ci: add openssf scorecard analysis workflow

Fixes: #67
afuetterer · Oct 25, 2023 · 24b9f1c · 24b9f1c
1 parent 204b7a9
commit 24b9f1c
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 1 deletion.
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -0,0 +1,44 @@
+# This CI job is adapted from:
+# Scorecards' GitHub action (2013-09-12), Apache License 2.0
+# Ref: https://github.com/ossf/scorecard-action/blob/8d9d91b01b9389de406141fb47b98726a399e1ea/README.md?plain=1#L198
+
+name: Scorecard analysis
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    # run once a month at midnight of the first day of the month
+  - cron: 0 0 1 * *
+  push:
+    branches: [main]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-22.04
+    permissions:
+      # Needed if using Code scanning alerts
+      security-events: write
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
+    steps:
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      with:
+        persist-credentials: false
+    # Ref: https://github.com/ossf/scorecard-action
+    - name: Run scorecard analysis
+      uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af   # v2.1.3
+      with:
+        results_file: results.sarif
+        results_format: sarif
+        # Ref: https://github.com/ossf/scorecard-action#publishing-results.
+        publish_results: true
+
+      # # required for Code scanning alerts
+      # - name: "Upload SARIF results to code scanning"
+      #   uses: github/codeql-action/upload-sarif@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6
+      #   with:
+      #     sarif_file: results.sarif
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@ This is a community maintained fork of the original [sickle](https://github.com/
 | --- | --- |
 | CI | [![ci][ci-badge]][ci-workflow] [![coverage][coverage-badge]][ci-workflow] |
 | Docs | [![docs][docs-badge]][docs-workflow] |
-| Meta | [![hatch][hatch-badge]][hatch] [![pre-commit enabled][pre-commit-badge]][pre-commit] [![ruff][ruff-badge]][ruff] |
+| Meta | [![OpenSSF Scorecard][scorecard-badge]][scorecard-url] [![hatch][hatch-badge]][hatch] [![pre-commit enabled][pre-commit-badge]][pre-commit] [![ruff][ruff-badge]][ruff] |
 
 oaipmh-scythe is a lightweight [OAI-PMH](http://www.openarchives.org/OAI/openarchivesprotocol.html)
 client library written in Python. It has been designed for conveniently retrieving data from OAI interfaces the Pythonic way:
@@ -57,6 +57,8 @@ oaipmh-scythe is distributed under the terms of the [BSD](https://spdx.org/licen
 [docs-url]: https://afuetterer.github.io/oaipmh-scythe
 [docs-workflow]: https://github.com/afuetterer/oaipmh-scythe/actions/workflows/docs.yml
 [docs-badge]: https://github.com/afuetterer/oaipmh-scythe/actions/workflows/docs.yml/badge.svg
+[scorecard-url]: https://securityscorecards.dev/viewer/?uri=github.com/afuetterer/oaipmh-scythe
+[scorecard-badge]: https://api.securityscorecards.dev/projects/github.com/afuetterer/oaipmh-scythe/badge
 <!-- static -->
 [license]: https://opensource.org/licenses/MIT
 [hatch]: https://github.com/pypa/hatch