Run scorecards only on pushes to main. (#2546)

* Run scorecards only on pushes to main. This is to prevent the workflow from failing when running in branches with no previous data to compare. It also adds the scorecard badge to the README file. * Add timeout and run_if to ci_yaml_roller.
2025-06-28 22:02:38 +08:00 · 2022-09-02 11:23:41 -07:00
parent fa9b71a3da
commit 84d89af228
3 changed files with 6 additions and 4 deletions
--- a/.ci.yaml
+++ b/.ci.yaml
@ -76,3 +76,6 @@ targets:

  - name: Linux ci_yaml packages roller
    recipe: infra/ci_yaml
+    timeout: 30
+    runIf:
+      - .ci.yaml
--- a/.github/workflows/scorecards-analysis.yml
+++ b/.github/workflows/scorecards-analysis.yml
@ -1,9 +1,8 @@
 name: Scorecards supply-chain security
 on:
-  # Only the default branch is supported.
-  branch_protection_rule:
  push:
-    branches: [ main ]
+    branches:
+    - main

 # Declare default permissions as read only.
 permissions: read-all
--- a/README.md
+++ b/README.md
@ -2,7 +2,7 @@

 [![Build Status](https://api.cirrus-ci.com/github/flutter/packages.svg)](https://cirrus-ci.com/github/flutter/packages/main)
 [![Release Status](https://github.com/flutter/packages/actions/workflows/release.yml/badge.svg)](https://github.com/flutter/packages/actions/workflows/release.yml)
-
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/flutter/packages/badge)]
 This repo is a companion repo to the main [flutter repo](
 https://github.com/flutter/flutter). It contains the source code for Flutter's
 first-party packages (i.e., packages developed by the core Flutter team).