Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

Merging this PR will not alter performance

✅ 16 untouched benchmarks

_{Comparing ossf-scorecord (05134fc) with main (5812053)}

Greptile Summary

This PR adds a new GitHub Actions workflow (.github/workflows/scorecard.yml) to integrate the OpenSSF Scorecard supply-chain security scanner, which periodically evaluates the repository's security posture and uploads results to GitHub Code Scanning (SARIF).

Positive aspects:

• All third-party actions are pinned to full SHA hashes — excellent supply-chain hygiene.
• persist-credentials: false is correctly set on checkout.
• Follows the branch_protection_rule + schedule + push-to-default-branch trigger pattern recommended by OpenSSF.

Issues found:

• The job-level permissions block omits contents: read and actions: read. When job-level permissions are specified explicitly, all unspecified scopes are set to none, overriding the top-level read-all. The ossf/scorecard-action needs contents: read to run most checks, and github/codeql-action/upload-sarif needs actions: read to upload results. The comment labelling these as "private repo only" is incorrect per the official template.

Confidence Score: 3/5

The workflow will likely run with degraded or no results due to missing required permissions; needs a one-line fix before it works correctly.

There is a clear P1 defect: the job-level permissions override read-all and drop contents: read and actions: read, which are required by the scorecard action and SARIF upload step for all repository types. The fix is straightforward, but the workflow as written will not produce complete scorecard results.

.github/workflows/scorecard.yml — job-level permissions block needs contents: read and actions: read added.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Events
    participant Runner as ubuntu-latest Runner
    participant Checkout as actions/checkout
    participant Scorecard as ossf/scorecard-action
    participant Artifact as actions/upload-artifact
    participant CodeScanning as github/codeql-action/upload-sarif

    GH->>Runner: Trigger workflow
    Runner->>Checkout: Checkout code (persist-credentials: false)
    Checkout-->>Runner: Repository contents
    Runner->>Scorecard: Run scorecard analysis
    Scorecard-->>Runner: results.sarif
    Runner->>Artifact: Upload results.sarif (retention: 5 days)
    Runner->>CodeScanning: Upload results.sarif to Code Scanning

_{Reviews (1): Last reviewed commit: "Create scorecard.yml" | Re-trigger Greptile}