fix: add token to scorecards action

2024-06-10 12:49:48 -05:00
parent deedb4de1d
commit cc31941d0d
1 changed files with 9 additions and 2 deletions
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -10,7 +10,7 @@ on:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
-    - cron: '20 7 * * 2'
+    - cron: "20 7 * * 2"
  push:
    branches: ["main"]

@@ -40,6 +40,13 @@ jobs:
        with:
          persist-credentials: false

+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1
+        with:
+          app-id: ${{ vars.DOCKER_READ_APP_ID }}
+          private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }}
+
      - name: "Run analysis"
        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
        with:
@@ -49,7 +56,7 @@ jobs:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecards on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          repo_token: ${{ steps.app-token.outputs.token }}

          # Public repositories:
          #   - Publish results to OpenSSF REST API for easy access by consumers