|
| 1 | +# This workflow uses actions that are not certified by GitHub. |
| 2 | +# They are provided by a third-party and are governed by |
| 3 | +# separate terms of service, privacy policy, and support |
| 4 | +# documentation. |
| 5 | + |
1 | 6 | # This workflow integrates a collection of open source static analysis tools |
2 | 7 | # with GitHub code scanning. For documentation, or to provide feedback, visit |
3 | 8 | # https://github.com/github/ossar-action |
4 | 9 | name: OSSAR |
5 | 10 |
|
6 | 11 | on: |
7 | 12 | push: |
8 | | - branches: |
9 | | - - main |
10 | | - - renovate/** |
| 13 | + branches: [ "main" ] |
11 | 14 | pull_request: |
| 15 | + # The branches below must be a subset of the branches above |
| 16 | + branches: [ "main" ] |
| 17 | + schedule: |
| 18 | + - cron: '42 15 * * 2' |
| 19 | + |
| 20 | +permissions: |
| 21 | + contents: read |
12 | 22 |
|
13 | 23 | jobs: |
14 | 24 | OSSAR-Scan: |
15 | 25 | # OSSAR runs on windows-latest. |
16 | 26 | # ubuntu-latest and macos-latest support coming soon |
| 27 | + permissions: |
| 28 | + contents: read # for actions/checkout to fetch code |
| 29 | + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results |
| 30 | + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status |
17 | 31 | runs-on: windows-latest |
18 | | - if: "!startsWith(github.head_ref, 'renovate/')" |
19 | 32 |
|
20 | 33 | steps: |
21 | | - # Checkout your code repository to scan |
22 | 34 | - name: Checkout repository |
23 | | - uses: actions/checkout@v6 |
24 | | - with: |
25 | | - # We must fetch at least the immediate parents so that if this is |
26 | | - # a pull request then we can checkout the head. |
27 | | - fetch-depth: 2 |
28 | | - |
29 | | - # If this run was triggered by a pull request event, then checkout |
30 | | - # the head of the pull request instead of the merge commit. |
31 | | - - run: git checkout HEAD^2 |
32 | | - if: ${{ github.event_name == 'pull_request' }} |
33 | | - |
34 | | - # Ensure a compatible version of dotnet is installed. |
35 | | - # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. |
36 | | - # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. |
37 | | - # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. |
38 | | - # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: |
39 | | - # - name: Install .NET |
40 | | - # uses: actions/setup-dotnet@v1 |
41 | | - # with: |
42 | | - # dotnet-version: '3.1.x' |
| 35 | + uses: actions/checkout@v4 |
43 | 36 |
|
44 | 37 | # Run open source static analysis tools |
45 | 38 | - name: Run OSSAR |
|
48 | 41 |
|
49 | 42 | # Upload results to the Security tab |
50 | 43 | - name: Upload OSSAR results |
51 | | - uses: github/codeql-action/upload-sarif@v4 |
| 44 | + uses: github/codeql-action/upload-sarif@v3 |
52 | 45 | with: |
53 | 46 | sarif_file: ${{ steps.ossar.outputs.sarifFile }} |
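Review bot: The new side moves `actions/checkout` back from `@v6` to `@v4` (new line 35) and `github/codeql-action/upload-sarif` back from `@v4` to `@v3` (new line 44), so this commit downgrades both actions relative to what the workflow was already running. The removed `renovate/**` trigger and the removed `renovate/` head_ref guard suggest Renovate had been bumping these references, which makes the downgrade look like the upstream starter template being reapplied over a maintained file rather than an intentional change; if so, Renovate will simply re-open bump PRs on its next run. Keep the previously pinned majors, `uses: actions/checkout@v6` and `uses: github/codeql-action/upload-sarif@v4`, unless a known incompatibility with ossar-action forces the older ones. The `Run OSSAR` step's own `uses:` line is collapsed out of view here, so I cannot tell whether its pin changed as well. Consider pinning all three actions to a full commit SHA with the major version as a trailing comment, since this job holds `security-events: write` and a mutable tag is the weakest reference for that privilege.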