From b7ef45cf36328b77bf5fb702269b9581939f95d7 Mon Sep 17 00:00:00 2001
From: Nick Wilson
Date: Fri, 6 Dec 2024 17:41:12 +0000
Subject: [PATCH] Update scorecard-V2 PAT, and tweak workflow triggers
---
 .github/workflows/build.yml | 7 ++++++-
 .github/workflows/cifuzz.yml | 5 ++++-
 .github/workflows/clang-analyzer.yml | 7 ++++++-
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/dev.yml | 7 ++++++-
 .github/workflows/scorecards.yml | 10 +++++-----
 6 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8d71cdaae..35f959c5b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,5 +1,10 @@
 name: Build
-on: [push, pull_request]
+on:
+ workflow_dispatch:
+ push:
+ branches: [ master, "release/**" ]
+ pull_request:
+ branches: [ master ]
 permissions:
 contents: read
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index 805fa3c0c..919ef0d7d 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -1,5 +1,8 @@
 name: CIFuzz
-on: [pull_request]
+on:
+ workflow_dispatch:
+ pull_request:
+ branches: [ master ]
 permissions:
 contents: read
diff --git a/.github/workflows/clang-analyzer.yml b/.github/workflows/clang-analyzer.yml
index 55128ea1d..d6b3da6a7 100644
--- a/.github/workflows/clang-analyzer.yml
+++ b/.github/workflows/clang-analyzer.yml
@@ -1,5 +1,10 @@
 name: Clang Static Analyzer
-on: [push, pull_request]
+on:
+ workflow_dispatch:
+ push:
+ branches: [ master, "release/**" ]
+ pull_request:
+ branches: [ master ]
 permissions:
 contents: read
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 190e9c230..90403a55c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -13,7 +13,7 @@ name: "CodeQL"
 on:
 push:
- branches: [ master ]
+ branches: [ master, "release/**" ]
 pull_request:
 # The branches below must be a subset of the branches above
 branches: [ master ]
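Review bot: The new `pull_request` filter `branches: [ master ]` means pull requests whose base is a `release/**` branch no longer trigger this workflow, even though pushes to those branches now do; under the old `on: [push, pull_request]` both ran. If release branches receive pull requests, mirror the push filter on the PR side: `pull_request:` / `branches: [ master, "release/**" ]`. The same asymmetry appears in the cifuzz.yml, clang-analyzer.yml and dev.yml hunks (dev.yml is on the next line); codeql.yml keeps the narrower PR filter deliberately per its existing "must be a subset" comment, so it is fine as is. The added `workflow_dispatch:` trigger carries no comment; a one-liner such as `# Manual runs, e.g. to re-check a branch without pushing.` would record the intent.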
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index 0f064d0ca..113a720a4 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@@ -1,5 +1,10 @@
 name: Dev
-on: [push, pull_request]
+on:
+ workflow_dispatch:
+ push:
+ branches: [ master, "release/**" ]
+ pull_request:
+ branches: [ master ]
 permissions:
 contents: read
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 690dbd323..aff4d19ca 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -1,5 +1,6 @@
 name: Scorecards supply-chain security
 on:
+ workflow_dispatch:
 # Only the default branch is supported.
 branch_protection_rule:
 schedule:
@@ -7,8 +8,7 @@ on:
 push:
 branches: [ master ]
-permissions:
- contents: read
+permissions: read-all
 jobs:
 analysis:
@@ -18,6 +18,8 @@ jobs:
 permissions:
 # Needed to upload the results to code-scanning dashboard.
 security-events: write
+ # Needed to publish the results to Scorecard's service.
+ id-token: write
 actions: read
 contents: read
@@ -33,9 +35,7 @@ jobs:
 with:
 results_file: results.sarif
 results_format: sarif
- # Read-only PAT token. To create it,
- # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
- repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+ # repo_token: ${{ secrets.GITHUB_TOKEN }}
 # Publish the results to enable scorecard badges. For more details, see
 # https://github.com/ossf/scorecard-action#publishing-results.
 # For private repositories, `publish_results` will automatically be set to `false`,
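Review bot: `permissions: read-all` widens the workflow-level default from the previous `contents: read` to every read scope of the job token. That default only applies to jobs that declare no `permissions:` block of their own, and the `analysis` job does declare one (the `@@ -18,6 +18,8 @@` hunk edits it), so the wider default appears to buy nothing here while leaving any job added later without a block over-privileged. Either keep the narrower top-level `permissions:` / `  contents: read`, or add a comment above `read-all` stating why the broader default is wanted. The `jobs:` mapping this sits above continues past the end of the hunk.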
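Review bot: `id-token: write` lets every step of the `analysis` job request an OIDC token, yet the accompanying comment says it is needed only to publish results, which the later `@@ -33,9 +35,7 @@` hunk ties to the `publish_results` input. If publishing is disabled for this repository the grant should be dropped; if it is enabled, the comment should name the input it depends on, e.g. `# Needed (OIDC) only when publish_results is true; remove if results are not published.` The job's `permissions:` block begins before this hunk and the `steps:` it governs lie outside it.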
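Review bot: The replacement line `# repo_token: ${{ secrets.GITHUB_TOKEN }}` is a commented-out setting with no explanation, so a reader cannot tell whether `repo_token` was dropped on purpose or left half-migrated; the two explanatory comment lines removed alongside `SCORECARD_READ_TOKEN` are not replaced by anything. If the intent is to rely on the action's default token (which the commented value suggests, though the action's default is not visible here), say so: `# repo_token is intentionally omitted; the action's default token is sufficient.` Separately, nothing in the patch references `SCORECARD_READ_TOKEN` any more, so if that PAT is still configured as a repository secret it should be revoked and deleted rather than left dormant. The `with:` block continues past the end of the hunk.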