You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@commons.apache.org by gg...@apache.org on 2022/03/05 18:55:50 UTC
[commons-configuration] branch master updated: Drop OSSF Scorecards due to token requirement. Note that CodeQL has no such complications, so why here?
This is an automated email from the ASF dual-hosted git repository.
ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-configuration.git
The following commit(s) were added to refs/heads/master by this push:
new 4c8d189 Drop OSSF Scorecards due to token requirement. Note that CodeQL has no such complications, so why here?
4c8d189 is described below
commit 4c8d18941fb97dfb2eb23a3fda21836ecd86481e
Author: Gary Gregory <ga...@gmail.com>
AuthorDate: Sat Mar 5 13:55:47 2022 -0500
Drop OSSF Scorecards due to token requirement. Note that CodeQL has no
such complications, so why here?
---
.github/workflows/scorecards.yml | 70 ----------------------------------------
1 file changed, 70 deletions(-)
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
deleted file mode 100644
index e79ecb3..0000000
--- a/.github/workflows/scorecards.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: Scorecards supply-chain security
-on:
- # Only the default branch is supported.
- branch_protection_rule:
- schedule:
- - cron: '24 4 * * 1'
- push:
- branches: [ master ]
-
-# Declare default permissions as read only.
-permissions: read-all
-
-jobs:
- analysis:
- name: Scorecards analysis
- runs-on: ubuntu-latest
- permissions:
- # Needed to upload the results to code-scanning dashboard.
- security-events: write
- actions: read
- contents: read
-
- steps:
- - name: "Checkout code"
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- with:
- persist-credentials: false
-
- - name: "Run analysis"
- uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
- with:
- results_file: results.sarif
- results_format: sarif
- # Read-only PAT token. To create it,
- # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
- repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
- # Publish the results to enable scorecard badges. For more details, see
- # https://github.com/ossf/scorecard-action#publishing-results.
- # For private repositories, `publish_results` will automatically be set to `false`,
- # regardless of the value entered here.
- publish_results: true
-
- # Upload the results as artifacts (optional).
- - name: "Upload artifact"
- uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
- with:
- name: SARIF file
- path: results.sarif
- retention-days: 5
-
- # Upload the results to GitHub's code scanning dashboard.
- - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
- with:
- sarif_file: results.sarif