c246f6e4794de5d28891b464f
Author: Piotr P. Karwasz <pi...@karwasz.org>
AuthorDate: Wed Dec 27 09:52:57 2023 +0100

    Fix Scorecards action
---
 .github/workflows/scorecards-analysis.yaml | 39 +++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml
index 7081045221..f4eeab95d0 100644
--- a/.github/workflows/scorecards-analysis.yaml
+++ b/.github/workflows/scorecards-analysis.yaml
@@ -15,6 +15,10 @@
 # limitations under the License.
 #
 
+##
+# WARNING: due to a difference in the name of the main branch in
+# `logging-parent` and this repo, Scorecard fails if we use reusable workflows.
+##
 name: scorecards-analysis
 
 on:
@@ -29,10 +33,43 @@ permissions: read-all
 jobs:
 
   analysis:
-    uses: apache/logging-parent/.github/workflows/scorecards-analysis-reusable.yaml@rel/10.5.0
+
+    name: "Scorecards analysis"
+    runs-on: ubuntu-latest
     permissions:
       # Needed to upload the results to the code-scanning dashboard.
       security-events: write
       actions: read
       id-token: write # This is required for requesting the JWT
       contents: read  # This is required for actions/checkout
+
+    steps:
+
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11   # 4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736    # 2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # A read-only PAT token, which is sufficient for the action to function.
+          # The relevant discussion: https://github.com/ossf/scorecard-action/issues/188
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          # Publish the results for public repositories to enable scorecard badges.
+          # For more details: https://github.com/ossf/scorecard-action#publishing-results
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392    # 3.1.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@b374143c1149a9115d881581d29b8390bbcbb59c    # 2.1.22
+        with:
+          sarif_file: results.sarif