.github/workflows/scorecards.yml - third_party/openthread - Git at Google

 #
 #  Copyright (c) 2022, The OpenThread Authors.
 #  All rights reserved.
 #
 #  Redistribution and use in source and binary forms, with or without
 #  modification, are permitted provided that the following conditions are met:
 #  1. Redistributions of source code must retain the above copyright
 #     notice, this list of conditions and the following disclaimer.
 #  2. Redistributions in binary form must reproduce the above copyright
 #     notice, this list of conditions and the following disclaimer in the
 #     documentation and/or other materials provided with the distribution.
 #  3. Neither the name of the copyright holder nor the
 #     names of its contributors may be used to endorse or promote products
 #     derived from this software without specific prior written permission.
 #
 #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 #  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 #  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 #  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 #  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 #  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 #  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 #  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 #  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 #  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 #  POSSIBILITY OF SUCH DAMAGE.
 #

 # This workflow uses actions that are not certified by GitHub. They are provided
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.

 name: Scorecards supply-chain security
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
   branch_protection_rule:
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
     - cron: '33 12 * * 0'
   push:
     branches: [ "main" ]

 # Declare default permissions as read only.
 permissions: read-all

 jobs:
   analysis:
     name: Scorecards analysis
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload the results to code-scanning dashboard.
       security-events: write
       # Needed to publish results and get a badge (see publish_results below).
       id-token: write
       # Uncomment the permissions below if installing in a private repository.
       # contents: read
       # actions: read

     steps:
       - name: "Checkout code"
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           persist-credentials: false

       - name: "Run analysis"
         uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
         with:
           results_file: results.sarif
           results_format: sarif
           # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
           # - you want to enable the Branch-Protection check on a *public* repository, or
           # - you are installing Scorecards on a *private* repository
           # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
           # repo_token: ${{ secrets.SCORECARD_TOKEN }}

           # Public repositories:
           #   - Publish results to OpenSSF REST API for easy access by consumers
           #   - Allows the repository to include the Scorecard badge.
           #   - See https://github.com/ossf/scorecard-action#publishing-results.
           # For private repositories:
           #   - `publish_results` will always be set to `false`, regardless
           #     of the value entered here.
           publish_results: true

       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5

       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
         uses: github/codeql-action/upload-sarif@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.1.27
         with:
           sarif_file: results.sarif
	#
	# Copyright (c) 2022, The OpenThread Authors.
	# All rights reserved.
	#
	# Redistribution and use in source and binary forms, with or without
	# modification, are permitted provided that the following conditions are met:
	# 1. Redistributions of source code must retain the above copyright
	# notice, this list of conditions and the following disclaimer.
	# 2. Redistributions in binary form must reproduce the above copyright
	# notice, this list of conditions and the following disclaimer in the
	# documentation and/or other materials provided with the distribution.
	# 3. Neither the name of the copyright holder nor the
	# names of its contributors may be used to endorse or promote products
	# derived from this software without specific prior written permission.
	#
	# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
	# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
	# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
	# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	# POSSIBILITY OF SUCH DAMAGE.
	#

	# This workflow uses actions that are not certified by GitHub. They are provided
	# by a third-party and are governed by separate terms of service, privacy
	# policy, and support documentation.

	name: Scorecards supply-chain security
	on:
	# For Branch-Protection check. Only the default branch is supported. See
	# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
	branch_protection_rule:
	# To guarantee Maintained check is occasionally updated. See
	# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
	schedule:
	- cron: '33 12 * * 0'
	push:
	branches: [ "main" ]

	# Declare default permissions as read only.
	permissions: read-all

	jobs:
	analysis:
	name: Scorecards analysis
	runs-on: ubuntu-latest
	permissions:
	# Needed to upload the results to code-scanning dashboard.
	security-events: write
	# Needed to publish results and get a badge (see publish_results below).
	id-token: write
	# Uncomment the permissions below if installing in a private repository.
	# contents: read
	# actions: read

	steps:
	- name: "Checkout code"
	uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
	with:
	persist-credentials: false

	- name: "Run analysis"
	uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
	with:
	results_file: results.sarif
	results_format: sarif
	# (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
	# - you want to enable the Branch-Protection check on a public repository, or
	# - you are installing Scorecards on a private repository
	# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
	# repo_token: ${{ secrets.SCORECARD_TOKEN }}

	# Public repositories:
	# - Publish results to OpenSSF REST API for easy access by consumers
	# - Allows the repository to include the Scorecard badge.
	# - See https://github.com/ossf/scorecard-action#publishing-results.
	# For private repositories:
	# - `publish_results` will always be set to `false`, regardless
	# of the value entered here.
	publish_results: true

	# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
	# format to the repository Actions tab.
	- name: "Upload artifact"
	uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.0
	with:
	name: SARIF file
	path: results.sarif
	retention-days: 5

	# Upload the results to GitHub's code scanning dashboard.
	- name: "Upload to code-scanning"
	uses: github/codeql-action/upload-sarif@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.1.27
	with:
	sarif_file: results.sarif