workflows: fix up OpenSSF Scorecard workflow (#7631)

* workflows: fix up OpenSSF Scorecard workflow Signed-off-by: Patrick Stephens <pat@calyptia.com> * workflows: add optional PAT Signed-off-by: Patrick Stephens <pat@calyptia.com> --------- Signed-off-by: Patrick Stephens <pat@calyptia.com>
fluent · Jun 30, 2023 · be8a701 · be8a701
1 parent b266d46
commit be8a701
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/.github/workflows/cron-scorecards-analysis.yaml b/.github/workflows/cron-scorecards-analysis.yaml
@@ -20,9 +20,8 @@ jobs:
  permissions:
  # Needed to upload the results to code-scanning dashboard.
  security-events: write
- actions: read
- contents: read
-
+ # Needed for GitHub OIDC token if publish_results is true
+ id-token: write
  steps:
  - name: "Checkout code"
  uses: actions/checkout@v3
@@ -34,9 +33,11 @@ jobs:
  with:
  results_file: scorecard-results.sarif
  results_format: sarif
- # Read-only PAT token. To create it,
- # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
- repo_token: ${{ secrets.SCORECARD_READ_TOKEN || github.token }}
+ # (Optional) fine-grained personal access token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional.
+ repo_token: ${{ secrets.SCORECARD_TOKEN }}
+ #
  # Publish the results for public repositories to enable scorecard badges. For more details, see
  # https://github.com/ossf/scorecard-action#publishing-results.
  # For private repositories, `publish_results` will automatically be set to `false`, regardless