👷 support for OpenSSF Scorecard (#23)

👷 support for OpenSSF Scorecard

💬 updated community health pages

Author: gimlichael

.github/workflows/pipelines.yml

@@ -3,10 +3,19 @@ on:
   pull_request:
     branches: [main]
     paths-ignore:
-      - .codecov
-      - .docfx
-      - .github
-      - .nuget
+      - .codecov/**
+      - .docfx/**
+      - .github/**
+      - .nuget/**
+      - '**.md'
+  push:
+    branches: [main]
+    paths-ignore:
+      - .codecov/**
+      - .docfx/**
+      - .github/**
+      - .nuget/**
+      - '**.md'
   workflow_dispatch:
     inputs:
       configuration:

.github/workflows/scorecard.yml

@@ -0,0 +1,42 @@
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '45 17 * * 2'
+  push:
+    branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@v2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@4
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

README.md

@@ -2,7 +2,7 @@
 
 # Extensions for xUnit API by Codebelt
 
-[![xUnit Ext. CI/CD Pipeline](https://github.com/codebeltnet/xunit/actions/workflows/pipelines.yml/badge.svg)](https://github.com/codebeltnet/xunit/actions/workflows/pipelines.yml) [![codecov](https://codecov.io/gh/codebeltnet/xunit/graph/badge.svg?token=BN2UhFM3bb)](https://codecov.io/gh/codebeltnet/xunit) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=alert_status)](https://sonarcloud.io/dashboard?id=xunit) [![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=sqale_rating)](https://sonarcloud.io/dashboard?id=xunit) [![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=reliability_rating)](https://sonarcloud.io/dashboard?id=xunit) [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=security_rating)](https://sonarcloud.io/dashboard?id=xunit)
+[![xUnit Ext. CI/CD Pipeline](https://github.com/codebeltnet/xunit/actions/workflows/pipelines.yml/badge.svg)](https://github.com/codebeltnet/xunit/actions/workflows/pipelines.yml) [![codecov](https://codecov.io/gh/codebeltnet/xunit/graph/badge.svg?token=BN2UhFM3bb)](https://codecov.io/gh/codebeltnet/xunit) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=alert_status)](https://sonarcloud.io/dashboard?id=xunit) [![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=sqale_rating)](https://sonarcloud.io/dashboard?id=xunit) [![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=reliability_rating)](https://sonarcloud.io/dashboard?id=xunit) [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=security_rating)](https://sonarcloud.io/dashboard?id=xunit) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/codebeltnet/xunit/badge)](https://scorecard.dev/viewer/?uri=github.com/codebeltnet/xunit)
 
 An open-source project (MIT license) that targets and complements the [xUnit.net](https://xunit.net/) test platform. It provides a uniform and convenient way of doing unit test for all project types in .NET.