From 7e6de1df29a595510cb5f3ac3b61b35db2cf70d8 Mon Sep 17 00:00:00 2001 From: Rohan Khandelwal Date: Fri, 11 Feb 2022 12:23:47 -0800 Subject: [PATCH 1/4] test action --- action.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/action.yaml b/action.yaml index 0054f557..1144d9b1 100644 --- a/action.yaml +++ b/action.yaml @@ -44,3 +44,4 @@ runs: using: "docker" image: "./Dockerfile" + From 0e1a899cdfe1f3ce45cdef383ba1de758e35a3e6 Mon Sep 17 00:00:00 2001 From: Rohan Khandelwal Date: Sun, 20 Mar 2022 19:54:44 -0700 Subject: [PATCH 2/4] instructions for org wide workflow add --- README.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a49bee71..f5044ce4 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,7 @@ To install the Scorecards GitHub Action, you need to: 4. (Optional) If you install Scorecard on a repository owned by an organization that uses [SAML SSO](https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on), be sure to [enable SSO](https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on) for your PAT token. -### Workflow Setup +### Workflow Setup - Single Repository 1) From your GitHub project's main page, click “Security” in the top ribbon. ![image](/images/install01.png) 
@@ -75,6 +75,17 @@ Then click "Add More Scanning Tools." ![image](/images/install04.png) +### Workflow Setup - Organization Wide +The scorecard workflow can be automatically added to every repository under an organization using the [multi-repo-action](https://github.com/ossf/scorecard-action/tree/main/multi-repo-action) tool. +1) `git clone ` this repository & `cd multi-repo-action` +2) Create an organization Personal Access Token with the same scopes defined [above](#authentication) and set it as an organization secret on GitHub +3) Create another Personal Access Token with the following scopes: + - `repo > public_repo` + - `admin:org > read:org` +4) Set the parameters in `org-workflow-add.go ` using the token from step #3 +5) Run ` go run org-workflow-add.go` + + ## View Results To view a list of results from each Scorecards Action run, go to the Security tab and click "Code Scanning Alerts." Click on the individual alerts for more information, including remediation instructions. You will need to click "Show more" to expand the full remediation instructions. From 4faf86c25caf1617cb8ddd9f5164d0f99ac2cfc6 Mon Sep 17 00:00:00 2001 From: Rohan Khandelwal Date: Sun, 20 Mar 2022 19:57:03 -0700 Subject: [PATCH 3/4] fixed link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f5044ce4..6b12cd55 100644 --- a/README.md +++ b/README.md @@ -82,7 +82,7 @@ The scorecard workflow can be automatically added to every repository under an o 3) Create another Personal Access Token with the following scopes: - `repo > public_repo` - `admin:org > read:org` -4) Set the parameters in `org-workflow-add.go ` using the token from step #3 +4) Set the parameters in `org-workflow-add.go ` using the token from step 3 5) Run ` go run org-workflow-add.go` From 3973e3cccdf44a9d556fb8f924c78e5a76fdfb95 Mon Sep 17 00:00:00 2001 
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Mon, 25 Jul 2022 11:28:23 -0500 Subject: [PATCH 4/4] Updated codereview comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6b12cd55..9ec7e917 100644 --- a/README.md +++ b/README.md @@ -76,8 +76,9 @@ Then click "Add More Scanning Tools." ![image](/images/install04.png) ### Workflow Setup - Organization Wide -The scorecard workflow can be automatically added to every repository under an organization using the [multi-repo-action](https://github.com/ossf/scorecard-action/tree/main/multi-repo-action) tool. -1) `git clone ` this repository & `cd multi-repo-action` +To add the Scorecard workflow to every repository under an organization, use the multi-repo-action tool [multi-repo-action](https://github.com/ossf/scorecard-action/tree/main/multi-repo-action) tool. +Follow these steps: +1) `git clone ` scorecard-action & `cd multi-repo-action` 2) Create an organization Personal Access Token with the same scopes defined [above](#authentication) and set it as an organization secret on GitHub 3) Create another Personal Access Token with the following scopes: - `repo > public_repo`
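Review bot: The only change in the `action.yaml` hunk of PATCH 1/4 is a blank line appended after `image: "./Dockerfile"`; with the commit subject "test action" this reads as a leftover experiment rather than an intended change, and the trailing blank line will trip yamllint's `empty-lines`/`new-line-at-end-of-file` checks. Drop or squash this commit before merging.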
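Review bot: Renaming the heading from `### Workflow Setup` to `### Workflow Setup - Single Repository` in the first `README.md` hunk of PATCH 2/4 changes its generated anchor (`#workflow-setup` becomes `#workflow-setup---single-repository`), so any existing in-page or external links to `#workflow-setup` break. Please grep the repository docs for the old anchor and update them, or keep the old heading text and add the qualifier in the body.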
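Review bot: In the "Workflow Setup - Organization Wide" hunk of PATCH 2/4, step 4 tells the reader to "Set the parameters in `org-workflow-add.go `" using the token from step 3, which instructs users to paste a Personal Access Token into a source file that is tracked by git; a token committed by accident ends up in history and has to be revoked. Have the tool read the token from an environment variable (for example the `GITHUB_TOKEN` name GitHub's own tooling uses) and document that instead. Two smaller points in the same hunk: step 2 sets a PAT as an organization secret, and the text should say that an organization secret is readable by workflows in every repository it is exposed to, so the token should carry only the scopes listed under `#authentication`; and the code spans `` `git clone ` ``, `` `org-workflow-add.go ` `` and `` ` go run org-workflow-add.go` `` contain stray spaces, with `git clone` missing the URL to clone.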
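Review bot: The `README.md` hunk in PATCH 3/4 only changes "step #3" to "step 3"; a one-character wording fix like this should be squashed into PATCH 2/4 rather than carried as a separate commit titled "fixed link" (the hunk does not touch a link). While editing this line, also remove the trailing space inside `` `org-workflow-add.go ` ``, which the hunk leaves in place.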
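Review bot: The rewritten sentence in the `README.md` hunk of PATCH 4/4 reads "use the multi-repo-action tool [multi-repo-action](...) tool.", repeating "tool" on both sides of the link; suggest "use the [multi-repo-action](https://github.com/ossf/scorecard-action/tree/main/multi-repo-action) tool." The new step 1, "`git clone ` scorecard-action & `cd multi-repo-action`", still has the stray space inside the code span and still gives no clone URL; spell out the full command, e.g. `git clone https://github.com/ossf/scorecard-action && cd scorecard-action/multi-repo-action`, since `multi-repo-action` is a subdirectory of the cloned repository, not its root.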