Skip to content

Add Scorecard supply-chain security workflow#5810

Merged
jamadeo merged 1 commit intomainfrom
jackamadeo/ossf-scorecard
Dec 16, 2025
Merged

Add Scorecard supply-chain security workflow#5810
jamadeo merged 1 commit intomainfrom
jackamadeo/ossf-scorecard

Conversation

@jamadeo
Copy link
Collaborator

@jamadeo jamadeo commented Nov 19, 2025

Straight from the template

@jamadeo jamadeo requested review from DOsinga and Copilot November 19, 2025 15:46
Copilot AI reviewed Nov 19, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds a GitHub Actions workflow for Scorecard supply-chain security scanning. Scorecard is an OSSF tool that assesses repository security practices and provides actionable recommendations.

Key changes:

  • Adds automated security scanning workflow that runs on branch protection changes, weekly schedule, and main branch pushes
  • Configures SARIF results upload to GitHub's code scanning dashboard for security insights
  • Implements pinned action versions using commit SHAs for supply-chain security

.github/workflows/scorecard.yml
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@v3
Copy link

Copilot AI Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The codeql-action should be pinned to a specific commit SHA like the other actions in this workflow (actions/checkout and ossf/scorecard-action), rather than using a mutable tag reference. This ensures supply-chain security by preventing unexpected changes from tag updates.

Suggested change
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@e5b6e7e2e3e2e2b6e2e2e2e2e2e2e2e2e2e2e2e2 # v3.24.0

Copilot uses AI. Check for mistakes.
@github-actions
Copy link
Contributor

github-actions bot commented Dec 13, 2025

This pull request has been automatically marked as stale because it has not had recent activity for 23 days.

What happens next?

  • If no further activity occurs, this PR will be automatically closed in 7 days
  • To keep this PR active, simply add a comment, push new commits, or add the keep-open label
  • If you believe this PR was marked as stale in error, please comment and we'll review it

Thank you for your contribution! 🚀

@github-actions github-actions bot added the stale label Dec 13, 2025
@jamadeo jamadeo merged commit 4f681c7 into main Dec 16, 2025
22 checks passed
@jamadeo jamadeo deleted the jackamadeo/ossf-scorecard branch December 16, 2025 14:24
aharvard added a commit that referenced this pull request Dec 16, 2025
@aharvard
Merge remote-tracking branch 'origin/main' into feat/add-mcp-app-rend…
d0a30a1 
…erer

* origin/main: (26 commits)
  Don't persist ephemeral extensions when resuming sessions (#5974)
  chore(deps): bump mdast-util-to-hast from 13.2.0 to 13.2.1 in /ui/desktop (#5939)
  chore(deps): bump node-forge from 1.3.1 to 1.3.2 in /documentation (#5898)
  Add Scorecard supply-chain security workflow (#5810)
  Don't show subagent tool when we're a subagent (#6125)
  Fix keyboard shortcut conflict for Focus Goose Window (#5809)
  feat(goose-cli): add feature to disable update (#5886)
  workflow: enable docs-update-recipe-ref (#6132)
  fix: filter tools in Ollama streaming when chat mode is enabled (#6118)
  feat(mcp): platform extension for "code mode" MCP tool calling (#6030)
  workflow: auto-update recipe-reference on release (#5988)
  Document recipe slash commands feature (#6075)
  docs: add GitHub Copilot device flow authentication details (#6123)
  Disallow subagents with no extensions (#5825)
  chore(deps): bump js-yaml in /documentation (#6093)
  feat: external goosed server (#5978)
  fix: Make datetime info message more explicit to prevent LLM confusion about current year (#6101)
  refactor: unify subagent and subrecipe tools into single tool (#5893)
  goose repo is too big for the issue solver workflow worker (#6099)
  fix: use system not developer role in db (#6098)
  ...
zanesq added a commit that referenced this pull request Dec 16, 2025
@zanesq
Merge branch 'main' of github.com:block/goose into zane/working-dir
b3278b5 
* 'main' of github.com:block/goose: (22 commits)
  OpenRouter & Xai streaming (#5873)
  fix: resolve mcp-hermit cleanup path expansion issue (#5953)
  feat: add goose PR reviewer workflow (#6124)
  perf: Avoid repeated MCP queries during streaming responses (#6138)
  Fix YAML serialization for recipes with special characters (#5796)
  Add more posthog analytics (privacy aware) (#6122)
  docs: add Sugar MCP server to extensions registry (#6077)
  Fix tokenState loading on new sessions (#6129)
  bump bedrock dep versions (#6090)
  Don't persist ephemeral extensions when resuming sessions (#5974)
  chore(deps): bump mdast-util-to-hast from 13.2.0 to 13.2.1 in /ui/desktop (#5939)
  chore(deps): bump node-forge from 1.3.1 to 1.3.2 in /documentation (#5898)
  Add Scorecard supply-chain security workflow (#5810)
  Don't show subagent tool when we're a subagent (#6125)
  Fix keyboard shortcut conflict for Focus Goose Window (#5809)
  feat(goose-cli): add feature to disable update (#5886)
  workflow: enable docs-update-recipe-ref (#6132)
  fix: filter tools in Ollama streaming when chat mode is enabled (#6118)
  feat(mcp): platform extension for "code mode" MCP tool calling (#6030)
  workflow: auto-update recipe-reference on release (#5988)
  ...

# Conflicts:
#	ui/desktop/src/App.tsx
#	ui/desktop/src/api/sdk.gen.ts
#	ui/desktop/src/components/ChatInput.tsx
#	ui/desktop/src/components/recipes/RecipesView.tsx
zanesq added a commit that referenced this pull request Dec 16, 2025
@zanesq
Merge branch 'main' of github.com:block/goose into zane/request-param…
d79adad 
…s-predefined-models

* 'main' of github.com:block/goose: (81 commits)
  fix: display shell output as static text instead of spinner (#6041)
  fix : Custom providers with empty API keys show as configured in desktop (#6105)
  Add .agents/skills and ~/.config/agent/skills to skills discovery paths (#6139)
  fix: use instructions for system prompt and prompt for user message in subagents (#6121)
  Fix compaction loop for small models or large input (#5803)
  feat: Centralize theme management with ThemeContext (#6137)
  OpenRouter & Xai streaming (#5873)
  fix: resolve mcp-hermit cleanup path expansion issue (#5953)
  feat: add goose PR reviewer workflow (#6124)
  perf: Avoid repeated MCP queries during streaming responses (#6138)
  Fix YAML serialization for recipes with special characters (#5796)
  Add more posthog analytics (privacy aware) (#6122)
  docs: add Sugar MCP server to extensions registry (#6077)
  Fix tokenState loading on new sessions (#6129)
  bump bedrock dep versions (#6090)
  Don't persist ephemeral extensions when resuming sessions (#5974)
  chore(deps): bump mdast-util-to-hast from 13.2.0 to 13.2.1 in /ui/desktop (#5939)
  chore(deps): bump node-forge from 1.3.1 to 1.3.2 in /documentation (#5898)
  Add Scorecard supply-chain security workflow (#5810)
  Don't show subagent tool when we're a subagent (#6125)
  ...

# Conflicts:
#	crates/goose/src/providers/formats/databricks.rs
@github-actions github-actions bot mentioned this pull request Dec 19, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@michaelneale michaelneale michaelneale approved these changes

@DOsinga DOsinga Awaiting requested review from DOsinga

Assignees

No one assigned

Labels

stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jamadeo @michaelneale