From 813a8251528830defc8d1d9e3b20ba7640225d7d Mon Sep 17 00:00:00 2001 From: Rob Bos Date: Fri, 16 Dec 2022 17:55:56 +0100 Subject: [PATCH] Complete the list of required actions (#1044) Signed-off-by: Rob Bos Signed-off-by: Rob Bos --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7c495069..11b9b3c8 100644 --- a/README.md +++ b/README.md @@ -12,10 +12,11 @@ Starting from scorecard-action:v2, `GITHUB_TOKEN` permissions or job permissions `id-token: write` for `publish_results: true`. This is needed to access GitHub's OIDC token which verifies the authenticity of the result when publishing it. -scorecard-action:v2 has a new requirement for the job running the ossf/scorecard-action step. The step running this job must belong to this approved list of GitHub actions: +scorecard-action:v2 has a new requirement for the job running the ossf/scorecard-action step. The steps running in this job must belong to this approved list of GitHub actions: - "actions/checkout" - "actions/upload-artifact" - "github/codeql-action/upload-sarif" +- "ossf/scorecard-action" If you are using custom steps in the job, it may fail. We understand that this is restrictive, but currently it's necessary to ensure the integrity of the results that we publish, since GitHub workflow steps run in the same environment as the job they belong to.