From 1a7f124d928661df6039cb24a3551ca55c51fbf2 Mon Sep 17 00:00:00 2001 From: Rob Bos Date: Fri, 16 Dec 2022 13:52:04 +0100 Subject: [PATCH] Complete the list of required actions Signed-off-by: Rob Bos --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7c495069..11b9b3c8 100644 --- a/README.md +++ b/README.md @@ -12,10 +12,11 @@ Starting from scorecard-action:v2, `GITHUB_TOKEN` permissions or job permissions `id-token: write` for `publish_results: true`. This is needed to access GitHub's OIDC token which verifies the authenticity of the result when publishing it. -scorecard-action:v2 has a new requirement for the job running the ossf/scorecard-action step. The step running this job must belong to this approved list of GitHub actions: +scorecard-action:v2 has a new requirement for the job running the ossf/scorecard-action step. The steps running in this job must belong to this approved list of GitHub actions: - "actions/checkout" - "actions/upload-artifact" - "github/codeql-action/upload-sarif" +- "ossf/scorecard-action" If you are using custom steps in the job, it may fail. We understand that this is restrictive, but currently it's necessary to ensure the integrity of the results that we publish, since GitHub workflow steps run in the same environment as the job they belong to.