
config scorecards

Open · carpenter79 opened this issue 7 months ago · 1 comment

scorecard https://github.com/didi/booster/issues/486

carpenter79 · Jun 10 '25 08:06

PR Summary

  • Introduction of a new security workflow: A new workflow utilizing GitHub Actions has been added. It focuses on enhancing supply-chain security analysis. The workflow is located in a configuration file called scorecard.yml.

  • Workflow activation settings: The security workflow has been set up to initiate whenever branch protection rule events occur or every week on a fixed schedule.

  • Job permissions: The rights for this workflow have been established. They encompass security-events to allow for the upload of result information and id-token to facilitate the publication of results.

  • Workflow steps: The workflow includes specific steps to check out the recent code, perform Scorecard analysis on it, and then upload the results of the analysis for further review. It also uploads these results to GitHub's Code Scanning Dashboard, a tool for observing the security of code.

  • Public result publishing: The workflow is enabled to publish results publicly, meaning that they can be accessible in public repositories. This feature comes with additional configurations to handle optional repository tokens and artifact uploads.

what-the-diff[bot] · Jun 10 '25 08:06
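For readers who want to see what a workflow matching the summary above actually looks like, here is an added example of an OpenSSF Scorecard workflow with the same triggers, permissions and steps. It is not the scorecard.yml from the didi/booster PR: the action version tags are assumed placeholders (the PR's real pins are not visible on this page), the cron value is a constructed example, and the `SCORECARD_TOKEN` secret name is a hypothetical one.

```yaml
# Added example workflow, not the project's own scorecard.yml.
# Version tags below are assumed placeholders; a production file would pin
# every action to a full commit SHA (Scorecard's own Pinned-Dependencies check
# rewards this).
name: Scorecard supply-chain security

on:
  # Scorecard scores branch protection, so re-run when those rules change.
  branch_protection_rule:
  # Weekly on a fixed schedule; cron runs in UTC (constructed example value).
  schedule:
    - cron: '30 1 * * 6'

# Workflow-wide default is read-only; the job adds only what it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Required to upload SARIF into GitHub Code Scanning.
      security-events: write
      # Required for the OIDC token the action uses to publish results.
      id-token: write
      contents: read
      actions: read

    steps:
      - name: Checkout code
        uses: actions/checkout@v4   # assumed tag; pin to a SHA in practice
        with:
          # Do not leave the GITHUB_TOKEN in .git/config for later steps.
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@v2.4.0   # assumed tag; pin to a SHA in practice
        with:
          results_file: results.sarif
          results_format: sarif
          # Optional repository token: only needed to read branch-protection
          # settings on private repos. Secret name is hypothetical.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
          # Public publishing works only for public repos on the default branch.
          publish_results: true

      # Keep the SARIF as a build artifact so results can be reviewed later.
      - name: Upload artifact
        uses: actions/upload-artifact@v4   # assumed tag; pin to a SHA in practice
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Surface findings in the repository's Code Scanning dashboard.
      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@v3   # assumed tag; pin to a SHA in practice
        with:
          sarif_file: results.sarif
```

Two details are worth checking when reviewing a file like this: the `permissions` block should stay at least this narrow (Scorecard's Token-Permissions check flags anything broader), and `persist-credentials: false` on the checkout step keeps the job token from being written into the working tree where a later step could read it.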