samples/.github/workflows/scorecards-analysis.yml

name: Scorecards supply-chain security
on:
  # Only the default branch is supported.
  branch_protection_rule:
  push:
    branches: [ main ]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    if: ${{ github.repository == 'flutter/samples' }}
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      actions: read
      contents: read
      id-token: write

    steps:
      - name: "Checkout code"
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af
        with:
          results_file: results.sarif
          results_format: sarif
          # Read-only PAT token. To create it,
          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
          # Publish the results to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories, `publish_results` will automatically be set to `false`,
          # regardless of the value entered here.
          publish_results: true

      # Upload the results as artifacts (optional).
      - name: "Upload artifact"
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@7df0ce34898d659f95c0c4a09eaa8d4e32ee64db
        with:
          sarif_file: results.sarif
Enable scorecards. (#1054) This will help us assess the security posture of this repository. 3 years ago			`name: Scorecards supply-chain security`
			`on:`
			`# Only the default branch is supported.`
			`branch_protection_rule:`
			`push:`
Fix scorecards default branch. (#1275) 2 years ago			`branches: [ main ]`
Enable scorecards. (#1054) This will help us assess the security posture of this repository. 3 years ago
			`# Declare default permissions as read only.`
			`permissions: read-all`

			`jobs:`
			`analysis:`
			`name: Scorecards analysis`
			`runs-on: ubuntu-latest`
			`if: ${{ github.repository == 'flutter/samples' }}`
			`permissions:`
			`# Needed to upload the results to code-scanning dashboard.`
			`security-events: write`
			`actions: read`
			`contents: read`
Manually update scorecard action to v2.0.3 (#1430) 2 years ago			`id-token: write`
Enable scorecards. (#1054) This will help us assess the security posture of this repository. 3 years ago
			`steps:`
			`- name: "Checkout code"`
Bump actions/checkout from 3.5.1 to 3.5.2 (#1737) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.1 to 3.5.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/releases">actions/checkout's releases</a>.</em></p> <blockquote> <h2>v3.5.2</h2> <h2>What's Changed</h2> <ul> <li>Fix: Use correct API url / endpoint in GHES by <a href="https://github.com/fhammerl"><code>@fhammerl</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1289">actions/checkout#1289</a> based on <a href="https://redirect.github.com/actions/checkout/issues/1286">#1286</a> by <a href="https://github.com/1newsr"><code>@1newsr</code></a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v3.5.1...v3.5.2">https://github.com/actions/checkout/compare/v3.5.1...v3.5.2</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <h2>v3.5.2</h2> <ul> <li><a href="https://redirect.github.com/actions/checkout/pull/1289">Fix api endpoint for GHES</a></li> </ul> <h2>v3.5.1</h2> <ul> <li><a href="https://redirect.github.com/actions/checkout/pull/1246">Fix slow checkout on Windows</a></li> </ul> <h2>v3.5.0</h2> <ul> <li><a href="https://redirect.github.com/actions/checkout/pull/1237">Add new public key for known_hosts</a></li> </ul> <h2>v3.4.0</h2> <ul> <li><a href="https://redirect.github.com/actions/checkout/pull/1209">Upgrade codeql actions to v2</a></li> <li><a href="https://redirect.github.com/actions/checkout/pull/1210">Upgrade dependencies</a></li> <li><a href="https://redirect.github.com/actions/checkout/pull/1225">Upgrade <code>@actions/io</code></a></li> </ul> <h2>v3.3.0</h2> <ul> <li><a href="https://redirect.github.com/actions/checkout/pull/1045">Implement branch list using callbacks from exec function</a></li> <li><a href="https://redirect.github.com/actions/checkout/pull/1050">Add in explicit reference to private checkout options</a></li> <li>[Fix comment typos (that got added in <a href="https://redirect.github.com/actions/checkout/issues/770">#770</a>)](<a href="https://redirect.github.com/actions/checkout/pull/1057">actions/checkout#1057</a>)</li> </ul> <h2>v3.2.0</h2> <ul> <li><a href="https://redirect.github.com/actions/checkout/pull/942">Add GitHub Action to perform release</a></li> <li><a href="https://redirect.github.com/actions/checkout/pull/967">Fix status badge</a></li> <li><a href="https://redirect.github.com/actions/checkout/pull/1002">Replace datadog/squid with ubuntu/squid Docker image</a></li> <li><a href="https://redirect.github.com/actions/checkout/pull/964">Wrap pipeline commands for submoduleForeach in quotes</a></li> <li><a href="https://redirect.github.com/actions/checkout/pull/1029">Update <code>@actions/io</code> to 1.1.2</a></li> <li><a href="https://redirect.github.com/actions/checkout/pull/1039">Upgrading version to 3.2.0</a></li> </ul> <h2>v3.1.0</h2> <ul> <li><a href="https://redirect.github.com/actions/checkout/pull/939">Use <code>@actions/core</code> <code>saveState</code> and <code>getState</code></a></li> <li><a href="https://redirect.github.com/actions/checkout/pull/922">Add <code>github-server-url</code> input</a></li> </ul> <h2>v3.0.2</h2> <ul> <li><a href="https://redirect.github.com/actions/checkout/pull/770">Add input <code>set-safe-directory</code></a></li> </ul> <h2>v3.0.1</h2> <ul> <li><a href="https://redirect.github.com/actions/checkout/pull/762">Fixed an issue where checkout failed to run in container jobs due to the new git setting <code>safe.directory</code></a></li> <li><a href="https://redirect.github.com/actions/checkout/pull/744">Bumped various npm package versions</a></li> </ul> <h2>v3.0.0</h2> <ul> <li><a href="https://redirect.github.com/actions/checkout/pull/689">Update to node 16</a></li> </ul> <h2>v2.3.1</h2> <ul> <li><a href="https://redirect.github.com/actions/checkout/pull/284">Fix default branch resolution for .wiki and when using SSH</a></li> </ul> <h2>v2.3.0</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/checkout/commit/8e5e7e5ab8b370d6c329ec480221332ada57f0ab"><code>8e5e7e5</code></a> Release v3.5.2 (<a href="https://redirect.github.com/actions/checkout/issues/1291">#1291</a>)</li> <li><a href="https://github.com/actions/checkout/commit/eb35239ec22e9029a5be28f8c41e67452f615f0f"><code>eb35239</code></a> Fix: convert baseUrl to serverApiUrl 'formatted' (<a href="https://redirect.github.com/actions/checkout/issues/1289">#1289</a>)</li> <li>See full diff in <a href="https://github.com/actions/checkout/compare/83b7061638ee4956cf7545a6f7efe594e5ad0247...8e5e7e5ab8b370d6c329ec480221332ada57f0ab">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/checkout&package-manager=github_actions&previous-version=3.5.1&new-version=3.5.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 1 year ago			`uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`
Enable scorecards. (#1054) This will help us assess the security posture of this repository. 3 years ago			`with:`
			`persist-credentials: false`

