
fix: scorecard publish_results=false; add SECURITY.md #37

Merged
ms280690 merged 3 commits into main from issue-29-scorecard-publish-fix on Jun 1, 2026

Conversation

@ms280690
Collaborator

Problem

The OpenSSF Scorecard job failed on the first run after merge with:

error sending scorecard results to webapp: workflow verification failed:
workflow has no job that calls ossf/scorecard-action

Root cause: the scorecard webapp verifies that the calling workflow directly invokes ossf/scorecard-action as a job step. Because we wrap it in a composite action (uses: ./.github/actions/scorecard), the webapp can't see the direct call and rejects publication with a 400.

This is a fundamental architectural constraint — composite action wrapping and publish_results: true are incompatible.

Fix

  • Change publish_results default to false in the composite action
  • Update description to document the constraint and workaround
  • Add > Note block to README explaining the limitation

Bonus: SECURITY.md

Scorecard Security-Policy check scored 0/10 because no SECURITY.md existed. Added one with:

  • Email + HTTPS contact (satisfies linking requirement)
  • Free-form disclosure text (satisfies text requirement)
  • vuln/disclos/timeline keywords (satisfies specific-text requirement)

Expected improvement: Security-Policy 0 → 10, overall score 7.0 → ~7.5+

Scorecard score from first run (7.0/10)

| Check | Score | Note |
| --- | --- | --- |
| Dependency-Update-Tool | 10 | ✅ |
| Binary-Artifacts | 10 | ✅ |
| Pinned-Dependencies | 10 | ✅ |
| Dangerous-Workflow | 10 | ✅ |
| Token-Permissions | 10 | ✅ |
| Maintained | 10 | ✅ |
| License | 10 | ✅ |
| Vulnerabilities | 10 | ✅ |
| Code-Review | 2 | single maintainer |
| SAST | 2 | zizmor not recognised by scorecard; CodeQL/SonarCloud only |
| Security-Policy | 0 | → fixed by this PR |
| Branch-Protection | -1 | GITHUB_TOKEN can't read classic branch protection; needs admin PAT |
| CII-Best-Practices | 0 | manual badge application |
| Fuzzing | 0 | N/A |

🤖 Generated with Claude Code

ms280690 and others added 2 commits May 29, 2026 11:38
scorecard/action.yml:
- Change publish_results default from true to false. The scorecard webapp
  verifies the calling workflow directly invokes ossf/scorecard-action as
  a job step; composite action wrapping hides that call so publication
  always fails with 400 "workflow has no job that calls ossf/scorecard-action".
  SARIF still uploads to GitHub Security tab. Callers wanting public database
  publication must call ossf/scorecard-action directly.
- Update description to document the architectural constraint.

README.md:
- Add note explaining the publish_results composite-action limitation with
  workaround instructions.

SECURITY.md:
- Add security policy satisfying scorecard Security-Policy check criteria:
  email contact, HTTPS URL, free-form disclosure text, vuln/disclosure
  keywords, 30/90-day timeline.
- Improves scorecard Security-Policy score from 0 → expected 10.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

The .github/** paths filter caused CI to skip on doc/README-only pushes.
This improves the SAST and CI-Tests scorecard checks, which require CI to run
on every commit to main to score higher. Remove the filter so all pushes
trigger the full job matrix.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ms280690 self-assigned this on May 29, 2026
…hen publish_results warning

ci.yml:
- Remove id-token: write from scorecard job — publish_results defaults to false,
  no OIDC token is ever consumed; permission was dangling over-privilege
- Simplify scorecard if: condition — github.ref == 'refs/heads/main' already
  excludes PRs (they use refs/pull/*/merge), making the event_name check redundant

scorecard/action.yml:
- Remove id-token: write from required permissions in description
- Upgrade publish_results warning from NOTE to WARNING with explicit HTTP 400
  error message; input retained for callers who read docs but footgun is clear

README.md:
- Remove id-token: write from scorecard example and prose
- Update table row: publish_results default was incorrectly shown as true
- Warn callers explicitly that setting publish_results: true always fails

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
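The constraint described in the PR body and the permission trimming in the last commit are easier to see side by side. The workflow below is an added illustration, not the project's own ci.yml or its composite action: it shows the wrapped call (publication off, no OIDC token) next to the direct call, which is the only shape the Scorecard webapp accepts for publish_results: true. Job names, the cron schedule, the results file name and the @vN tags on actions/checkout, ossf/scorecard-action and github/codeql-action/upload-sarif are assumptions; the repository scores 10/10 on Pinned-Dependencies, so it pins actions to commit SHAs and those tags should be replaced accordingly before reuse.

```yaml
# Added illustration, not the project's workflow. Two ways to run Scorecard
# in the same repository; pick one depending on whether results must be
# published to the public Scorecard database.
#
# Assumptions (not from the PR page): job names, the cron schedule, the
# results file name, and the @vN tags. The project's own workflow pins
# actions to commit SHAs; replace the tags with SHAs before copying this.
name: scorecard

on:
  push:
    branches: [main]
  schedule:
    - cron: '30 3 * * 1'   # assumed weekly rescan

# Default to read-only at the top level; each job widens only what it needs.
permissions: read-all

jobs:
  # (a) Through the repository's composite wrapper. After this PR
  # publish_results defaults to false, so no OIDC token is requested and
  # id-token: write is not granted. The webapp would see no direct
  # ossf/scorecard-action step in this job and reject publication with 400.
  scorecard-wrapped:
    if: github.ref == 'refs/heads/main'   # refs/pull/*/merge never matches
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # SARIF upload to the Security tab still works
      actions: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ./.github/actions/scorecard
        # publish_results left at its new default (false); setting it to
        # true here always fails with
        # "workflow has no job that calls ossf/scorecard-action"

  # (b) Direct call: the only job shape the Scorecard webapp verifies for
  # publish_results: true. This is the one job that needs id-token: write.
  scorecard-published:
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      actions: read
      id-token: write          # OIDC token consumed by the publish step
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

The split keeps id-token: write scoped to the single job whose step actually redeems the OIDC token; granting it to the wrapped job, as the workflow did before the third commit, is a dangling permission that nothing consumes.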
ms280690 merged commit 415f1c0 into main on Jun 1, 2026
8 checks passed