From 1bb0ea82f32b73befdde8a4160b311d50d94d9c4 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 30 May 2026 18:10:18 +0100 Subject: [PATCH] ci(scorecard-enforcer): split score-threshold from publish job Replace local copy with the post-#304 standards template. The pre-fix shape has the OSSF publish contract violation: webapp: scorecard job must only have steps with uses Post-fix shape: - `scorecard` job: uses-only (now includes upload-artifact for SARIF hand-off) - `check-score` job: `needs: scorecard`, downloads artifact, runs threshold gate Caught 49 estate repos on the 2026-05-30 audit. Detector: hypatia rule WF014. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/scorecard-enforcer.yml | 48 +++++++++++++++++++++--- 1 file changed, 42 insertions(+), 6 deletions(-) diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml index c0fe267..75e2385 100644 --- a/.github/workflows/scorecard-enforcer.yml +++ b/.github/workflows/scorecard-enforcer.yml @@ -9,34 +9,70 @@ on: - cron: '0 6 * * 1' # Weekly on Monday workflow_dispatch: -permissions: read-all +# Estate guardrail: cancel superseded runs so re-pushes / rebased PR +# updates do not pile up queued runs against the shared account-wide +# Actions concurrency pool. Applied only to read-only check workflows +# (no publish/mutation), so cancelling a superseded run is always safe. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read jobs: + # The OSSF Scorecard publish endpoint enforces a hard contract: the job that + # runs `ossf/scorecard-action` with `publish_results: true` must contain + # ONLY steps with `uses:` (no `run:` steps in the same job). If a `run:` + # step is present, the publish step fails with: + # "webapp: scorecard job must only have steps with uses" + # (49 estate repos hit this; see ROADMAP audit 2026-05-30.) + # + # Fix: split the threshold check into a downstream job that depends on + # `scorecard` and consumes the SARIF artifact. The `scorecard` job stays + # uses-only; `check-score` is the gating job that emits the error. scorecard: runs-on: ubuntu-latest permissions: security-events: write id-token: write # For OIDC steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Run Scorecard - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: results.sarif results_format: sarif publish_results: true - name: Upload SARIF - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3 + uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v4 with: sarif_file: results.sarif + - name: Persist SARIF for downstream score-gate job + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: scorecard-results + path: results.sarif + retention-days: 1 + + check-score: + needs: scorecard + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Download SARIF from scorecard job + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v5.0.0 + with: + name: scorecard-results + - name: Check minimum score run: | - # Parse score from results SCORE=$(jq -r '.runs[0].tool.driver.properties.score // 0' results.sarif 2>/dev/null || echo "0") echo "OpenSSF Scorecard Score: $SCORE" @@ -53,7 +89,7 @@ jobs: check-critical: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Check SECURITY.md exists run: |