(feat): Mago initial add (#1929) #216

	name: OSSF Scorecard

	on:
	push:
	branches:
	- main
	schedule:
	- cron: "17 0 * * 1" # once a week
	workflow_dispatch:

	permissions: read-all

	jobs:
	analysis:
	runs-on: ubuntu-latest
	permissions:
	# Needed for Code scanning upload
	security-events: write
	# Needed for GitHub OIDC token if publish_results is true
	id-token: write
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false

	- uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
	with:
	results_file: results.sarif
	results_format: sarif
	publish_results: true
	# file_mode is needed in this repo because .gitattributes excludes the .github directory
	# (see https://github.com/ossf/scorecard/issues/4679#issuecomment-3013550752)
	file_mode: git

	# Upload the results as artifacts (optional). Commenting out will disable
	# uploads of run results in SARIF format to the repository Actions tab.
	# https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
	- name: "Upload artifact"
	uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
	with:
	name: SARIF file
	path: results.sarif
	retention-days: 5

	# Upload the results to GitHub's code scanning dashboard (optional).
	# Commenting out will disable upload of results to your repo's Code Scanning dashboard
	- name: "Upload to code-scanning"
	uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v4.34.0
	with:
	sarif_file: results.sarif

Provide feedback