From b317b543cc236c952629b2cbbae25852a16bbfce Mon Sep 17 00:00:00 2001
From: Myron Marston
Date: Fri, 6 Dec 2024 20:33:29 -0800
Subject: [PATCH 1/2] Update GitHub workflows.

I've adapted a couple recommended workflows from https://github.com/block/example-jvm-maven (`scorecard.yaml` and `security.yaml`) and renamed `push_gem.yaml` to `release.yaml`.
---
 .../workflows/{push_gem.yaml => release.yaml} | 4 +--
 .github/workflows/scorecard.yaml | 26 +++++++++++++++++++
 .github/workflows/security.yaml | 22 ++++++++++++++++
 3 files changed, 50 insertions(+), 2 deletions(-)
 rename .github/workflows/{push_gem.yaml => release.yaml} (95%)
 create mode 100644 .github/workflows/scorecard.yaml
 create mode 100644 .github/workflows/security.yaml

diff --git a/.github/workflows/push_gem.yaml b/.github/workflows/release.yaml
similarity index 95%
rename from .github/workflows/push_gem.yaml
rename to .github/workflows/release.yaml
index 0924b72f..a139d094 100644
--- a/.github/workflows/push_gem.yaml
+++ b/.github/workflows/release.yaml
@@ -1,5 +1,5 @@
 # This workflow was generated by https://github.com/rubygems/configure_trusted_publisher
-name: Push Gem
+name: Release
 
 on:
   workflow_dispatch:
@@ -84,7 +84,7 @@ jobs:
           branch: release-v${{ inputs.version }}
           title: "Release v${{ inputs.version }}"
           body: |
-            - [ ] Confirm the [push-gem action](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) succeeded before merging
+            - [ ] Confirm the [release action](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) succeeded before merging
             - [ ] Confirm this version bump should be merged into [${{ github.ref_name }}](https://github.com/${{ github.repository }}/tree/${{ github.ref_name }}) or change the base branch
             - [ ] Review and edit the [GitHub Draft Release](https://github.com/${{ github.repository }}/releases) (can be done after this PR is merged)
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
new file mode 100644
index 00000000..7e724f73
--- /dev/null
+++ b/.github/workflows/scorecard.yaml
@@ -0,0 +1,26 @@
+name: Open Source Security Foundation Scorecard
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+
+  # Manual trigger
+  workflow_dispatch:
+
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: "0 5 * * 1"
+  push:
+    branches: ["main"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  ossf:
+    uses: block/ospo/.github/workflows/scorecard.yml@main
+    secrets: inherit
+    permissions:
+      security-events: write
+      id-token: write
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
new file mode 100644
index 00000000..d1c65f97
--- /dev/null
+++ b/.github/workflows/security.yaml
@@ -0,0 +1,22 @@
+name: Security and License Scans
+
+on:
+  pull_request_target:
+    branches:
+      - main
+
+  push:
+    branches:
+      - main
+
+  # Run every day at 5am UTC
+  schedule:
+    - cron: "0 5 * * *"
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  security-license-scan:
+    uses: block/ospo/.github/workflows/security.yml@main
+    secrets: inherit

From 2786c873c31bbe6ea0e5ce1d6d22d35445f69c9d Mon Sep 17 00:00:00 2001
From: Myron Marston
Date: Fri, 6 Dec 2024 22:52:30 -0800
Subject: [PATCH 2/2] [temp] enable new workflows on `pull_request` so I can see them run before merging.

---
 .github/workflows/scorecard.yaml | 1 +
 .github/workflows/security.yaml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
index 7e724f73..42486207 100644
--- a/.github/workflows/scorecard.yaml
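Review bot: The `ossf` job at the end of the hunk calls `block/ospo/.github/workflows/scorecard.yml@main`, a mutable branch reference, while also passing `secrets: inherit` and granting `security-events: write` and `id-token: write`, so whatever that branch contains at run time receives this repository's secrets and OIDC identity. Pinning the reusable workflow to a full commit SHA, with the version in a trailing comment, bounds that trust to reviewed code and is also what Scorecard's own Pinned-Dependencies check looks for; the same applies to the `security.yml@main` reference in the security.yaml hunk of this patch. Suggested form: `uses: block/ospo/.github/workflows/scorecard.yml@<full-commit-sha>  # <tag-or-date>`. If the organisation deliberately tracks `main` so that fixes roll out centrally, a comment on the `uses:` line saying so would help the next reader.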
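Review bot: This workflow declares no top-level `permissions:` block, unlike scorecard.yaml in the same patch, so the called workflow runs under the repository's default `GITHUB_TOKEN` permissions rather than an explicit minimum; adding `permissions: read-all` at the top and declaring any write scopes the called workflow actually needs on the `security-license-scan` job, as scorecard.yaml does, would make the grant visible and reviewable. Separately, the `pull_request_target:` trigger on `main` runs in the base repository's context with access to its secrets, and `secrets: inherit` forwards all of them to `block/ospo/.github/workflows/security.yml@main`; that combination is safe only if the called workflow never checks out and executes code from the PR head, which cannot be verified from this diff. Worth confirming against the called workflow and, if it does need to scan PR code, preferring a plain `pull_request:` trigger (no secrets, read-only token) for fork PRs. The exact permission set the reusable workflow needs is not visible here, so `read-all` is a starting point rather than a confirmed minimum.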
+++ b/.github/workflows/scorecard.yaml
@@ -1,5 +1,6 @@
 name: Open Source Security Foundation Scorecard
 on:
+  pull_request:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
   branch_protection_rule:
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index d1c65f97..19ba4752 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -1,6 +1,7 @@
 name: Security and License Scans
 
 on:
+  pull_request:
   pull_request_target:
     branches:
       - main
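Review bot: The `pull_request:` trigger added under `on:` has no `branches:` filter, unlike the `push:` trigger elsewhere in this file, so it fires for PRs against any branch; the same unfiltered trigger is added in the security.yaml hunk of this patch, where it also sits beside `pull_request_target:` for `main`, so every PR to `main` would run that scan twice (once in the PR's read-only context, once in the base context with secrets). Since the commit message marks this as temporary, the main risk is that it is merged as-is; a `# TODO: remove before merge` comment on the added line keeps the intent visible through a squash. If the trigger is meant to stay, filter it like the existing ones: `pull_request:` with a nested `branches: ["main"]`. Also note that, as far as I know, `pull_request` runs for PRs from forks receive no repository secrets and no OIDC token, so `secrets: inherit` and the `id-token: write` grant in scorecard.yaml would not be honoured for those runs.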