quantumlib
diff --git a/‎.github/workflows/ossf-scorecard.yaml‎
Lines changed: 0 additions & 72 deletions b/‎.github/workflows/ossf-scorecard.yaml‎
Lines changed: 0 additions & 72 deletions
diff --git a/‎.github/workflows/scorecard-scanner.yaml‎
Lines changed: 109 additions & 0 deletions b/‎.github/workflows/scorecard-scanner.yaml‎
Lines changed: 109 additions & 0 deletions
@@ -0,0 +1,109 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Summary: run the OSSF Scorecard scanner on PRs and every night.
+#
+# Scorecard (https://github.com/ossf/scorecard) is a repository-scanning tool
+# that evaluates a project's security practices. Its use is suggested by
+# Google's GitHub team. Scorecard's findings are reported in a repo's scanning
+# results page, https://github.com/quantumlib/REPO/security/code-scanning/.
+
+name: Scorecard analysis
+run-name: Run Scorecard scanner for security best practices
+
+on:
+  schedule:
+    # Run weekly on Saturdays.
+    - cron:  '30 9 * * 6'
+
+  pull_request:
+    types: [opened, synchronize]
+    branches:
+      - main
+      - master
+
+  # Support merge queues.
+  merge_group:
+    types:
+      - checks_requested
+
+  # Allow manual invocation.
+  workflow_dispatch:
+    inputs:
+      debug:
+        description: 'Run with debugging options'
+        type: boolean
+        default: true
+
+# Declare default workflow permissions as read only.
+permissions: read-all
+
+concurrency:
+  # Cancel any previously-started but still active runs on the same branch.
+  cancel-in-progress: true
+  group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
+
+jobs:
+  run-scorecard:
+    if: github.repository_owner == 'quantumlib'
+    name: Scorecard analyzer
+    runs-on: ubuntu-24.04
+    permissions:
+      security-events: write
+      id-token: write
+    timeout-minutes: 15
+    steps:
+      - name: Check out a copy of the git repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Run Scorecard analysis
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        with:
+          # Save the results
+          results_file: scorecard-results.sarif
+          results_format: sarif
+          # See https://github.com/ossf/scorecard-action#publishing-results.
+          publish_results: true
+
+      - name: Upload results to code-scanning dashboard
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+        with:
+          sarif_file: scorecard-results.sarif
+
+      - if: github.event.inputs.debug == true
+        name: Upload results as artifacts to the workflow Summary page
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: Scorecard SARIF file
+          path: scorecard-results.sarif
+          retention-days: 5
+
+  # Scorecard currently (ver. 2.4.x) doesn't allow submissions from jobs having
+  # steps that use "run:". To print to the summary, we need to use another job.
+  write-summary:
+    name: Scorecard results
+    needs: run-scorecard
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    steps:
+      - name: Write the Scorecard report page link to the workflow summary
+        run: |
+          repo="${{github.repository}}"
+          url="https://scorecard.dev/viewer/?uri=github.com%2F${repo//\//%2F}"
+          {
+          echo -n "The results are available on the OpenSSF Scorecard "
+          echo "[report page for ${{github.repository}}]($url)."
+          } >> "$GITHUB_STEP_SUMMARY"