mirror of
https://github.com/jj-vcs/jj.git
synced 2026-07-08 18:13:08 +08:00
Bumps the github-dependencies group with 4 updates: [actions/checkout](https://github.com/actions/checkout), [taiki-e/install-action](https://github.com/taiki-e/install-action), [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) and [github/codeql-action](https://github.com/github/codeql-action). Updates `actions/checkout` from 6.0.0 to 6.0.1 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](1af3b93b68...8e8c483db8) Updates `taiki-e/install-action` from 2.62.60 to 2.62.63 - [Release notes](https://github.com/taiki-e/install-action/releases) - [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md) - [Commits](3575e53270...50708e9ba8) Updates `astral-sh/setup-uv` from 7.1.4 to 7.1.5 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](1e862dfacb...ed21f2f24f) Updates `github/codeql-action` from 4.31.6 to 4.31.7 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](fe4161a26a...cf1bb45a27) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-dependencies - dependency-name: taiki-e/install-action dependency-version: 2.62.63 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-dependencies - dependency-name: astral-sh/setup-uv dependency-version: 7.1.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-dependencies - dependency-name: github/codeql-action dependency-version: 4.31.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>
52 lines
1.6 KiB
YAML
52 lines
1.6 KiB
YAML
name: Scorecards supply-chain security
|
|
on:
|
|
# Only the default branch is supported.
|
|
branch_protection_rule:
|
|
schedule:
|
|
- cron: '17 3 * * 1'
|
|
push:
|
|
branches: [ main ]
|
|
|
|
# No default permissions
|
|
permissions: {}
|
|
|
|
jobs:
|
|
analysis:
|
|
name: Scorecards analysis
|
|
runs-on: ubuntu-24.04
|
|
permissions:
|
|
# Needed to upload the results to code-scanning dashboard.
|
|
security-events: write
|
|
id-token: write
|
|
|
|
steps:
|
|
- name: "Checkout code"
|
|
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: "Run analysis"
|
|
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
|
|
with:
|
|
results_file: results.sarif
|
|
results_format: sarif
|
|
# Publish the results to enable scorecard badges. For more details, see
|
|
# https://github.com/ossf/scorecard-action#publishing-results.
|
|
# For private repositories, `publish_results` will automatically be set to `false`,
|
|
# regardless of the value entered here.
|
|
publish_results: true
|
|
|
|
# Upload the results as artifacts (optional).
|
|
- name: "Upload artifact"
|
|
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
|
|
with:
|
|
name: SARIF file
|
|
path: results.sarif
|
|
retention-days: 5
|
|
|
|
# Upload the results to GitHub's code scanning dashboard.
|
|
- name: "Upload to code-scanning"
|
|
uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412
|
|
with:
|
|
sarif_file: results.sarif
|