From 87971a702678e519b2a8f9a89753aa48b9d8ba1a Mon Sep 17 00:00:00 2001
From: Sebastian Schuberth
Date: Thu, 11 Jul 2024 08:33:30 +0200
Subject: [PATCH] ci(github): Run OpenSSF Scorecard analysis

Note that the `scorecard-action` does not currently offer conventional major-version-only tags, so the concrete version needs to be hard-coded.
Signed-off-by: Sebastian Schuberth
---
 .github/workflows/static-analysis.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index c76a98d65eba..253a836d3049 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -114,3 +114,25 @@ jobs:
 run: |
 pip install --user reuse
 ~/.local/bin/reuse lint
+ scorecard-analysis:
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed for SARIF scanning upload.
+ security-events: write
+ # Needed for GitHub OIDC token if `publish_results` is true.
+ id-token: write
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: Run Analysis
+ uses: ossf/scorecard-action@v2.3.3
+ with:
+ results_file: ossf-results.sarif
+ results_format: sarif
+ publish_results: true
+ - name: Upload Code Scanning Results
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ossf-results.sarif
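Review bot: The three `uses:` lines in the new job pin actions to mutable tags (`actions/checkout@v4`, `ossf/scorecard-action@v2.3.3`, `github/codeql-action/upload-sarif@v3`), so the job that measures the Pinned-Dependencies check will itself fail it, and anyone who can move one of those tags controls what runs with `id-token: write` and `security-events: write`. Pinning each to its full commit SHA with the version as a trailing comment still gives the hard-coded version the commit message asks for, e.g. `uses: ossf/scorecard-action@<commit-sha>  # v2.3.3` (placeholder; substitute the SHA each tag resolves to). The job-level `permissions` block omits `contents: read` and `actions: read`, which scorecard-action documents as required when the repository is private; the workflow's `on:` triggers are outside the hunk, so whether this job runs only on the default branch, as `publish_results: true` expects, cannot be confirmed here.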