			`- name: "Run analysis"`
Bump ossf/scorecard-action from 2.1.2 to 2.1.3 (#1716) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.2 to 2.1.3. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/e38b1902ae4f44df626f11ba0734b14fb91f8f86...80e868c13c90f172d68d1f4501dee99e2479f7af) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2 years ago			`uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af`
Enable scorecards. (#1054) This will help us assess the security posture of this repository. 3 years ago			`with:`
			`results_file: results.sarif`
			`results_format: sarif`
			`# Read-only PAT token. To create it,`
			`# follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.`
			`repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}`
			`# Publish the results to enable scorecard badges. For more details, see`
			`# https://github.com/ossf/scorecard-action#publishing-results.`
			# For private repositories, `publish_results` will automatically be set to `false`,
			`# regardless of the value entered here.`
			`publish_results: true`

			`# Upload the results as artifacts (optional).`
			`- name: "Upload artifact"`
Bump actions/upload-artifact from 3.1.1 to 3.1.2 (#1552) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.1 to 3.1.2. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/83fd05a356d7e2593de66fc9913b3002723633cb...0b7f8abb1508181956e8e162db84b466c27e18ce) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2 years ago			`uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce`
Enable scorecards. (#1054) This will help us assess the security posture of this repository. 3 years ago			`with:`
			`name: SARIF file`
			`path: results.sarif`
			`retention-days: 5`

