Use a fine-grained PAT in scorecard.yml

For additional checks in the scorecard, such as branch protection checks.
author: Darius Jahandarie <djahandarie@gmail.com> 2023-08-20 11:21:42 +0900
committer: GitHub <noreply@github.com> 2023-08-20 11:21:42 +0900
commit: dea8898c9dbfefde038c1648580efd25f974126f (patch)
tree: ec87c13347f7d6a55add48d9e8520b80e2e3c9fe /.github/workflows
parent: 51f0f0c4d1828a4cf715269feeae879fe610f204 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 21927f18..cb9db177 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -16,6 +16,7 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecard analysis
+    environment: scorecard
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload the results to code-scanning dashboard.
@@ -41,7 +42,7 @@ jobs:
           # - you want to enable the Branch-Protection check on a *public* repository, or
           # - you are installing Scorecard on a *private* repository
           # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
 
           # Public repositories:
           #   - Publish results to OpenSSF REST API for easy access by consumers
author	Darius Jahandarie <djahandarie@gmail.com>	2023-08-20 11:21:42 +0900
committer	GitHub <noreply@github.com>	2023-08-20 11:21:42 +0900
commit	dea8898c9dbfefde038c1648580efd25f974126f (patch)
tree	ec87c13347f7d6a55add48d9e8520b80e2e3c9fe /.github/workflows
parent	51f0f0c4d1828a4cf715269feeae879fe610f204 (diff)