From 6dea8a1aa4fa8f602d9fbe89c9f49eff8480324f Mon Sep 17 00:00:00 2001 From: Amit Kumar Date: Thu, 23 Apr 2026 04:40:29 +0000 Subject: [PATCH] ci(scorecard): trigger after release completion, not every main push MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Adds workflow_run: on release completion → scorecard scans the fresh release artifacts right after they land, so Signed-Releases and Packaging checks see current state. - Adds workflow_dispatch for manual re-scans. - Removes push:branches:[main] — most commits don't change scorecard- visible state; scanning on every merge just burned runner time and published stale reports. - Keeps the weekly Monday schedule as a backstop. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/scorecard.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 56d026e..b239ea4 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -1,11 +1,20 @@ name: scorecard +# Triggers: +# - workflow_run on completed 'release' runs → scan fresh release assets +# - weekly schedule (Mondays, 06:00 UTC) → backstop against drift +# - branch_protection_rule changes → re-score when policy moves +# - manual workflow_dispatch → on-demand +# Not on every main push — most commits don't change release/scorecard-visible +# state, so we were burning runner time publishing stale results. on: + workflow_run: + workflows: [release] + types: [completed] branch_protection_rule: schedule: - cron: '0 6 * * 1' - push: - branches: [main] + workflow_dispatch: permissions: read-all
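Review bot: The `workflow_run` trigger with `types: [completed]` fires for every terminal conclusion of the `release` workflow, including `failure` and `cancelled`, so a broken release run would still kick off a scorecard scan and publish a report against whatever assets happen to be current; gate the job with a conclusion check, e.g. `if: ${{ github.event.workflow_run.conclusion == 'success' }}` on the scanning job, so only completed releases are scored. Also note that `workflows: [release]` matches the triggering workflow's `name:` field, not its filename; if the release workflow's `name:` differs from `release`, this trigger will silently never fire, which is worth confirming before the `push: branches: [main]` trigger is removed, and worth stating in the header comment alongside the existing `# Triggers:` list.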