samples/.github/workflows/scorecards-analysis.yml

name: Scorecards supply-chain security
on:
  # Only the default branch is supported.
  branch_protection_rule:
  push:
    branches: [ main ]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    if: ${{ github.repository == 'flutter/samples' }}
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      actions: read
      contents: read
      id-token: write

    steps:
      - name: "Checkout code"
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736
        with:
          results_file: results.sarif
          results_format: sarif
          # Read-only PAT token. To create it,
          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
          # Publish the results to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories, `publish_results` will automatically be set to `false`,
          # regardless of the value entered here.
          publish_results: true

      # Upload the results as artifacts (optional).
      - name: "Upload artifact"
        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a
        with:
          sarif_file: results.sarif
Enable scorecards. (#1054) This will help us assess the security posture of this repository. 2 years ago			`name: Scorecards supply-chain security`
			`on:`
			`# Only the default branch is supported.`
			`branch_protection_rule:`
			`push:`
Fix scorecards default branch. (#1275) 2 years ago			`branches: [ main ]`
Enable scorecards. (#1054) This will help us assess the security posture of this repository. 2 years ago
			`# Declare default permissions as read only.`
			`permissions: read-all`

			`jobs:`
			`analysis:`
			`name: Scorecards analysis`
			`runs-on: ubuntu-latest`
			`if: ${{ github.repository == 'flutter/samples' }}`
			`permissions:`
			`# Needed to upload the results to code-scanning dashboard.`
			`security-events: write`
			`actions: read`
			`contents: read`
Manually update scorecard action to v2.0.3 (#1430) 2 years ago			`id-token: write`
Enable scorecards. (#1054) This will help us assess the security posture of this repository. 2 years ago
			`steps:`
			`- name: "Checkout code"`
Bump actions/checkout from 4.1.0 to 4.1.1 (#2043) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/releases">actions/checkout's releases</a>.</em></p> <blockquote> <h2>v4.1.1</h2> <h2>What's Changed</h2> <ul> <li>Update CODEOWNERS to Launch team by <a href="https://github.com/joshmgross"><code>@âjoshmgross</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1510">actions/checkout#1510</a></li> <li>Correct link to GitHub Docs by <a href="https://github.com/peterbe"><code>@âpeterbe</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1511">actions/checkout#1511</a></li> <li>Link to release page from what's new section by <a href="https://github.com/cory-miller"><code>@âcory-miller</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1514">actions/checkout#1514</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/joshmgross"><code>@âjoshmgross</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/1510">actions/checkout#1510</a></li> <li><a href="https://github.com/peterbe"><code>@âpeterbe</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/1511">actions/checkout#1511</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v4...v4.1.1">https://github.com/actions/checkout/compare/v4...v4.1.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/checkout/commit/b4ffde65f46336ab88eb53be808477a3936bae11"><code>b4ffde6</code></a> Link to release page from what's new section (<a href="https://redirect.github.com/actions/checkout/issues/1514">#1514</a>)</li> <li><a href="https://github.com/actions/checkout/commit/8530928916aaef40f59e6f221989ccb31f5759e7"><code>8530928</code></a> Correct link to GitHub Docs (<a href="https://redirect.github.com/actions/checkout/issues/1511">#1511</a>)</li> <li><a href="https://github.com/actions/checkout/commit/7cdaf2fbc075e6f3b9ca94cfd6cec5adc8a75622"><code>7cdaf2f</code></a> Update CODEOWNERS to Launch team (<a href="https://redirect.github.com/actions/checkout/issues/1510">#1510</a>)</li> <li>See full diff in <a href="https://github.com/actions/checkout/compare/8ade135a41bc03ea155e62e844d188df1ea18608...b4ffde65f46336ab88eb53be808477a3936bae11">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/checkout&package-manager=github_actions&previous-version=4.1.0&new-version=4.1.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> 10 months ago			`uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11`
Enable scorecards. (#1054) This will help us assess the security posture of this repository. 2 years ago			`with:`
			`persist-credentials: false`

