Add scorecard-enforcer.yml prevention workflow

hyperpolymath · hyperpolymath · commit 6fc717f0dbf9 · 2025-12-29T17:09:45.000Z
diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
@@ -0,0 +1,72 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Prevention workflow - runs OpenSSF Scorecard and fails on low scores
+name: OpenSSF Scorecard Enforcer
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly on Monday
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  scorecard:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write  # For OIDC
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        with:
+          persist-credentials: false
+
+      - name: Run Scorecard
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3
+        with:
+          sarif_file: results.sarif
+
+      - name: Check minimum score
+        run: |
+          # Parse score from results
+          SCORE=$(jq -r '.runs[0].tool.driver.properties.score // 0' results.sarif 2>/dev/null || echo "0")
+
+          echo "OpenSSF Scorecard Score: $SCORE"
+
+          # Minimum acceptable score (0-10 scale)
+          MIN_SCORE=5
+
+          if [ "$(echo "$SCORE < $MIN_SCORE" | bc -l)" = "1" ]; then
+            echo "::error::Scorecard score $SCORE is below minimum $MIN_SCORE"
+            exit 1
+          fi
+
+  # Check specific high-priority items
+  check-critical:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+
+      - name: Check SECURITY.md exists
+        run: |
+          if [ ! -f "SECURITY.md" ]; then
+            echo "::error::SECURITY.md is required"
+            exit 1
+          fi
+
+      - name: Check for pinned dependencies
+        run: |
+          # Check workflows for unpinned actions
+          unpinned=$(grep -r "uses:.*@v[0-9]" .github/workflows/*.yml 2>/dev/null | grep -v "#" | head -5 || true)
+          if [ -n "$unpinned" ]; then
+            echo "::warning::Found unpinned actions:"
+            echo "$unpinned"
+          fi
