Nigel Jones
> > However it is being used to generate our code > > Could you please elaborate on this @planetf1 ? I'm not sure I understand how a CI image...
@baentsch many thanks for the comments!
PR updated - only generates .sarif file, and runs on both PRs and merges to main - can review the sarif file and decide if we want to push to...
Example sarif file can be found as attachment on https://github.com/open-quantum-safe/liboqs/actions/runs/8066088271?pr=1708
In the scan above, we have two categories of issues reported:
* [Token Permissions](https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#token-permissions) - recommending some refinements to permissions for the github actions. To fix these carries some risk...
Rebased, to review current findings and correct.
Update on this PR - good things:
- added pinned SHAs for github actions - this seems to work, and pass the scorecard tests
- added explicit permissions for github...
Pip requirements.txt install was failing in the build since once SHAs are used, ALL dependencies need to be listed (recursively) and a few were missing. Fixed by:
* installing the...
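The two findings discussed in the comments above (unpinned GitHub Actions / missing explicit permissions, and pip dependencies that are not hash-pinned) can be checked locally before the scorecard runs. The following is an added example, not code from the liboqs PR or from the scorecard project; it is a miniature of those checks run over a constructed workflow and requirements file, with a placeholder commit SHA and hash rather than real values.

```python
import re

# Constructed sample workflow (not the liboqs workflow): one action pinned to a
# placeholder 40-hex SHA, one pinned only to a tag, and no top-level permissions.
WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - run: pip install -r requirements.txt
"""

# Constructed requirements file: one entry hash-pinned (placeholder hash), one not.
REQUIREMENTS = """\
pytest==8.0.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml
"""

SHA_RE = re.compile(r"@[0-9a-f]{40}\b")

def unpinned_actions(workflow_text):
    """Return `uses:` references not pinned to a full 40-hex commit SHA (tags can move)."""
    found = []
    for line in workflow_text.splitlines():
        m = re.search(r"uses:\s*(\S+)", line)
        if m and not SHA_RE.search(m.group(1)):
            found.append(m.group(1))
    return found

def has_top_level_permissions(workflow_text):
    """True if the workflow declares an unindented `permissions:` key."""
    return any(re.match(r"permissions:", ln) for ln in workflow_text.splitlines())

def unhashed_requirements(req_text):
    """Return requirement lines with no --hash=; one such line breaks pip's hash-checking mode."""
    lines = (ln.strip() for ln in req_text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#") and "--hash=" not in ln]

def findings(workflow_text, req_text):
    """Collect scorecard-style findings as (check, detail) tuples."""
    out = [("Pinned-Dependencies", u) for u in unpinned_actions(workflow_text)]
    if not has_top_level_permissions(workflow_text):
        out.append(("Token-Permissions", "no top-level permissions block"))
    out += [("Pinned-Dependencies", r) for r in unhashed_requirements(req_text)]
    return out

if __name__ == "__main__":
    for check, detail in findings(WORKFLOW, REQUIREMENTS):
        print(f"{check}: {detail}")
```

Replace the embedded strings with the contents of the workflow and requirements files under review; the real scorecard checks are stricter (they also grade the permissions that are set), so treat this as a pre-flight, not a substitute.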
@baentsch the checks are nearly clean, with the only OSSF negative points (score 8/10) caused by: ``` run: env HOMEBREW_NO_AUTO_UPDATE=1 brew install ninja && pip3 install --break-system-packages pytest pytest-xdist pyyaml...
The mac builds are using Python 3.12.x whilst the Windows build is using 3.9.x -- this is why the dependencies resolve differently. These versions are the standard, supplied, python versions...