Configure OpenSSF Scorecard's `Pinned-Dependencies` check to block CI

OpenSSF Scorecard is [configured on this repository](https://github.com/google/zerocopy/blob/1552df2cd5f093c0f4d69de352fb642b1c42be3f/.github/workflows/scorecard.yml), but it only runs periodically and generates reports like this one (inserting screen shots since these alerts are not publicly viewable):

<img width="936" alt="Screenshot 2024-08-08 at 8 33 31 AM" src="https://github.com/user-attachments/assets/c0b1fb0d-e402-4f6a-ba1b-526a29d0c947">

<img width="1247" alt="Screenshot 2024-08-08 at 8 34 01 AM" src="https://github.com/user-attachments/assets/ffc37216-d556-4a91-8a3c-8aad85a81183">

It would be better if we could block PRs if they fail this check.

## Mentoring instructions

*Interested in contributing? See our [contributing guide](https://github.com/google/zerocopy/discussions/1318).*

- [ ] Figure out how to run the [Pinned-Dependency](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) check [in CI](https://github.com/google/zerocopy/blob/1552df2cd5f093c0f4d69de352fb642b1c42be3f/.github/workflows/ci.yml)
- [ ] Ensure all dependencies reported by this check are pinned



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Configure OpenSSF Scorecard's `Pinned-Dependencies` check to block CI #1579

joshlf
openedon Aug 8, 2024

Mentoring instructions

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Configure OpenSSF Scorecard's Pinned-Dependencies check to block CI #1579

Description

joshlfopenedon Aug 8, 2024