ci: add scorecard-monitor integration with results file

justaugustus · claude · justaugustus · commit 0977e0bfe251 · 2026-03-28T07:35:22.000-04:00
Update the Allstar workflow to: - Use the results-json-output branch (includes SARIF upload + results file output) - Pass -results-file to produce Scorecard JSON v2 output - Add a monitor job that feeds the results into scorecard-monitor for dashboard reporting The monitor job uses scorecard-monitor's results-path input (ossf/scorecard-monitor#90) to consume Allstar's output and generate a Markdown report with score history. Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Stephen Augustus <foo@auggie.dev>
diff --git a/.github/workflows/allstar.yml b/.github/workflows/allstar.yml
@@ -26,7 +26,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: ossf/allstar
-          ref: evidence-upload
+          ref: results-json-output
           persist-credentials: false
       - name: Setup Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
@@ -45,7 +45,7 @@ jobs:
           APP_ID: ${{ vars.APP_ID }}
           PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
         run: |
-          ./allstar -once -policy "OpenSSF Scorecard" 2> "$ARTIFACT_DIR/allstar.log" | tee "$ARTIFACT_DIR/allstar.out"
+          ./allstar -once -policy "OpenSSF Scorecard" -results-file "$ARTIFACT_DIR/results.json" 2> "$ARTIFACT_DIR/allstar.log" | tee "$ARTIFACT_DIR/allstar.out"
           if [ -s "$ARTIFACT_DIR/allstar.log" ]; then
             echo "==== Errors ===="
             cat "$ARTIFACT_DIR/allstar.log"
@@ -56,3 +56,26 @@ jobs:
         with:
           name: allstar-scan
           path: ${{ env.ARTIFACT_DIR }}
+
+  monitor:
+    runs-on: ubuntu-latest
+    needs: scan
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout this repo
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Download scan artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: allstar-scan
+          path: ${{ env.ARTIFACT_DIR }}
+      - name: OpenSSF Scorecard Monitor
+        uses: ossf/scorecard-monitor@local-results # TODO: pin to release once merged
+        with:
+          results-path: ${{ env.ARTIFACT_DIR }}/results.json
+          database: reporting/database.json
+          report: reporting/scorecard-report.md
+          auto-commit: true
+          auto-push: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
