Update GHA for OpenSSF score analysis (#75)

gab-arrobo · web-flow · commit 53d4a4132109 · 2025-12-09T15:17:26.000-08:00
* Update GHA for OpenSSF score analysis

Signed-off-by: Arrobo, Gabriel &lt;gabriel.arrobo@intel.com&gt;

* Address Copilot's comment

Signed-off-by: Arrobo, Gabriel &lt;gabriel.arrobo@intel.com&gt;

---------

Signed-off-by: Arrobo, Gabriel &lt;gabriel.arrobo@intel.com&gt;
diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
@@ -10,18 +10,47 @@ on:
         required: false
         type: string
         default: ${{ github.ref }}
+      publish_results:
+        description: "Whether to publish results for badge generation"
+        required: false
+        type: boolean
+        default: true
+      retention_days:
+        description: "Days to retain SARIF artifact"
+        required: false
+        type: number
+        default: 5
+      allowed_orgs:
+        description: "Comma-separated list of allowed repository owners"
+        required: false
+        type: string
+        default: "omec-project"
 
 permissions: read-all
 
 jobs:
   score-analysis:
     runs-on: ubuntu-latest
-    if: github.repository_owner == 'omec-project'
+    if: contains(fromJSON(format('["{0}"]', join('","', split(inputs.allowed_orgs, ',')))), github.repository_owner)
     permissions:
+      # Needed to upload the results to code-scanning dashboard.
       security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
       id-token: write
+      contents: read
+      actions: read
+      # To allow GraphQL ListCommits to work
+      issues: read
+      pull-requests: read
+      # To detect SAST tools
+      checks: read
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2.13.2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v6
         with:
           ref: ${{ inputs.branch_name }}
@@ -32,17 +61,16 @@ jobs:
         with:
           results_file: results.sarif
           results_format: sarif
-          publish_results: true
+          publish_results: ${{ inputs.publish_results }}
 
       - name: Upload artifact
         uses: actions/upload-artifact@v5.0.0
         with:
           name: SARIF file
           path: results.sarif
-          retention-days: 5
+          retention-days: ${{ inputs.retention_days }}
 
-      # Disabling upload to code-scanning
-      # - name: Upload to code-scanning
-      #   uses: github/codeql-action/upload-sarif@v3
-      #   with:
-      #     sarif_file: results.sarif
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.0.2-dev
+0.0.2
