OSS Scorecard Results Check #3
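# Gates on the OSSF Scorecard score for one library: after the 'OSS Scorecard'
# workflow completes, compare the score with THRESHOLD, write a small CTRF-style
# report, and notify Slack when the score is below the threshold.
name: OSS Scorecard Results Check

on:
  push:
    branches:
      - 'post-scorecard-check'
  workflow_dispatch:
  # workflow_run jobs run with this repository's secrets available, regardless
  # of what triggered the upstream run, so every step below must execute only
  # trusted code.
  # NOTE(review): 'completed' fires on any conclusion; if the upstream run failed,
  # the results read here may be stale - consider checking
  # github.event.workflow_run.conclusion.
  workflow_run:
    workflows: ['OSS Scorecard']
    types:
      - completed

env:
  SLACK_CHANNEL: '#ci-chart-gate'
  AG_LIBRARY: charts
  THRESHOLD: 7.5
  REPORT_FILE: ./ctrf-report.json

# Read-only token on every scope.
# NOTE(review): if getAndCheckResults.mjs needs nothing beyond the checked-out
# files, narrow this further (e.g. `contents: read`) - confirm what it calls.
permissions: read-all

jobs:
  check_results:
    name: Scorecard Results Check
    runs-on: ubuntu-latest
    steps:
      # No `ref:` override: on workflow_run this checks out the default branch,
      # not the head of the run that triggered it, so the script and the local
      # Slack action used below come from reviewed code. Keep it that way while
      # this job holds SLACK_BOT_OAUTH_TOKEN.
      # NOTE(review): tag refs are mutable; pin to a full commit SHA, e.g.
      # actions/checkout@<FULL_COMMIT_SHA> # v4 (placeholder). Scorecard's own
      # Pinned-Dependencies check looks for this.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1 # shallow copy

      # continue-on-error keeps the job green when the score is below the
      # threshold; the step's `outcome` still records the failure and is what
      # the notification step keys on.
      # NOTE(review): pin to a full commit SHA, e.g.
      # actions/github-script@<FULL_COMMIT_SHA> # v7 (placeholder).
      - name: 'Check Results'
        id: check_results
        uses: actions/github-script@v7
        continue-on-error: true
        with:
          result-encoding: string
          script: |
            const fs = require('fs');

            async function exec() {
              // NOTE(review): require() of an .mjs file only works when the Node
              // runtime bundled with github-script supports require(esm) -
              // confirm, or load the module with dynamic import().
              const {
                belowThreshold
              } = require('./external/ag-shared/scripts/ossf-scorecard/getAndCheckResults.mjs');

              // process.env values are strings, so THRESHOLD arrives as '7.5';
              // presumably belowThreshold parses it - verify against the helper.
              const result = await belowThreshold(
                process.env.AG_LIBRARY,
                process.env.THRESHOLD
              );

              // NOTE(review): CTRF summaries normally carry integer counts; here
              // passed/failed take whatever truthy/falsy value belowThreshold
              // returned - confirm the Slack action accepts that.
              const passed = !result;
              const failed = result;
              const skipped = 0;
              const report = { results: { summary: { failed, passed, skipped } } };

              // Read the path from the environment instead of splicing a
              // ${{ }} expression into the script text: expression values are
              // substituted before the script is parsed, so they become code.
              fs.writeFileSync(process.env.REPORT_FILE, JSON.stringify(report));

              // Exit with a numeric code to signal step success/failure to GitHub Actions
              process.exit(result ? 1 : 0);
            }

            await exec();

      # The check step uses continue-on-error, so its failure never changes the
      # job status and failure() stays false; test the step's raw outcome
      # instead, otherwise this notification is never sent for a low score.
      # NOTE(review): this workflow has no pull_request trigger, so the
      # github.event_name == 'pull_request' branch cannot match as written.
      - name: Slack Notification
        if: steps.check_results.outcome == 'failure' && (github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request')
        uses: ./external/ag-shared/github/actions/slack-integration
        with:
          AG_LIBRARY: ${{ env.AG_LIBRARY }}
          CTRF_REPORT_FILE: ${{ env.REPORT_FILE }}
          SLACK_BOT_OAUTH_TOKEN: ${{ secrets.SLACK_BOT_OAUTH_TOKEN }}
          SLACK_CHANNEL: ${{ env.SLACK_CHANNEL }}
          IS_SUCCESS: ${{ steps.check_results.outcome != 'failure' }}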