1 file changed, +9 -4 lines changed

@@ -8,10 +8,15 @@ The Scorecards GitHub Action is free for all public repositories. Private reposi
88
99## Breaking changes in v2
1010
11- Starting from scorecard-action: v2 , ` GITHUB_TOKEN ` permissions needs to incude
12- ` token_id: write ` for ` publish_results: true ` . This is needed to access GitHub's
13- OIDC token whuch verifies the authenticity of the result when publishing it.
14-
11+ Starting from scorecard-action: v2 , ` GITHUB_TOKEN ` permissions or job permissions needs to incude
12+ ` id-token: write ` for ` publish_results: true ` . This is needed to access GitHub's
13+ OIDC token which verifies the authenticity of the result when publishing it.
14+
15+ scorecard-action: v2 also requires that the steps in the job running ossf/scorecard-action step
16+ only belong to an approved list of GitHub actions - "actions/checkout", "actions/upload-artifact", "github/codeql-action/upload-sarif".
17+ We understand that this is restrictive but currently this is needed given that GitHub workflow steps belonging to a job
18+ run in the same environment. To ensure the integrity of the results we publish, we are currently making this restriction a requirement
19+ while we work on making this feature more flexible without needing these restrictions.
1520________
1621[ Installation] ( #installation )
1722- [ Authentication] ( #authentication-with-pat )
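Review bot: the rewritten first added line still carries the typo "incude" and a subject/verb mismatch ("permissions ... needs to incude"); suggest "`GITHUB_TOKEN` permissions or job permissions need to include `id-token: write`", which also reads naturally with the key-name fix from `token_id` to `id-token` (the latter is the permission key GitHub actually recognises, so that correction is the substantive part of this hunk). In the new paragraph on the approved-action list, "the steps in the job running ossf/scorecard-action step only belong to an approved list of GitHub actions" is hard to parse; suggest "every step in the job that runs ossf/scorecard-action must use one of the approved actions: actions/checkout, actions/upload-artifact, github/codeql-action/upload-sarif", and state explicitly whether this applies only when `publish_results: true`, since the preceding paragraph ties the OIDC requirement to that setting but this one does not say.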