36 changes: 29 additions & 7 deletions .github/workflows/scorecard-enforcer.yml
Expand Up @@ -54,13 +54,16 @@ jobs:
with:
sarif_file: results.sarif

# Gate on the aggregate score. The score is NOT present in the SARIF output
# (the previous `jq '.runs[0].tool.driver.properties.score'` always returned
# null → 0 → this gate failed on every push regardless of the real posture).
# The aggregate score only exists in scorecard's JSON output, so run the
# action here with `results_format: json` (and `publish_results: false`, so
# this job needs no OIDC/id-token) and read `.score`.
check-score:
# Compute the aggregate score in its OWN uses-only job. The score is NOT in
# the SARIF output (`jq '.runs[0].tool.driver.properties.score'` always
# returned null → 0 → this gate failed on every push regardless of the real
# posture); it only exists in scorecard's JSON output. scorecard-action and a
# `run:` step must never share a job (OSSF publish contract — see #304, and
# hypatia `scorecard_publish_with_run_step`), so this job stays uses-only and
# hands the JSON to check-score via an artifact. `publish_results: false`
# means this run neither publishes nor needs OIDC (the `scorecard` job above
# owns publishing).
compute-score:
timeout-minutes: 20
needs: scorecard
runs-on: ubuntu-latest
Expand All @@ -78,6 +81,25 @@ jobs:
results_format: json
publish_results: false

- name: Persist score JSON for the gate job
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: scorecard-score-json
path: results.json
retention-days: 1

check-score:
timeout-minutes: 10
needs: compute-score
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Download score JSON
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v5.0.0
with:
name: scorecard-score-json

- name: Check minimum score
run: |
SCORE=$(jq -r '.score // 0' results.json 2>/dev/null || echo "0")
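Review bot: In the `Check minimum score` step, `2>/dev/null || echo "0"` folds "results.json missing or not parseable" into a score of 0, so a broken upload/download path (wrong artifact name, changed extraction directory, empty file) fails the gate with the same message as a genuinely low score and nothing in the log says which it was. The gate still fails closed, which is right, but it should fail loudly on the infrastructure case before comparing: `test -f results.json || { echo "::error::results.json not found - artifact download failed?"; exit 1; }` and then `SCORE=$(jq -er '.score' results.json) || { echo "::error::no .score field in results.json"; exit 1; }`. The `run:` block and its threshold comparison continue past the end of this hunk, so the comparison itself is not visible here; if it uses shell integer arithmetic, note that scorecard's aggregate score is a decimal and will need a `jq`/`bc`-style compare rather than `-ge`. The `compute-score` job's `permissions:` block is in the collapsed region between the two hunks, so the least-privilege claim in the new comment could not be checked from this view.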