Schedule only, no PR. Minor updates to scorecard

Signed-off-by: Nigel Jones <[email protected]>

.github/workflows/scorecard.yml

@@ -3,16 +3,16 @@ name: Scorecard supply-chain security
 permissions: read-all
 
 on:
-  # For Branch-Protection check. Only the default branch is supported. See
-  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
-  branch_protection_rule: # To guarantee Maintained check is occasionally updated. See
+  branch_protection_rule:
+    # To guarantee Maintained check is occasionally updated. See
+    # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
 
-  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
     - cron: '29 9 * * 4'
   push:
     branches: [ "main" ]
-  pull_request:
+  # Enable for testing only 
+  #pull_request:
 
 
 jobs:
@@ -52,7 +52,7 @@ jobs:
           # For private repositories:
           #   - `publish_results` will always be set to `false`, regardless
           #     of the value entered here.
-          publish_results: false
+          publish_results: true
 
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
@@ -61,9 +61,9 @@ jobs:
         with:
           name: SARIF file
           path: results.sarif
-          retention-days: 5
+          retention-days: 28
       # Upload the results to GitHub's code scanning dashboard.
-      #- name: "Upload to code-scanning"
-      #  uses: github/codeql-action/upload-sarif@e949a1676c32f4c215780f7429eb9f00ff18b225 # pin@v2
-      #  with:
-      #    sarif_file: results.sarif
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # pin@v3
+        with:
+          sarif_file: results.sarif