Add Scorecard Action

[diogoteles08]

Closes #69736

[llvmbot]

@llvm/pr-subscribers-github-workflow

Author: Diogo Teles Sant'Anna (diogoteles08)

Changes

Closes #69736

---

Full diff: https://github.com/llvm/llvm-project/pull/69933.diff

1 Files Affected:

• (added) .github/workflows/scorecard.yml (+61)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 000000000000000..145e36febfd760c
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,61 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '38 20 * * 4'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions:
+  contents: read
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write      
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.      
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        with:
+          sarif_file: results.sarif

[diogoteles08]

@tstellar Sorry, I think I can't add you as reviewer ><
But pinging you here with the same goal =)

[tstellar]

LGTM.

[tstellar]

Could add a comment with a link for where to view the results?

[diogoteles08]

Of course!

Additionally, we also have a Scorecard badge that you can make more easily accessible in your README. I'd also happy to add this if you agree.

[tstellar]

@diogoteles08 Sure I think we can add that.

[diogoteles08]

Done!

[tstellar]

I just noticed that this runs for every push. I think it's causing us to go over the API limits, so I'm going to drop this part of the patch. What's the downsides of not running it for every push.

[diogoteles08]

Hi! Sorry for the late reply.
Totally understand the problems with API limits, we're facing them as well haha
The downside would be mostly not having Scorecard always up to date with the code on main, but that shouldn't be a huge problem considering we've already scheduled a cronjob to run it periodically. As it is now, we're running it "At 20:38 on every Thursday", which should already be fine. If you think it wouldn't hurt your API limits, we could change it to run it daily, on a period that the API is least used, and it would be even smoother.

[tstellar]

Ok, I switched the job to run once per day in 67a53ae.