scorecard.yaml

# Copyright 2024 Defense Unicorns
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

name: Scorecards supply-chain security
on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: ["main"]

# Declare default permissions as read only.
permissions: read-all

jobs:
  validate:
    permissions:
      actions: read
      attestations: read
      checks: read
      contents: read
      deployments: read
      discussions: read
      issues: read
      packages: read
      pages: read
      pull-requests: read
      repository-projects: read
      statuses: read
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Used to receive a badge.
      id-token: write
    uses: defenseunicorns/uds-common/.github/workflows/callable-scorecard.yaml@c52077c870a576d01f169f96d74d1b393c6488ba # v1.1.2
    secrets: inherit