Uptake Scorecard workflow

.github/workflows/CreateBuildTag.yaml

@@ -8,13 +8,14 @@ on:
 
 run-name: "[${{ github.ref_name }}] Create build tag"
 
-permissions:
-  contents: write
+permissions: read-all
 
 jobs:
   CreateTag:
     if: github.event.workflow_run.conclusion == 'success'
     runs-on: windows-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/MSDO.yml

@@ -6,14 +6,15 @@ on:
   pull_request:
     branches: [ "main", "releases/*" ]
 
-permissions:
-  id-token: write # This is required for federation to Defender for DevOps
-  security-events: write # This is required to upload SARIF files
+permissions: read-all
 
 jobs:
   MSDO:
     name: Run Microsoft Security DevOps Analysis
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # This is required for federation to Defender for DevOps
+      security-events: write # This is required to upload SARIF files
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

.github/workflows/UpdateBCArtifactVersion.yaml

@@ -9,6 +9,8 @@ defaults:
   run:
     shell: powershell
 
+permissions: read-all
+
 jobs:
   GetBranches:
     name: Get Branches
@@ -28,6 +30,7 @@ jobs:
           $branchMatrix = "[$($branches -join ',')]"
           Write-Host "Updating branches: $branchMatrix"
           Add-Content -Path $env:GITHUB_OUTPUT -Value "UpdateBranches=$branchMatrix"
+
   UpdateBCArtifactVersion:
     name: "[${{ matrix.branch }}] Update BC Artifact Version"
     permissions:

.github/workflows/UpdatePackageVersions.yaml

@@ -9,6 +9,8 @@ defaults:
   run:
     shell: powershell
 
+permissions: read-all
+
 jobs:
   GetBranches:
     name: Get Branches

.github/workflows/powershell.yaml

@@ -12,12 +12,13 @@ on:
 
 permissions:
   contents: read
-  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
 
 jobs:
   build:
     name: PSScriptAnalyzer
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
     steps:
       - uses: actions/checkout@v4
 

.github/workflows/scorecard-analysis.yml

@@ -0,0 +1,33 @@
+name: Scorecard analysis
+on:
+  workflow_dispatch:
+  schedule:
+    # Weekly on Monday at 08:00 UTC
+    - cron: "0 8 * * 1"
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Needed for Code scanning upload
+      id-token: write # Needed for GitHub OIDC token if publish_results is true
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@83a02f7883b12e0e4e1a146174f5e2292a01e601 # v2.16.4
+        with:
+          sarif_file: results.sarif