gh-99668: add OpenSSF Scorecard GitHub Action and badge

alex-semenyuk · alex-semenyuk · commit 0354575110d0 · 2025-02-23T23:08:49.000+05:00
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,46 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '24 7 * * 4'
+  push:
+    branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
diff --git a/Misc/NEWS.d/next/Security/2025-02-23-22-30-01.gh-issue-99668.KlKXwO.rst b/Misc/NEWS.d/next/Security/2025-02-23-22-30-01.gh-issue-99668.KlKXwO.rst
@@ -0,0 +1,3 @@
+Add OpenSSF Scorecard GitHub Action which performs dozens of automated
+checks to ensure the project's security posture is solid and badge which
+shows OpenSSF Scorecard score.
diff --git a/README.rst b/README.rst
@@ -9,6 +9,10 @@ This is Python version 3.14.0 alpha 5
    :alt: CPython build status on Azure DevOps
    :target: https://dev.azure.com/python/cpython/_build/latest?definitionId=4&branchName=main
 
+.. image:: https://api.scorecard.dev/projects/github.com/python/cpython/badge
+   :alt: OpenSSF Scorecard
+   :target: https://scorecard.dev/viewer/?uri=github.com/python/cpython
+
 .. image:: https://img.shields.io/badge/discourse-join_chat-brightgreen.svg
    :alt: Python Discourse chat
    :target: https://discuss.python.org/

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Add OpenSSF Scorecard GitHub Action which performs dozens of automated`
	`2`	`+checks to ensure the project's security posture is solid and badge which`
	`3`	`+shows OpenSSF Scorecard score.`