			`- name: "Run analysis"`
Bump ossf/scorecard-action from 2.3.0 to 2.3.1 (#2068) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.0 to 2.3.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ossf/scorecard-action/releases">ossf/scorecard-action's releases</a>.</em></p> <blockquote> <h2>v2.3.1</h2> <h2>What's Changed</h2> <ul> <li>:seedling: Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 by <a href="https://github.com/spencerschrock"><code>@âspencerschrock</code></a> in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1282">ossf/scorecard-action#1282</a> <ul> <li>Adds additional Fuzzing detection and fixes a SAST bug related to detecting CodeQL. For a full changelist of what this includes, see the <a href="https://github.com/ossf/scorecard/releases/tag/v4.13.1">v4.13.1</a> release notes</li> </ul> </li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1">https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ossf/scorecard-action/commit/0864cf19026789058feabb7e87baa5f140aac736"><code>0864cf1</code></a> :seedling: Bump docker tag to for v2.3.1 release (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1284">#1284</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/72df3bff668d052aaec251accaffec0b280410fb"><code>72df3bf</code></a> :seedling: Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1282">#1282</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/0ea411f94ac145b6fd793458b7f75ebbe7ae0a8f"><code>0ea411f</code></a> :seedling: Bump the docker-images group with 1 update (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1281">#1281</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/dbfd042453ccc43ade96943685dbece2dd86bbae"><code>dbfd042</code></a> :seedling: Bump the github-actions group with 1 update (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1280">#1280</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/2fa1e2fa153141e2950c7e1299ed05e2081ead0c"><code>2fa1e2f</code></a> :seedling: Bump golang.org/x/net from 0.16.0 to 0.17.0 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1278">#1278</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/652ddd06c802ac1ba4021a9f02978dc5150b223e"><code>652ddd0</code></a> :seedling: Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1277">#1277</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/28d0c92b8bb9dd266a8cf4dde7bae71c06a0c62f"><code>28d0c92</code></a> :seedling: Group Dependabot updates for GitHub Actions and Dockerfiles (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1276">#1276</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/cb50491a46a858cb57669a16a720b7a00e1f9d29"><code>cb50491</code></a> :seedling: Bump distroless/base from <code>a35b652</code> to <code>b31a6e0</code> (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1275">#1275</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/87157ac77d7ec18a631049bc92fdac7ee63a471a"><code>87157ac</code></a> :seedling: Bump github/codeql-action from 2.21.9 to 2.22.1 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1274">#1274</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/7c1648b23e27a96acf7c3842fd1921d16bd8d4d2"><code>7c1648b</code></a> :seedling: Bump step-security/harden-runner from 2.5.1 to 2.6.0 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1273">#1273</a>)</li> <li>Additional commits viewable in <a href="https://github.com/ossf/scorecard-action/compare/483ef80eb98fb506c348f7d62e28055e49fe2398...0864cf19026789058feabb7e87baa5f140aac736">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ossf/scorecard-action&package-manager=github_actions&previous-version=2.3.0&new-version=2.3.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> 10 months ago			`uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736`
Enable scorecards. (#1054) This will help us assess the security posture of this repository. 2 years ago			`with:`
			`results_file: results.sarif`
			`results_format: sarif`
			`# Read-only PAT token. To create it,`
			`# follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.`
			`repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}`
			`# Publish the results to enable scorecard badges. For more details, see`
			`# https://github.com/ossf/scorecard-action#publishing-results.`
			# For private repositories, `publish_results` will automatically be set to `false`,
			`# regardless of the value entered here.`
			`publish_results: true`

			`# Upload the results as artifacts (optional).`
			`- name: "Upload artifact"`
Bump actions/upload-artifact from 3.1.3 to 4.0.0 (#2117) 8 months ago			`uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392`
Enable scorecards. (#1054) This will help us assess the security posture of this repository. 2 years ago			`with:`
			`name: SARIF file`
			`path: results.sarif`
			`retention-days: 5`

			`# Upload the results to GitHub's code scanning dashboard.`
			`- name: "Upload to code-scanning"`
Bump github/codeql-action from 2.3.6 to 2.13.4 (#1891) 1 year ago			`uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a`
Enable scorecards. (#1054) This will help us assess the security posture of this repository. 2 years ago			`with:`
			`sarif_file: results.sarif`