Skip to content

Commit

Permalink
Complete the list of required actions (#1044)
Browse files Browse the repository at this point in the history
Signed-off-by: Rob Bos <rajbos@users.noreply.github.com>

Signed-off-by: Rob Bos <rajbos@users.noreply.github.com>
  • Loading branch information
rajbos authored Dec 16, 2022
1 parent be62ea8 commit 813a825
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,11 @@ Starting from scorecard-action:v2, `GITHUB_TOKEN` permissions or job permissions
`id-token: write` for `publish_results: true`. This is needed to access GitHub's
OIDC token which verifies the authenticity of the result when publishing it.

scorecard-action:v2 has a new requirement for the job running the ossf/scorecard-action step. The step running this job must belong to this approved list of GitHub actions:
scorecard-action:v2 has a new requirement for the job running the ossf/scorecard-action step. The steps running in this job must belong to this approved list of GitHub actions:
- "actions/checkout"
- "actions/upload-artifact"
- "github/codeql-action/upload-sarif"
- "ossf/scorecard-action"

If you are using custom steps in the job, it may fail.
We understand that this is restrictive, but currently it's necessary to ensure the integrity of the results that we publish, since GitHub workflow steps run in the same environment as the job they belong to.
Expand Down

0 comments on commit 813a825

Please sign in to comment.