ci: Add scorecard-monitor integration with Allstar results (#78)

justaugustus · claude · web-flow · commit 8954ece288c6 · 2026-03-28T07:44:27.000-04:00
* ci: add scorecard-monitor integration with results file Update the Allstar workflow to: - Use the results-json-output branch (includes SARIF upload + results file output) - Pass -results-file to produce Scorecard JSON v2 output - Add a monitor job that feeds the results into scorecard-monitor for dashboard reporting - Use peter-evans/create-pull-request for human review of report updates (matching bloomberg/.github pattern) The monitor job uses scorecard-monitor's results-path input (ossf/scorecard-monitor#90) to consume Allstar's output and generate a Markdown report with score history. Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Stephen Augustus <foo@auggie.dev> * Apply suggestions from code review Co-authored-by: Stephen Augustus <justaugustus@users.noreply.github.com> Signed-off-by: Stephen Augustus <justaugustus@users.noreply.github.com> --------- Signed-off-by: Stephen Augustus <foo@auggie.dev> Signed-off-by: Stephen Augustus <justaugustus@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/allstar.yml b/.github/workflows/allstar.yml
@@ -26,7 +26,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: ossf/allstar
-          ref: evidence-upload
+          ref: results-json-output
           persist-credentials: false
       - name: Setup Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
@@ -45,7 +45,7 @@ jobs:
           APP_ID: ${{ vars.APP_ID }}
           PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
         run: |
-          ./allstar -once -policy "OpenSSF Scorecard" 2> "$ARTIFACT_DIR/allstar.log" | tee "$ARTIFACT_DIR/allstar.out"
+          ./allstar -once -policy "OpenSSF Scorecard" -results-file "$ARTIFACT_DIR/results.json" 2> "$ARTIFACT_DIR/allstar.log" | tee "$ARTIFACT_DIR/allstar.out"
           if [ -s "$ARTIFACT_DIR/allstar.log" ]; then
             echo "==== Errors ===="
             cat "$ARTIFACT_DIR/allstar.log"
@@ -56,3 +56,40 @@ jobs:
         with:
           name: allstar-scan
           path: ${{ env.ARTIFACT_DIR }}
+
+  monitor:
+    runs-on: ubuntu-latest
+    needs: scan
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout this repo
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Download scan artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: allstar-scan
+          path: ${{ env.ARTIFACT_DIR }}
+      - name: OpenSSF Scorecard Monitor
+        uses: ossf/scorecard-monitor@local-results # TODO: pin to release once merged
+        id: scorecard-monitor
+        with:
+          results-path: ${{ env.ARTIFACT_DIR }}/results.json
+          database: reports/database.json
+          report: reports/scorecard-report.md
+          auto-commit: false
+          auto-push: false
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: Update Scorecard Monitor report
+          title: Update Scorecard Monitor report
+          body: Automated Scorecard report update from Allstar scan.
+          base: main
+          branch: scorecard-report-update
+          delete-branch: true
