Organization-wide Workflow Add Instructions

README.md

@@ -50,7 +50,7 @@ To install the Scorecards GitHub Action, you need to:
 
 4. (Optional) If you install Scorecard on a repository owned by an organization that uses [SAML SSO](https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on), be sure to [enable SSO](https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on) for your PAT token.
 
-### Workflow Setup
+### Workflow Setup - Single Repository
 1) From your GitHub project's main page, click “Security” in the top ribbon. 
 
 ![image](/images/install01.png)
@@ -75,6 +75,18 @@ Then click "Add More Scanning Tools."
 
 ![image](/images/install04.png)
 
+### Workflow Setup - Organization Wide
+To add the Scorecard workflow to every repository under an organization, use the multi-repo-action tool [multi-repo-action](https://github.com/ossf/scorecard-action/tree/main/multi-repo-action) tool.
+Follow these steps:
+1) `git clone ` scorecard-action & `cd multi-repo-action`
+2) Create an organization Personal Access Token with the same scopes defined [above](#authentication) and set it as an organization secret on GitHub
+3) Create another Personal Access Token with the following scopes:
+    - `repo > public_repo`
+    - `admin:org > read:org`
+4) Set the parameters in `org-workflow-add.go ` using the token from step 3
+5) Run ` go run org-workflow-add.go`
+
+
 ## View Results
 
 To view a list of results from each Scorecards Action run, go to the Security tab and click "Code Scanning Alerts." Click on the individual alerts for more information, including remediation instructions. You will need to click "Show more" to expand the full remediation instructions.