From 33378199db9892566ccd5988ac1070d75cdf2ac8 Mon Sep 17 00:00:00 2001
From: Gabriela Gutierrez <gabigutierrez@google.com>
Date: Wed, 10 Jan 2024 01:03:13 -0300
Subject: [PATCH] Add scorecard analysis tool (#103)

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
---
 .github/scorecard.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .github/scorecard.yml

diff --git a/.github/scorecard.yml b/.github/scorecard.yml
new file mode 100644
index 0000000..b3bf728
--- /dev/null
+++ b/.github/scorecard.yml
@@ -0,0 +1,31 @@
+name: Scorecard supply-chain security
+on:
+  # (Optional) For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  # branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '32 18 * * 0'
+  push:
+    branches: ["main"]
+
+# Declare default permissions as none.
+permissions: {}
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+    uses: sigstore/community/.github/workflows/reusable-scorecard.yml@d0c95c8803672313d0bf72e1a44021be5b583c24 # main
+    # (Optional) Disable publish results:
+    # with:
+    #   publish_results: false
+
+    # (Optional) Enable Branch-Protection check:
+    # secrets:
+    #   scorecard_token: ${{ secrets.SCORECARD_TOKEN }}