README.md: 24 additions & 23 deletions
@@ -30,6 +30,7 @@ ________
30
30
[Manual Action Setup](#manual-action-setup)
31
31
-[Inputs](#inputs)
32
32
-[Publishing Results](#publishing-results)
33
+
-[Workflow Restrictions](#workflow-restrictions)
33
34
-[Uploading Artifacts](#uploading-artifacts)
34
35
-[Workflow Example](#workflow-example)
35
36
________
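Review bot: the new TOC entry at new line 33 lands between Publishing Results and Uploading Artifacts, which matches where the section is moved to later in this same diff, and it reuses the existing `-[Name](#anchor)` form with the unchanged `#workflow-restrictions` anchor, so no link breaks; there was no earlier TOC entry for this section, so nothing else in the list needs removing.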
@@ -108,29 +109,6 @@ Create a Personal Access Token (PAT) for authentication and save the token value
108
109
109
110
4. (Optional) If you install Scorecard on a repository owned by an organization that uses [SAML SSO](https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on), be sure to [enable SSO](https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on) for your PAT token.
110
111
111
-
### Workflow Restrictions
112
-
113
-
If [publishing results](#publishing-results), Scorecard Action sends results to our API. Our API fetches the workflow used to send the scores and [enforces certain rules](https://github.com/ossf/scorecard-webapp/blob/9c2f66d5f6ff56ca4a4ac2fba6ec8dcc5379d31c/app/server/post_results.go#L184-L187), which may reject the results and cause the Scorecard Action run to fail.
114
-
We understand that this is restrictive, but currently it's necessary to ensure the integrity of our API dataset, since GitHub workflow steps run in the same environment as the job they belong to.
115
-
If possible, we will work on making this feature more flexible so we can drop this requirement in the future.
116
-
117
-
#### Global workflow restrictions
118
-
119
-
* The workflow can't contain top level env vars or defaults.
120
-
* No workflow level write permissions.
121
-
* Only the job with `ossf/scorecard-action` can use `id-token: write` permissions.
122
-
123
-
#### Restrictions on the job containing `ossf/scorecard-action`
124
-
* No job level env vars or defaults.
125
-
* No containers or services
126
-
* The job should run on one of the [Ubuntu hosted runners](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#choosing-github-hosted-runners)
127
-
* The steps running in this job must belong to this approved list of GitHub actions.
128
-
* "actions/checkout"
129
-
* "actions/upload-artifact"
130
-
* "github/codeql-action/upload-sarif"
131
-
* "ossf/scorecard-action"
132
-
* "step-security/harden-runner"
133
-
134
112
## View Results
135
113
136
114
The workflow is preconfigured to run on every repository contribution. After making a code change, you can view the results for the change either through the Scorecard Badge, Code Scanning Alerts or GitHub Workflow Runs.
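Review bot: the deletion at old line 113 drops the only sentence that explains why these rules exist, namely that the API fetches the workflow used to send the scores and checks it, while the replacement text added further down in this commit only says the API "enforces certain rules". Keep one sentence such as "Our API fetches the workflow used to send the scores and checks it against these rules" so readers understand the restrictions are applied to the workflow file itself, not to the repository in general; otherwise the move out of the Manual Action Setup steps is sensible, since the restrictions only matter when results are published.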
@@ -194,6 +172,29 @@ Setting `publish_results: true` replaces the results of the team's weekly scans
194
172
helping us scale by cutting down on repeated workflows and GitHub API requests.
195
173
This option is also needed to enable badges on the repository.
196
174
175
+
### Workflow Restrictions
176
+
177
+
If [publishing results](#publishing-results), our API [enforces certain rules](https://github.com/ossf/scorecard-webapp/blob/9c2f66d5f6ff56ca4a4ac2fba6ec8dcc5379d31c/app/server/post_results.go#L184-L187) on the producing workflow, which may reject the results and cause the Scorecard Action run to fail.
178
+
We understand that this is restrictive, but currently it's necessary to ensure the integrity of our API dataset, since GitHub workflow steps run in the same environment as the job they belong to.
179
+
If possible, we will work on making this feature more flexible so we can drop this requirement in the future.
180
+
181
+
#### Global workflow restrictions
182
+
183
+
* The workflow can't contain top level env vars or defaults.
184
+
* No workflow level write permissions.
185
+
* Only the job with `ossf/scorecard-action` can use `id-token: write` permissions.
186
+
187
+
#### Restrictions on the job containing `ossf/scorecard-action`
188
+
* No job level env vars or defaults.
189
+
* No containers or services
190
+
* The job should run on one of the [Ubuntu hosted runners](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#choosing-github-hosted-runners)
191
+
* The steps running in this job must belong to this approved list of GitHub actions.
192
+
* "actions/checkout"
193
+
* "actions/upload-artifact"
194
+
* "github/codeql-action/upload-sarif"
195
+
* "ossf/scorecard-action"
196
+
* "step-security/harden-runner"
197
+
197
198
### Uploading Artifacts
198
199
The Scorecards Action uses the [artifact uploader action](https://github.com/actions/upload-artifact) to upload results in SARIF format to the Actions tab. These results are available to anybody for five days after the run to help with debugging. To disable the upload, comment out the `Upload Artifact` value in the Workflow Example.
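Review bot: the section now sits directly under Publishing Results, so opening with a link to `#publishing-results` at new line 177 is a self-reference; reword to "When `publish_results: true` is set, our API enforces certain rules on the producing workflow ..." and say that the check happens server-side against the pinned `post_results.go` lines, so the list below may lag the code. Minor style points in the same hunk: "No containers or services" at new line 189 is the only bullet without a terminal period, and the approved-actions sub-list quotes action names while the surrounding bullets use backticks (`ossf/scorecard-action`); pick one convention.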