			`# Upload the results to GitHub's code scanning dashboard.`
			`- name: "Upload to code-scanning"`
Bump github/codeql-action from 2.2.11 to 2.2.12 (#1738) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.11 to 2.2.12. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <h2>[UNRELEASED]</h2> <p>No user facing changes.</p> <h2>2.2.12 - 13 Apr 2023</h2> <ul> <li>Include the value of the <code>GITHUB_RUN_ATTEMPT</code> environment variable in the telemetry sent to GitHub. <a href="https://redirect.github.com/github/codeql-action/pull/1640">#1640</a></li> <li>Improve the ease of debugging failed runs configured using <a href="https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically">default setup</a>. The CodeQL Action will now upload diagnostic information to Code Scanning from failed runs configured using default setup. You can view this diagnostic information on the <a href="https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page">tool status page</a>. <a href="https://redirect.github.com/github/codeql-action/pull/1619">#1619</a></li> </ul> <h2>2.2.11 - 06 Apr 2023</h2> <p>No user facing changes.</p> <h2>2.2.10 - 05 Apr 2023</h2> <ul> <li>Update default CodeQL bundle version to 2.12.6. <a href="https://redirect.github.com/github/codeql-action/pull/1629">#1629</a></li> </ul> <h2>2.2.9 - 27 Mar 2023</h2> <ul> <li>Customers post-processing the SARIF output of the <code>analyze</code> Action before uploading it to Code Scanning will benefit from an improved debugging experience. <a href="https://redirect.github.com/github/codeql-action/pull/1598">#1598</a> <ul> <li>The CodeQL Action will now upload a SARIF file with debugging information to Code Scanning on failed runs for customers using <code>upload: false</code>. Previously, this was only available for customers using the default value of the <code>upload</code> input.</li> <li>The <code>upload</code> input to the <code>analyze</code> Action now accepts the following values: <ul> <li><code>always</code> is the default value, which uploads the SARIF file to Code Scanning for successful and failed runs.</li> <li><code>failure-only</code> is recommended for customers post-processing the SARIF file before uploading it to Code Scanning. This option uploads debugging information to Code Scanning for failed runs to improve the debugging experience.</li> <li><code>never</code> avoids uploading the SARIF file to Code Scanning even if the code scanning run fails. This is not recommended for external users since it complicates debugging.</li> <li>The legacy <code>true</code> and <code>false</code> options will be interpreted as <code>always</code> and <code>failure-only</code> respectively.</li> </ul> </li> </ul> </li> </ul> <h2>2.2.8 - 22 Mar 2023</h2> <ul> <li>Update default CodeQL bundle version to 2.12.5. <a href="https://redirect.github.com/github/codeql-action/pull/1585">#1585</a></li> </ul> <h2>2.2.7 - 15 Mar 2023</h2> <p>No user facing changes.</p> <h2>2.2.6 - 10 Mar 2023</h2> <ul> <li>Update default CodeQL bundle version to 2.12.4. <a href="https://redirect.github.com/github/codeql-action/pull/1561">#1561</a></li> </ul> <h2>2.2.5 - 24 Feb 2023</h2> <ul> <li>Update default CodeQL bundle version to 2.12.3. <a href="https://redirect.github.com/github/codeql-action/pull/1543">#1543</a></li> </ul> <h2>2.2.4 - 10 Feb 2023</h2> <p>No user facing changes.</p> <h2>2.2.3 - 08 Feb 2023</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/codeql-action/commit/7df0ce34898d659f95c0c4a09eaa8d4e32ee64db"><code>7df0ce3</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/1646">#1646</a> from github/update-v2.2.12-d944b3423</li> <li><a href="https://github.com/github/codeql-action/commit/fbedecac345b827920c17b4b3488704f4f5bf0b8"><code>fbedeca</code></a> Update changelog for v2.2.12</li> <li><a href="https://github.com/github/codeql-action/commit/d944b3423d194ae3a11d1d7291ab2f38eb94207a"><code>d944b34</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/1619">#1619</a> from github/henrymercer/default-setup-workflow</li> <li><a href="https://github.com/github/codeql-action/commit/e3210d8ce3ab70ba62248e01804f8ace92086dc3"><code>e3210d8</code></a> Add changelog note</li> <li><a href="https://github.com/github/codeql-action/commit/599f4927f24ee8729768e58d8ba4c60b93bc1833"><code>599f492</code></a> Allow passing the workflow via an environment variable</li> <li><a href="https://github.com/github/codeql-action/commit/ed6c4995fcfc90fa1e870bf955dd15e010cf71e8"><code>ed6c499</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/1645">#1645</a> from github/henrymercer/remove-dependencies</li> <li><a href="https://github.com/github/codeql-action/commit/c2b5d643fdc41c9b28b4930ec55e93dbedf6636d"><code>c2b5d64</code></a> Require xml2js <code>>=0.5.0</code> to address CVE-2023-0842</li> <li><a href="https://github.com/github/codeql-action/commit/9c13316a15486574cee9cd715fe1892201680a31"><code>9c13316</code></a> Remove unused dependencies</li> <li><a href="https://github.com/github/codeql-action/commit/98f7bbd6102f2c11acb5631e38386a1837dca5a5"><code>98f7bbd</code></a> Add <code>workflow_run_attempt</code> data to status report (<a href="https://redirect.github.com/github/codeql-action/issues/1640">#1640</a>)</li> <li><a href="https://github.com/github/codeql-action/commit/d7b9dcdb855b6df190af13376d458258d9dff7ef"><code>d7b9dcd</code></a> Bump peter-evans/create-pull-request from 4.2.4 to 5.0.0 (<a href="https://redirect.github.com/github/codeql-action/issues/1643">#1643</a>)</li> <li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/d186a2a36cc67bfa1b860e6170d37fb9634742c7...7df0ce34898d659f95c0c4a09eaa8d4e32ee64db">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=2.2.11&new-version=2.2.12)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 1 year ago			`uses: github/codeql-action/upload-sarif@7df0ce34898d659f95c0c4a09eaa8d4e32ee64db`
Enable scorecards. (#1054) This will help us assess the security posture of this repository. 3 years ago			`with:`
			`sarif_file: results.sarif`