// Copyright 2020 OpenSSF Scorecard Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package cmd implements Scorecard commandline.
package cmd

import (
	"encoding/json"
	"fmt"
	"io"
	"regexp"
	"strings"

✨ add --nuget package manager flag (#3020)
* add nuget package manager
Signed-off-by: Avishay <avishay.balter@gmail.com>
* fix pat test messages (#2987)
* also fix pat tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0
Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0)
---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump cloud.google.com/go/bigquery from 1.51.1 to 1.51.2 (#2984)
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.51.1 to 1.51.2.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.51.1...bigquery/v1.51.2)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.0 to 0.9.1
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.0 to 0.9.1.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.0...v0.9.1)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :bug: Update osv-scanner dependency to include Vulnerabilities check fixes (#2981)
* Update osv-scanner dependency to include Vulnerabilities check fixes
Signed-off-by: Laurent Savaëte <laurent@where.tf>
* Run go mod tidy
Signed-off-by: Laurent Savaëte <laurent@where.tf>
---------
Signed-off-by: Laurent Savaëte <laurent@where.tf>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/docker/distribution in /tools (#2993)
Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible.
- [Release notes](https://github.com/docker/distribution/releases)
- [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2)
---
updated-dependencies:
- dependency-name: github.com/docker/distribution
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🌱 Gitlab: e2e test fixes in main (#2992)
* test secret changes
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update score
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* address cr comments
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests log/log.go (#2980)
- Add unit tests for the log package
- Add Apache License to log_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/cloudflare/circl in /tools (#2995)
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.2.0 to 1.3.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.2.0...v1.3.3)
---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :sparkles: Add releasing workflow for semantic-release (#2989)
Signed-off-by: Matt Travi <programmer@travi.org>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0
Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/slsa-framework/slsa-verifier/releases)
- [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md)
- [Commits](https://github.com/slsa-framework/slsa-verifier/compare/v2.2.0...v2.3.0)
---
updated-dependencies:
- dependency-name: slsa-framework/slsa-verifier
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#2994)
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3)
---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)
* :seedling: Additional e2e clients/githubrepo/checkruns.go
- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Based on code review comments
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Some tweaks
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: E2E for clients/githubrepo/contributors.go (#2939)
* :seedling: E2E for clients/githubrepo/contributors.go
- Add an end-to-end test for `contributorsHandler`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed based on code review comments.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed codereview comment.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: Clarify that AI/ML doesn't count as human code review (#2953)
* Clarify that AI/ML doesn't count as human code review
Add this clarification per the Scorecards Zoom call meeting today
(2023-05-04).
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
* Tweaked per review
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
---------
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/controller
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/worker
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e`
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/webhook
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Clarify AI/ML not human code review - in .yml file (#3012)
This clarifies that AI/ML doesn't count as human code review.
This was earlier done in #2953 but that didn't modify the relevant
.yml file - this does.
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005)
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0)
---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for checks/raw/maintained.go (#2996)
- Add tests and checks for the `Maintained` function
- Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/894ff025c7b54547a9a2a1e9f228beae737ad3c2...eaaf4bedf32dbdc6b720b63067d99c4d77d6047d)
---
updated-dependencies:
- dependency-name: codecov/codecov-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for Policy.go (#3003)
- Included tests for policy.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/204a51a57a74d190b284a0ce69b44bc37201f343...03d0fecf172873164a163bbc64bed0f3bf114ed7)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/go-containerregistry (#3025)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2)
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Included e2e tests for push to main (#2951)
- Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Included directories that don't require coverage (#3002)
- Included directories that don't require coverage.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for checks/raw/contributors.go (#2998)
- Add tests and fix casing for Contributors function in checks/raw/contributors_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ GitLab: Code Review check (#2764)
* Add GitLab support for Code-Review check
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove spurious printf
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* e2e test
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update: test coverage
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* gitlab: license check (#2834)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031)
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/osv-scanner
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/commits/v1.3.3)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/03d0fecf172873164a163bbc64bed0f3bf114ed7...dd6b2e2b610a11fd73dd187a43d57cc1394e35f9)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump arduino/setup-protoc from 1.1.2 to 1.2.0
Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/64c0c85d18e984422218383b81c52f8b077404d3...4b3578161eece2eb20a9dfd84bb8ed105e684dba)
---
updated-dependencies:
- dependency-name: arduino/setup-protoc
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :sparkles: Add support for github GHES (#2999)
* :sparkles: adding support for github GHES
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: lint and cleanup
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: flaky test
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: address missing host
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: lint error
Signed-off-by: Niket Patel <patelniket@gmail.com>
* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)
* :seedling: Additional e2e clients/githubrepo/checkruns.go
- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Based on code review comments
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Some tweaks
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniket@gmail.com>
* :seedling: E2E for clients/githubrepo/contributors.go (#2939)
* :seedling: E2E for clients/githubrepo/contributors.go
- Add an end-to-end test for `contributorsHandler`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed based on code review comments.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed codereview comment.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniket@gmail.com>
* chore: add GHES instructions
Signed-off-by: Niket Patel <patelniket@gmail.com>
* refact: use test setenv
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: corp unit test
Signed-off-by: Niket Patel <patelniket@gmail.com>
---------
Signed-off-by: Niket Patel <patelniket@gmail.com>
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniketm@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Change Facilitators to Maintainers (#3039)
Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS.
Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder.
Signed-off-by: Jeff Mendoza <jlm@jlm.name>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :bug: Gitlab: Commit/Committer Exceptions (#3026)
* feat: Added paging for contributor/users against gitlab projects
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated the bot flag for unmatched users
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Not all commit users are in the git registry instance
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char.
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Updated to allow for commits with PRs to be accounted/added to the client.commits
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated to prevent linting issue regarding nested if's
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Adding coverage for commits and contributors for gitlab
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Moved queries from the client to their own functions
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Need to pass the ProjectID value to the contributor query
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updating project title versus projectID values for api querying
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Updated tests to match expected property set for projectID
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* revert: Reverted based on feedback during review
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
---------
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: Make all StepSecurity app endpoint references consistent (#3042)
Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 📖 Update checks.md to show the benefit of >=2 reviewers (#3013)
* Update checks.yaml instead of checks.md
Signed-off-by: Joyce <joycebrum@google.com>
* feat: generate checks.md
Signed-off-by: Joyce Brum <joycebrum@google.com>
---------
Signed-off-by: Joyce <joycebrum@google.com>
Signed-off-by: Joyce Brum <joycebrum@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Improve workflow pinning remediation tests (#3021)
- Add 3 tests for workflow pinning remediation
[remediation/remediations_test.go]
- Add 3 tests for workflow pinning remediation
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go (#3000)
* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go
- Included e2e tests for clients/githubrepo/languages_e2e_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed the token type check.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for pkg/json_raw_results (#3044)
* :seedling: Unit tests for pkg/json_raw_results.go
- Unit tests for pkg/json_raw_results.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Additional tests
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* add zoom link and agenda link (#3050)
Signed-off-by: Amanda L Martin <hythloda@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Run E2E PAT test for push to main (#3046)
- Add E2E PAT tests for push to main.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Update main.yml (#3054)
- Fixed the YAML indenting issue.
Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* only run e2e pat on push (#3056)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: :ghost: fix anchor link to the code review section (#3058)
* fix anchor link to code-review in checks.yaml
Signed-off-by: dasfreak <dasfreak@users.noreply.github.com>
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
* generate checks.md
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
---------
Signed-off-by: dasfreak <dasfreak@users.noreply.github.com>
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 Gitlab: Tests (#3027)
* fix tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* use projectID instead of project where applicable
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* pass ref as listcommitoption
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update tests
* CI-Tests: check if score > 0. pull request client is limited and can't
go back to arbitrary pull requests. CI-Tests don't run on forks, so this
can't be pinned either. But, for active repositories, we typically
expect *some* tests to be run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* fix commitshandler commitSHA tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/goreleaser/nfpm/v2 in /tools (#3060)
Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0.
- [Release notes](https://github.com/goreleaser/nfpm/releases)
- [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml)
- [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0)
---
updated-dependencies:
- dependency-name: github.com/goreleaser/nfpm/v2
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ Gitlab: Add projects to cron (#2936)
* cron: add gitlab projects
* support gitlab client
* simplify gitlab detection
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* fix MakeGitlabRepo
* shortcut when repo url is github.com
* fixes add-projects, validate-projects
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Move gitlab repos to release controller
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add csv headers
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Use gitlab.WithBaseURL
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* formatting & logging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* remove spurious test
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* consolidate logic
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Turn on experimental flag
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add projects
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update client
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Simplify caching in docker workflow (#3061)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...f0e3dfb30302f8a0881bb509b044e0de4f6ef589)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065)
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 gitlab: cron (#3070)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/f0e3dfb30302f8a0881bb509b044e0de4f6ef589...0225834cc549ee0ca93cb085b92954821a145866)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/b2d17f51244a144849c6b37a3a6791b98a51d86f...25eaddf37ae893cec889065e9a60439c8af6f089)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 Gitlab status updates (#3052)
* doc: Updating gitlab support validation status
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updated logic for gitlab to prevent exceptions based on releases
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Added initial tests for gitlab branches
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* doc: Updated general README
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Cleaned up the query for pipelines to be focused on the commitID
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* feat: Allowed for a non-graphql method of retrieving MRs associated to a commit
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* doc: Updated status for the CI-Tests
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository.
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
---------
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079)
Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0.
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0)
---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* get nuget latest version from registration URL
Signed-off-by: Avishay <avishay.balter@gmail.com>
* better coverage
Signed-off-by: Avishay <avishay.balter@gmail.com>
* sign
Signed-off-by: Avishay <avishay.balter@gmail.com>
* fix tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* more tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* client tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* lint
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Apply suggestions from code review
Co-authored-by: Joel Verhagen <joel.verhagen@gmail.com>
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` (#3080)
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/cii
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/controller
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/worker
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/webhook
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/bq
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089)
Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/4b3578161eece2eb20a9dfd84bb8ed105e684dba...149f6c87b92550901b26acd1632e11c3662e381f)
---
updated-dependencies:
- dependency-name: arduino/setup-protoc
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/25eaddf37ae893cec889065e9a60439c8af6f089...cf4fe8759a45edd76ed6215da3529d2dbd2a3c68)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr iteration 2
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr iteration 3
Signed-off-by: Avishay <avishay.balter@gmail.com>
* switch security policy e2e test to ossf-tests repo. (#3090)
tensorflow/tensorflow is huge and was slowing down tests.
Also removed the rust e2e tests because they're already present as unit tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/cf4fe8759a45edd76ed6215da3529d2dbd2a3c68...5978e5a2df95ef20cde627d4acb5edd1f87ba46a)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0)
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.1 to 0.9.2
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ GitLab: enable more checks in cron (#3097)
* Enable checks
* Binary-Artifacts
* Code-Review
* License
* Vulnerabilities
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Enable more checks
* CII Best Practices
* Fuzzing
* Maintained
* Packaging
* Pinned-Dependencies
* Signed-Releases
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update repo name
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: agenda link change (#3111)
Signed-off-by: Amanda L Martin <hythloda@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5978e5a2df95ef20cde627d4acb5edd1f87ba46a...5d2fcdb4cbef720a52f49fd05d8c7edd18a64758)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.2 to 0.9.3
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for option (#3109)
- Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format
- Add tests for checks to run and format flags
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🌱 GitLab: add gitlab auth token to cron worker env (#3117)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Don't run pat e2e on dependabot merges (#3119)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ Detect fast-check PBT library for fuzz section (#3073)
* ✨ Detect fast-check PBT library for fuzz section
As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution.
I also adapted the documentation related to fuzzing accordingly.
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
* Typo
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
* Update missing md files
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
---------
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: temporarily disable failing e2e tests so we don't block all PRs. (#3130)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr comments
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121)
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Ignore all pb files for test (#3127)
- Update .codecov.yml to ignore additional files
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Deprecate dependencydiff package and add access token requirement (#3125)
- Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function
- Add a line to the `.codecov.yml` to ignore the `dependencydiff` package
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ [experimental] Support for new `--format probe` (#3048)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump distroless/base (#3122)
Bumps distroless/base from `10985f0` to `c623859`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Ignore deprecation warning for dependencydiff tests. (#3136)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.15 to 36.0.18
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5d2fcdb4cbef720a52f49fd05d8c7edd18a64758...07e0177b72d3640efced741cae32f9861eee1367)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139)
Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0)
---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Increase test coverage for finding outcomes (#3142)
* Increase test coverage for finding outcomes
- Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Updates based on Codereview
- Update `Outcome` variable in `finding/finding_test.go`
- Add `t.Parallel()` for test parallelization
- Add comparison using `cmp.Diff` to test for mismatches
- Update test cases for various outcomes
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/07e0177b72d3640efced741cae32f9861eee1367...fb20f4d24890fadc539505b1746d260504b213d0)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144)
* re-enable skipped ci test
Signed-off-by: Spencer Schrock <sschrock@google.com>
* re-enable skipped attestor test. switch to ossf-tests repo
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove extra policies from tests that only look at code review.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove unneeded policies from binary artifact tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* add license header
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr comments
Signed-off-by: Avishay <avishay.balter@gmail.com>
* making the packages internal
Signed-off-by: Avishay <avishay.balter@gmail.com>
* generate mocks
Signed-off-by: Avishay <avishay.balter@gmail.com>
---------
Signed-off-by: Avishay <avishay.balter@gmail.com>
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
	ngt "github.com/ossf/scorecard/v4/cmd/internal/nuget"
	pmc "github.com/ossf/scorecard/v4/cmd/internal/packagemanager"
	sce "github.com/ossf/scorecard/v4/errors"
)

var (
	// Matches https://github.com/<owner>/<repo>...; submatch 1 is the owner, 2 the repo.
	githubDomainRegexp = regexp.MustCompile(`^https?://github[.]com/([^/]+)/([^/]+)`)
	// Matches GitHub Pages URLs https://<owner>.github.io/<repo>...; same submatch order.
	githubSubdomainRegexp = regexp.MustCompile(`^https?://([^.]+)[.]github[.]io/([^/]+).*`)
	// Matches https://gitlab.com/<owner>/<repo>...; submatch 1 is the owner, 2 the repo.
	gitlabDomainRegexp = regexp.MustCompile(`^https?://gitlab[.]com/([^/]+)/([^/]+)`)
)

// makeGithubRepo builds a canonical https://github.com/<owner>/<repo> URL from the
// submatches of one of the GitHub regexps above. It returns "" when there is no
// match or when the "owner" is the GitHub Sponsors path, which is not a repository.
func makeGithubRepo(urlAndPathParts []string) string {
	if len(urlAndPathParts) < 3 {
		return ""
	}
	userOrOrg := strings.ToLower(urlAndPathParts[1])
	repoName := strings.TrimSuffix(strings.ToLower(urlAndPathParts[2]), ".git")
	if userOrOrg == "sponsors" {
		return ""
	}
	return fmt.Sprintf("https://github.com/%s/%s", userOrOrg, repoName)
}

// Both GitHub and GitLab are case insensitive (and thus we lowercase those URLs),
// however generic URLs are indeed case sensitive!
var pypiMatchers = []func(string) string{
	func(url string) string {
		return makeGithubRepo(githubDomainRegexp.FindStringSubmatch(url))
	},

	func(url string) string {
		return makeGithubRepo(githubSubdomainRegexp.FindStringSubmatch(url))
	},

	func(url string) string {
		match := gitlabDomainRegexp.FindStringSubmatch(url)
		if len(match) >= 3 {
			return strings.ToLower(fmt.Sprintf("https://gitlab.com/%s/%s", match[1], match[2]))
		}
		return ""
	},
}

// packageMangerResponse carries the result of a package-manager lookup: whether the
// package exists and, if so, the source repository URL associated with it.
type packageMangerResponse struct {
	associatedRepo string
	exists         bool
}
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :bug: Update osv-scanner dependency to include Vulnerabilities check fixes (#2981)
* Update osv-scanner dependency to include Vulnerabilities check fixes
Signed-off-by: Laurent Savaëte <laurent@where.tf>
* Run go mod tidy
Signed-off-by: Laurent Savaëte <laurent@where.tf>
---------
Signed-off-by: Laurent Savaëte <laurent@where.tf>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/docker/distribution in /tools (#2993)
Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible.
- [Release notes](https://github.com/docker/distribution/releases)
- [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2)
---
updated-dependencies:
- dependency-name: github.com/docker/distribution
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🌱 Gitlab: e2e test fixes in main (#2992)
* test secret chagnes
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update score
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* address cr comments
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests log/log.go (#2980)
- Add unit tests for the log package
- Add Apache License to log_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/cloudflare/circl in /tools (#2995)
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.2.0 to 1.3.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.2.0...v1.3.3)
---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :sparkles: Add releasing workflow for semantic-release (#2989)
Signed-off-by: Matt Travi <programmer@travi.org>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0
Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/slsa-framework/slsa-verifier/releases)
- [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md)
- [Commits](https://github.com/slsa-framework/slsa-verifier/compare/v2.2.0...v2.3.0)
---
updated-dependencies:
- dependency-name: slsa-framework/slsa-verifier
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#2994)
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3)
---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)
* :seedling: Additional e2e clients/githubrepo/checkruns.go
- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Based on code review comments
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Some tweaks
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: E2E for clients/githubrepo/contributors.go (#2939)
* :seedling: E2E for clients/githubrepo/contributors.go
- Add an end-to-end test for `contributorsHandler`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed based on code review comments.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed codereview comment.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: Clarify that AI/ML doesn't count as human code review (#2953)
* Clarify that AI/ML doesn't count as human code review
Add this clarification per the Scorecards Zoom call meeting today
(2023-05-04).
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
* Tweaked per review
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
---------
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/controller
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/worker
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e`
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/webhook
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Clarify AI/ML not human code review - in .yml file (#3012)
This clarifies that AI/ML doesn't count as human code review.
This was earlier done in #2953 but that didn't modify the relevant
.yml file - this does.
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005)
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0)
---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for checks/raw/maintained.go (#2996)
- Add tests and checks for the `Maintained` function
- Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/894ff025c7b54547a9a2a1e9f228beae737ad3c2...eaaf4bedf32dbdc6b720b63067d99c4d77d6047d)
---
updated-dependencies:
- dependency-name: codecov/codecov-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for Policy.go (#3003)
- Included tests for policy.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/204a51a57a74d190b284a0ce69b44bc37201f343...03d0fecf172873164a163bbc64bed0f3bf114ed7)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/go-containerregistry (#3025)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2)
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Included e2e tests for push to main (#2951)
- Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Included directories that don't require coverage (#3002)
- Included directories that don't require coverage.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for checks/raw/contributors.go (#2998)
- Add tests and fix casing for Contributors function in checks/raw/contributors_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ GitLab: Code Review check (#2764)
* Add GitLab support for Code-Review check
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove spurious printf
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* e2e test
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update: test coverage
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* gitlab: license check (#2834)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031)
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/osv-scanner
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/commits/v1.3.3)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/03d0fecf172873164a163bbc64bed0f3bf114ed7...dd6b2e2b610a11fd73dd187a43d57cc1394e35f9)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump arduino/setup-protoc from 1.1.2 to 1.2.0
Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/64c0c85d18e984422218383b81c52f8b077404d3...4b3578161eece2eb20a9dfd84bb8ed105e684dba)
---
updated-dependencies:
- dependency-name: arduino/setup-protoc
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :sparkles: Add support for github GHES (#2999)
* :sparkles: adding support for github GHES
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: lint and cleanup
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: flaky test
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: address missing host
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: lint error
Signed-off-by: Niket Patel <patelniket@gmail.com>
* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)
* :seedling: Additional e2e clients/githubrepo/checkruns.go
- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Based on code review comments
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Some tweaks
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniket@gmail.com>
* :seedling: E2E for clients/githubrepo/contributors.go (#2939)
* :seedling: E2E for clients/githubrepo/contributors.go
- Add an end-to-end test for `contributorsHandler`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed based on code review comments.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed codereview comment.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniket@gmail.com>
* chore: add GHES instructions
Signed-off-by: Niket Patel <patelniket@gmail.com>
* refact: use test setenv
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: corp unit test
Signed-off-by: Niket Patel <patelniket@gmail.com>
---------
Signed-off-by: Niket Patel <patelniket@gmail.com>
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniketm@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Change Facilitators to Maintainers (#3039)
Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS.
Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder.
Signed-off-by: Jeff Mendoza <jlm@jlm.name>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :bug: Gitlab: Commit/Commitor Exceptions (#3026)
* feat: Added paging for contributor/users against gitlab projects
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated the bot flag for unmatched users
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Not all commit users are in the git registry instance
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char.
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Updated to allow for commits with PRs to be accounted/added to the client.commits
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated to prevent linting issue regarding nested if's
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Adding coverage for commits and contributors for gitlab
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Moved queries from the client to their own functions
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Need to pass the ProjectID value to the contributor query
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updating project title versus projectID values for api querying
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Updated tests to match expected property set for projectID
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* revert: Reverted based on feedback during review
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
---------
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: Make all StepSecurity app endpoint references consistent (#3042)
Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 📖 Update checks.md to show the benefit of >=2 reviewers (#3013)
* Update checks.yaml instead of cehcks.md
Signed-off-by: Joyce <joycebrum@google.com>
* feat: generate checks.md
Signed-off-by: Joyce Brum <joycebrum@google.com>
---------
Signed-off-by: Joyce <joycebrum@google.com>
Signed-off-by: Joyce Brum <joycebrum@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Improve workflow pinning remediation tests (#3021)
- Add 3 tests for workflow pinning remediation
[remediation/remediations_test.go]
- Add 3 tests for workflow pinning remediation
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go (#3000)
* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go
- Included e2e tests for clients/githubrepo/languages_e2e_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed the token type check.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for pkg/json_raw_results (#3044)
* :seedling: Unit tests for pkg/json_raw_results.go
- Unit tests for pkg/json_raw_results.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Additional tests
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* add zoom link and agenda link (#3050)
Signed-off-by: Amanda L Martin <hythloda@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Run E2E PAT test for push to main (#3046)
- Add E2E PAT tests for push to main.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Update main.yml (#3054)
-Fixed the YAML indenting issue.
Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* only run e2e pat on push (#3056)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: :ghost: fix anchor link to the code review section (#3058)
* fix anchor link to code-review in checks.yaml
Signed-off-by: dasfreak <dasfreak@users.noreply.github.com>
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
* generate checks.md
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
---------
Signed-off-by: dasfreak <dasfreak@users.noreply.github.com>
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 Gitlab: Tests (#3027)
* fix tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* use projectID instead of project where applicable
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* pass ref as listcommitoption
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update tests
* CI-Tests: check if score > 0. pull request client is limited and can't
go back to arbitrary pull requests. CI-Tests don't run on forks, so this
can't be pinned either. But, for active repositories, we typically
expect *some* tests to be run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* fix commitshandler commitSHA tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/goreleaser/nfpm/v2 in /tools (#3060)
Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0.
- [Release notes](https://github.com/goreleaser/nfpm/releases)
- [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml)
- [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0)
---
updated-dependencies:
- dependency-name: github.com/goreleaser/nfpm/v2
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ Gitlab: Add projects to cron (#2936)
* cron: add gitlab projects
* support gitlab client
* simplify gitlab detection
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* fix MakeGitlabRepo
* shortcut when repo url is github.com
* fixes add-projects, validate-projects
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Move gitlab repos to release controller
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add csv headers
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Use gitlab.WithBaseURL
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* formatting & logging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* remove spurious test
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* consolidate logic
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Turn on experimental flag
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add projects
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update client
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Simplify caching in docker workflow (#3061)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...f0e3dfb30302f8a0881bb509b044e0de4f6ef589)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065)
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 gitlab: cron (#3070)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/f0e3dfb30302f8a0881bb509b044e0de4f6ef589...0225834cc549ee0ca93cb085b92954821a145866)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/b2d17f51244a144849c6b37a3a6791b98a51d86f...25eaddf37ae893cec889065e9a60439c8af6f089)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 Gitlab status updates (#3052)
* doc: Updating gitlab support validation status
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updated logic for gitlab to prevent exceptions based on releases
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Added initial tests for gitlab branches
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* doc: Updated general README
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Cleaned up the query for pipelines to be focused on the commitID
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* feat: Allowed for a non-graphql method of retrieving MRs associated to a commit
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* doc: Updated status for the CI-Tests
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository.
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
---------
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079)
Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0.
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0)
---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* get nuget latest version from registration URL
Signed-off-by: Avishay <avishay.balter@gmail.com>
* better coverage
Signed-off-by: Avishay <avishay.balter@gmail.com>
* sign
Signed-off-by: Avishay <avishay.balter@gmail.com>
* fix tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* more tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* client tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* lint
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Apply suggestions from code review
Co-authored-by: Joel Verhagen <joel.verhagen@gmail.com>
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` (#3080)
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/cii
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/controller
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/worker
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/webhook
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/bq
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089)
Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/4b3578161eece2eb20a9dfd84bb8ed105e684dba...149f6c87b92550901b26acd1632e11c3662e381f)
---
updated-dependencies:
- dependency-name: arduino/setup-protoc
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/25eaddf37ae893cec889065e9a60439c8af6f089...cf4fe8759a45edd76ed6215da3529d2dbd2a3c68)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr iteration 2
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr iteration 3
Signed-off-by: Avishay <avishay.balter@gmail.com>
* switch security policy e2e test to ossf-tests repo. (#3090)
tensorflow/tensorflow is huge and was slowing down tests.
Also removed the rust e2e tests because they're already present as unit tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/cf4fe8759a45edd76ed6215da3529d2dbd2a3c68...5978e5a2df95ef20cde627d4acb5edd1f87ba46a)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0)
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.1 to 0.9.2
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ GitLab: enable more checks in cron (#3097)
* Enable checks
* Binary-Artifacts
* Code-Review
* License
* Vulnerabilities
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Enable more checks
* CII Best Practices
* Fuzzing
* Maintained
* Packaging
* Pinned-Dependencies
* Signed-Releases
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update repo name
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: agenda link change (#3111)
Signed-off-by: Amanda L Martin <hythloda@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5978e5a2df95ef20cde627d4acb5edd1f87ba46a...5d2fcdb4cbef720a52f49fd05d8c7edd18a64758)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.2 to 0.9.3
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for option (#3109)
- Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format
- Add tests for checks to run and format flags
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🌱 GitLab: add gitlab auth token to cron worker env (#3117)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Don't run pat e2e on dependabot merges (#3119)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ Detect fast-check PBT library for fuzz section (#3073)
* ✨ Detect fast-check PBT library for fuzz section
As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution.
I also adapted the documentation related to fuzzing accordingly.
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
* Typo
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
* Update missing md files
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
---------
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: temporarily disable failing e2e tests so we don't block all PRs. (#3130)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr comments
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121)
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Ignore all pb files for test (#3127)
- Update .codecov.yml to ignore additional files
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Deprecate dependencydiff package and add access token requirement (#3125)
- Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function
- Add a line to the `.codecov.yml` to ignore the `dependencydiff` package
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ [experimental] Support for new `--format probe` (#3048)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump distroless/base (#3122)
Bumps distroless/base from `10985f0` to `c623859`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Ignore deprecation warning for dependencydiff tests. (#3136)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.15 to 36.0.18
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5d2fcdb4cbef720a52f49fd05d8c7edd18a64758...07e0177b72d3640efced741cae32f9861eee1367)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139)
Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0)
---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Increase test coverage for finding outcomes (#3142)
* Increase test coverage for finding outcomes
- Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Updates based on Codereview
- Update `Outcome` variable in `finding/finding_test.go`
- Add `t.Parallel()` for test parallelization
- Add comparison using `cmp.Diff` to test for mismatches
- Update test cases for various outcomes
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/07e0177b72d3640efced741cae32f9861eee1367...fb20f4d24890fadc539505b1746d260504b213d0)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144)
* re-enable skipped ci test
Signed-off-by: Spencer Schrock <sschrock@google.com>
* re-enable skipped attestor test. switch to ossf-tests repo
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove extra policies from tests that only look at code review.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove unneeded policies from binary artifact tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* add license header
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr comments
Signed-off-by: Avishay <avishay.balter@gmail.com>
* making the packages internal
Signed-off-by: Avishay <avishay.balter@gmail.com>
* generate mocks
Signed-off-by: Avishay <avishay.balter@gmail.com>
---------
Signed-off-by: Avishay <avishay.balter@gmail.com>
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
2023-06-16 02:13:41 +03:00
// fetchGitRepositoryFromPackageManagers resolves the source repository for
// whichever package-manager name was supplied. The flags are checked in a fixed
// order (npm, pypi, rubygems, nuget) and the first non-empty one wins; the
// lookup error, if any, is returned alongside the response.
func fetchGitRepositoryFromPackageManagers(npm, pypi, rubygems, nuget string,
	manager pmc.Client,
) (packageMangerResponse, error) {
	if npm != "" {
		gitRepo, err := fetchGitRepositoryFromNPM(npm, manager)
		return packageMangerResponse{
			exists:         true,
			associatedRepo: gitRepo,
		}, err
	}
	if pypi != "" {
		gitRepo, err := fetchGitRepositoryFromPYPI(pypi, manager)
		return packageMangerResponse{
			exists:         true,
			associatedRepo: gitRepo,
		}, err
	}
	if rubygems != "" {
		gitRepo, err := fetchGitRepositoryFromRubyGems(rubygems, manager)
		return packageMangerResponse{
			exists:         true,
			associatedRepo: gitRepo,
		}, err
	}
✨ add --nuget package manager flag (#3020)
* add nuget package manager
Signed-off-by: Avishay <avishay.balter@gmail.com>
* fix pat test messages (#2987)
* also fix pat tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0
Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0)
---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump cloud.google.com/go/bigquery from 1.51.1 to 1.51.2 (#2984)
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.51.1 to 1.51.2.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.51.1...bigquery/v1.51.2)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.0 to 0.9.1
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.0 to 0.9.1.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.0...v0.9.1)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :bug: Update osv-scanner dependency to include Vulnerabilities check fixes (#2981)
* Update osv-scanner dependency to include Vulnerabilities check fixes
Signed-off-by: Laurent Savaëte <laurent@where.tf>
* Run go mod tidy
Signed-off-by: Laurent Savaëte <laurent@where.tf>
---------
Signed-off-by: Laurent Savaëte <laurent@where.tf>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/docker/distribution in /tools (#2993)
Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible.
- [Release notes](https://github.com/docker/distribution/releases)
- [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2)
---
updated-dependencies:
- dependency-name: github.com/docker/distribution
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🌱 Gitlab: e2e test fixes in main (#2992)
* test secret changes
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update score
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* address cr comments
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests log/log.go (#2980)
- Add unit tests for the log package
- Add Apache License to log_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/cloudflare/circl in /tools (#2995)
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.2.0 to 1.3.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.2.0...v1.3.3)
---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :sparkles: Add releasing workflow for semantic-release (#2989)
Signed-off-by: Matt Travi <programmer@travi.org>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0
Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/slsa-framework/slsa-verifier/releases)
- [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md)
- [Commits](https://github.com/slsa-framework/slsa-verifier/compare/v2.2.0...v2.3.0)
---
updated-dependencies:
- dependency-name: slsa-framework/slsa-verifier
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#2994)
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3)
---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)
* :seedling: Additional e2e clients/githubrepo/checkruns.go
- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Based on code review comments
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Some tweaks
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: E2E for clients/githubrepo/contributors.go (#2939)
* :seedling: E2E for clients/githubrepo/contributors.go
- Add an end-to-end test for `contributorsHandler`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed based on code review comments.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed code review comment.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: Clarify that AI/ML doesn't count as human code review (#2953)
* Clarify that AI/ML doesn't count as human code review
Add this clarification per the Scorecards Zoom call meeting today
(2023-05-04).
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
* Tweaked per review
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
---------
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/controller
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/worker
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e`
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/webhook
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Clarify AI/ML not human code review - in .yml file (#3012)
This clarifies that AI/ML doesn't count as human code review.
This was earlier done in #2953 but that didn't modify the relevant
.yml file - this does.
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005)
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0)
---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for checks/raw/maintained.go (#2996)
- Add tests and checks for the `Maintained` function
- Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/894ff025c7b54547a9a2a1e9f228beae737ad3c2...eaaf4bedf32dbdc6b720b63067d99c4d77d6047d)
---
updated-dependencies:
- dependency-name: codecov/codecov-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for Policy.go (#3003)
- Included tests for policy.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/204a51a57a74d190b284a0ce69b44bc37201f343...03d0fecf172873164a163bbc64bed0f3bf114ed7)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/go-containerregistry (#3025)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2)
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Included e2e tests for push to main (#2951)
- Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Included directories that don't require coverage (#3002)
- Included directories that don't require coverage.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for checks/raw/contributors.go (#2998)
- Add tests and fix casing for Contributors function in checks/raw/contributors_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ GitLab: Code Review check (#2764)
* Add GitLab support for Code-Review check
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove spurious printf
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* e2e test
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update: test coverage
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* gitlab: license check (#2834)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031)
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/osv-scanner
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/commits/v1.3.3)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/03d0fecf172873164a163bbc64bed0f3bf114ed7...dd6b2e2b610a11fd73dd187a43d57cc1394e35f9)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump arduino/setup-protoc from 1.1.2 to 1.2.0
Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/64c0c85d18e984422218383b81c52f8b077404d3...4b3578161eece2eb20a9dfd84bb8ed105e684dba)
---
updated-dependencies:
- dependency-name: arduino/setup-protoc
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :sparkles: Add support for github GHES (#2999)
* :sparkles: adding support for github GHES
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: lint and cleanup
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: flaky test
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: address missing host
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: lint error
Signed-off-by: Niket Patel <patelniket@gmail.com>
* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)
* :seedling: Additional e2e clients/githubrepo/checkruns.go
- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Based on code review comments
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Some tweaks
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniket@gmail.com>
* :seedling: E2E for clients/githubrepo/contributors.go (#2939)
* :seedling: E2E for clients/githubrepo/contributors.go
- Add an end-to-end test for `contributorsHandler`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed based on code review comments.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed code review comment.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniket@gmail.com>
* chore: add GHES instructions
Signed-off-by: Niket Patel <patelniket@gmail.com>
* refact: use test setenv
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: corp unit test
Signed-off-by: Niket Patel <patelniket@gmail.com>
---------
Signed-off-by: Niket Patel <patelniket@gmail.com>
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniketm@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Change Facilitators to Maintainers (#3039)
Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS.
Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder.
Signed-off-by: Jeff Mendoza <jlm@jlm.name>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :bug: Gitlab: Commit/Committer Exceptions (#3026)
* feat: Added paging for contributor/users against gitlab projects
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated the bot flag for unmatched users
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Not all commit users are in the git registry instance
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char.
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Updated to allow for commits with PRs to be accounted/added to the client.commits
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated to prevent linting issue regarding nested if's
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Adding coverage for commits and contributors for gitlab
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Moved queries from the client to their own functions
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Need to pass the ProjectID value to the contributor query
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updating project title versus projectID values for api querying
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Updated tests to match expected property set for projectID
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* revert: Reverted based on feedback during review
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
---------
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: Make all StepSecurity app endpoint references consistent (#3042)
Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 📖 Update checks.md to show the benefit of >=2 reviewers (#3013)
* Update checks.yaml instead of checks.md
Signed-off-by: Joyce <joycebrum@google.com>
* feat: generate checks.md
Signed-off-by: Joyce Brum <joycebrum@google.com>
---------
Signed-off-by: Joyce <joycebrum@google.com>
Signed-off-by: Joyce Brum <joycebrum@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Improve workflow pinning remediation tests (#3021)
- Add 3 tests for workflow pinning remediation
[remediation/remediations_test.go]
- Add 3 tests for workflow pinning remediation
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go (#3000)
* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go
- Included e2e tests for clients/githubrepo/languages_e2e_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed the token type check.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for pkg/json_raw_results (#3044)
* :seedling: Unit tests for pkg/json_raw_results.go
- Unit tests for pkg/json_raw_results.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Additional tests
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* add zoom link and agenda link (#3050)
Signed-off-by: Amanda L Martin <hythloda@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Run E2E PAT test for push to main (#3046)
- Add E2E PAT tests for push to main.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Update main.yml (#3054)
- Fixed the YAML indenting issue.
Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* only run e2e pat on push (#3056)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: :ghost: fix anchor link to the code review section (#3058)
* fix anchor link to code-review in checks.yaml
Signed-off-by: dasfreak <dasfreak@users.noreply.github.com>
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
* generate checks.md
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
---------
Signed-off-by: dasfreak <dasfreak@users.noreply.github.com>
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 Gitlab: Tests (#3027)
* fix tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* use projectID instead of project where applicable
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* pass ref as listcommitoption
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update tests
* CI-Tests: check if score > 0. pull request client is limited and can't
go back to arbitrary pull requests. CI-Tests don't run on forks, so this
can't be pinned either. But, for active repositories, we typically
expect *some* tests to be run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* fix commitshandler commitSHA tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/goreleaser/nfpm/v2 in /tools (#3060)
Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0.
- [Release notes](https://github.com/goreleaser/nfpm/releases)
- [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml)
- [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0)
---
updated-dependencies:
- dependency-name: github.com/goreleaser/nfpm/v2
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ Gitlab: Add projects to cron (#2936)
* cron: add gitlab projects
* support gitlab client
* simplify gitlab detection
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* fix MakeGitlabRepo
* shortcut when repo url is github.com
* fixes add-projects, validate-projects
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Move gitlab repos to release controller
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add csv headers
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Use gitlab.WithBaseURL
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* formatting & logging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* remove spurious test
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* consolidate logic
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Turn on experimental flag
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add projects
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update client
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Simplify caching in docker workflow (#3061)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...f0e3dfb30302f8a0881bb509b044e0de4f6ef589)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065)
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 gitlab: cron (#3070)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/f0e3dfb30302f8a0881bb509b044e0de4f6ef589...0225834cc549ee0ca93cb085b92954821a145866)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/b2d17f51244a144849c6b37a3a6791b98a51d86f...25eaddf37ae893cec889065e9a60439c8af6f089)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 Gitlab status updates (#3052)
* doc: Updating gitlab support validation status
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updated logic for gitlab to prevent exceptions based on releases
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Added initial tests for gitlab branches
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* doc: Updated general README
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Cleaned up the query for pipelines to be focused on the commitID
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* feat: Allowed for a non-graphql method of retrieving MRs associated to a commit
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* doc: Updated status for the CI-Tests
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository.
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
---------
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079)
Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0.
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0)
---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* get nuget latest version from registration URL
Signed-off-by: Avishay <avishay.balter@gmail.com>
* better coverage
Signed-off-by: Avishay <avishay.balter@gmail.com>
* sign
Signed-off-by: Avishay <avishay.balter@gmail.com>
* fix tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* more tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* client tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* lint
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Apply suggestions from code review
Co-authored-by: Joel Verhagen <joel.verhagen@gmail.com>
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` (#3080)
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/cii
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/controller
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/worker
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/webhook
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/bq
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089)
Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/4b3578161eece2eb20a9dfd84bb8ed105e684dba...149f6c87b92550901b26acd1632e11c3662e381f)
---
updated-dependencies:
- dependency-name: arduino/setup-protoc
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/25eaddf37ae893cec889065e9a60439c8af6f089...cf4fe8759a45edd76ed6215da3529d2dbd2a3c68)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr iteration 2
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr iteration 3
Signed-off-by: Avishay <avishay.balter@gmail.com>
* switch security policy e2e test to ossf-tests repo. (#3090)
tensorflow/tensorflow is huge and was slowing down tests.
Also removed the rust e2e tests because they're already present as unit tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/cf4fe8759a45edd76ed6215da3529d2dbd2a3c68...5978e5a2df95ef20cde627d4acb5edd1f87ba46a)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0)
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.1 to 0.9.2
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ GitLab: enable more checks in cron (#3097)
* Enable checks
* Binary-Artifacts
* Code-Review
* License
* Vulnerabilities
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Enable more checks
* CII Best Practices
* Fuzzing
* Maintained
* Packaging
* Pinned-Dependencies
* Signed-Releases
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update repo name
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: agenda link change (#3111)
Signed-off-by: Amanda L Martin <hythloda@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5978e5a2df95ef20cde627d4acb5edd1f87ba46a...5d2fcdb4cbef720a52f49fd05d8c7edd18a64758)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.2 to 0.9.3
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for option (#3109)
- Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format
- Add tests for checks to run and format flags
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🌱 GitLab: add gitlab auth token to cron worker env (#3117)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Don't run pat e2e on dependabot merges (#3119)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ Detect fast-check PBT library for fuzz section (#3073)
* ✨ Detect fast-check PBT library for fuzz section
As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution.
I also adapted the documentation related to fuzzing accordingly.
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
* Typo
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
* Update missing md files
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
---------
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: temporarily disable failing e2e tests so we don't block all PRs. (#3130)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr comments
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121)
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Ignore all pb files for test (#3127)
- Update .codecov.yml to ignore additional files
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Deprecate dependencydiff package and add access token requirement (#3125)
- Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function
- Add a line to the `.codecov.yml` to ignore the `dependencydiff` package
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ [experimental] Support for new `--format probe` (#3048)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump distroless/base (#3122)
Bumps distroless/base from `10985f0` to `c623859`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Ignore deprecation warning for dependencydiff tests. (#3136)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.15 to 36.0.18
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5d2fcdb4cbef720a52f49fd05d8c7edd18a64758...07e0177b72d3640efced741cae32f9861eee1367)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139)
Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0)
---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Increase test coverage for finding outcomes (#3142)
* Increase test coverage for finding outcomes
- Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Updates based on Codereview
- Update `Outcome` variable in `finding/finding_test.go`
- Add `t.Parallel()` for test parallelization
- Add comparison using `cmp.Diff` to test for mismatches
- Update test cases for various outcomes
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/07e0177b72d3640efced741cae32f9861eee1367...fb20f4d24890fadc539505b1746d260504b213d0)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144)
* re-enable skipped ci test
Signed-off-by: Spencer Schrock <sschrock@google.com>
* re-enable skipped attestor test. switch to ossf-tests repo
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove extra policies from tests that only look at code review.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove unneeded policies from binary artifact tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* add license header
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr comments
Signed-off-by: Avishay <avishay.balter@gmail.com>
* making the packages internal
Signed-off-by: Avishay <avishay.balter@gmail.com>
* generate mocks
Signed-off-by: Avishay <avishay.balter@gmail.com>
---------
Signed-off-by: Avishay <avishay.balter@gmail.com>
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
2023-06-16 02:13:41 +03:00

	if nuget != "" {
		nugetClient := ngt.NugetClient{Manager: manager}
		gitRepo, err := fetchGitRepositoryFromNuget(nuget, nugetClient)
		return packageMangerResponse{
			exists:         true,
			associatedRepo: gitRepo,
		}, err
	}

	return packageMangerResponse{}, nil
}

type npmSearchResults struct {
	Objects []struct {
		Package struct {
			Links struct {
				Repository string `json:"repository"`
			} `json:"links"`
		} `json:"package"`
	} `json:"objects"`
}

type pypiSearchResults struct {
	Info struct {
		ProjectURLs map[string]string `json:"project_urls"`
		ProjectURL  string            `json:"project_url"`
	} `json:"info"`
}

type rubyGemsSearchResults struct {
	SourceCodeURI string `json:"source_code_uri"`
}

// Gets the GitHub repository URL for the npm package.
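As an added example (not Scorecard's own code), the three registry response shapes above decoded from constructed sample JSON and reduced to a validated github.com/owner/repo string. The registry field is publisher-controlled metadata, so the example checks host, scheme and path depth before accepting it; the normalizer, the first-hit and sorted-key selection rules, and all sample values are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Registry response shapes, as declared in the Scorecard CLI source above.
type npmSearchResults struct {
	Objects []struct {
		Package struct {
			Links struct {
				Repository string `json:"repository"`
			} `json:"links"`
		} `json:"package"`
	} `json:"objects"`
}

type pypiSearchResults struct {
	Info struct {
		ProjectURLs map[string]string `json:"project_urls"`
		ProjectURL  string            `json:"project_url"`
	} `json:"info"`
}

type rubyGemsSearchResults struct {
	SourceCodeURI string `json:"source_code_uri"`
}

// normalizeGitHubRepo accepts only https://github.com/<owner>/<repo>[.git] and
// returns "github.com/owner/repo". Other hosts, other schemes (git+ssh, bare
// strings) and deeper paths are rejected: the publisher controls this field.
func normalizeGitHubRepo(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || !strings.EqualFold(u.Host, "github.com") {
		return "", fmt.Errorf("not a GitHub HTTPS URL: %q", raw)
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", fmt.Errorf("expected github.com/<owner>/<repo>, got %q", raw)
	}
	return "github.com/" + parts[0] + "/" + strings.TrimSuffix(parts[1], ".git"), nil
}

// repoFromNpm uses the first search hit (this example's choice).
func repoFromNpm(body []byte) (string, error) {
	var res npmSearchResults
	if err := json.Unmarshal(body, &res); err != nil {
		return "", err
	}
	if len(res.Objects) == 0 {
		return "", errors.New("empty npm search result")
	}
	return normalizeGitHubRepo(res.Objects[0].Package.Links.Repository)
}

// repoFromPypi tries project_urls in sorted key order, then project_url (this example's order).
func repoFromPypi(body []byte) (string, error) {
	var res pypiSearchResults
	if err := json.Unmarshal(body, &res); err != nil {
		return "", err
	}
	keys := make([]string, 0, len(res.Info.ProjectURLs))
	for k := range res.Info.ProjectURLs {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		if repo, err := normalizeGitHubRepo(res.Info.ProjectURLs[k]); err == nil {
			return repo, nil
		}
	}
	return normalizeGitHubRepo(res.Info.ProjectURL)
}

func repoFromRubyGems(body []byte) (string, error) {
	var res rubyGemsSearchResults
	if err := json.Unmarshal(body, &res); err != nil {
		return "", err
	}
	return normalizeGitHubRepo(res.SourceCodeURI)
}

func main() {
	// Constructed sample responses (not captured from the live registries).
	repo, err := repoFromNpm([]byte(`{"objects":[{"package":{"links":{"repository":"https://github.com/ossf/scorecard"}}}]}`))
	fmt.Println("npm:", repo, err)
	repo, err = repoFromPypi([]byte(`{"info":{"project_url":"https://pypi.org/project/x/","project_urls":{"Homepage":"https://x.example","Source":"https://github.com/ossf/scorecard.git"}}}`))
	fmt.Println("pypi:", repo, err)
	repo, err = repoFromRubyGems([]byte(`{"source_code_uri":"git+ssh://git@github.com/someone/gem"}`))
	fmt.Println("rubygems:", repo, err) // rejected: not an https github.com URL
}
```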
- dependency-name: github.com/cloudflare/circl
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)
* :seedling: Additional e2e clients/githubrepo/checkruns.go
- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Based on code review comments
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Some tweaks
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: E2E for clients/githubrepo/contributors.go (#2939)
* :seedling: E2E for clients/githubrepo/contributors.go
- Add an end-to-end test for `contributorsHandler`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed based on code review comments.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed code review comment.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: Clarify that AI/ML doesn't count as human code review (#2953)
* Clarify that AI/ML doesn't count as human code review
Add this clarification per the Scorecards Zoom call meeting today
(2023-05-04).
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
* Tweaked per review
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
---------
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/controller
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/worker
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e`
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/webhook
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Clarify AI/ML not human code review - in .yml file (#3012)
This clarifies that AI/ML doesn't count as human code review.
This was earlier done in #2953 but that didn't modify the relevant
.yml file - this does.
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005)
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0)
---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for checks/raw/maintained.go (#2996)
- Add tests and checks for the `Maintained` function
- Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/894ff025c7b54547a9a2a1e9f228beae737ad3c2...eaaf4bedf32dbdc6b720b63067d99c4d77d6047d)
---
updated-dependencies:
- dependency-name: codecov/codecov-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for Policy.go (#3003)
- Included tests for policy.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/204a51a57a74d190b284a0ce69b44bc37201f343...03d0fecf172873164a163bbc64bed0f3bf114ed7)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/go-containerregistry (#3025)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2)
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Included e2e tests for push to main (#2951)
- Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Included directories that don't require coverage (#3002)
- Included directories that don't require coverage.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for checks/raw/contributors.go (#2998)
- Add tests and fix casing for Contributors function in checks/raw/contributors_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ GitLab: Code Review check (#2764)
* Add GitLab support for Code-Review check
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove spurious printf
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* e2e test
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update: test coverage
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* gitlab: license check (#2834)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031)
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/osv-scanner
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/commits/v1.3.3)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/03d0fecf172873164a163bbc64bed0f3bf114ed7...dd6b2e2b610a11fd73dd187a43d57cc1394e35f9)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump arduino/setup-protoc from 1.1.2 to 1.2.0
Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/64c0c85d18e984422218383b81c52f8b077404d3...4b3578161eece2eb20a9dfd84bb8ed105e684dba)
---
updated-dependencies:
- dependency-name: arduino/setup-protoc
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :sparkles: Add support for github GHES (#2999)
* :sparkles: adding support for github GHES
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: lint and cleanup
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: flaky test
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: address missing host
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: lint error
Signed-off-by: Niket Patel <patelniket@gmail.com>
* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)
* :seedling: Additional e2e clients/githubrepo/checkruns.go
- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Based on code review comments
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Some tweaks
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniket@gmail.com>
* :seedling: E2E for clients/githubrepo/contributors.go (#2939)
* :seedling: E2E for clients/githubrepo/contributors.go
- Add an end-to-end test for `contributorsHandler`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed based on code review comments.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed code review comment.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniket@gmail.com>
* chore: add GHES instructions
Signed-off-by: Niket Patel <patelniket@gmail.com>
* refact: use test setenv
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: corp unit test
Signed-off-by: Niket Patel <patelniket@gmail.com>
---------
Signed-off-by: Niket Patel <patelniket@gmail.com>
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniketm@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Change Facilitators to Maintainers (#3039)
Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS.
Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder.
Signed-off-by: Jeff Mendoza <jlm@jlm.name>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :bug: Gitlab: Commit/Committer Exceptions (#3026)
* feat: Added paging for contributor/users against gitlab projects
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated the bot flag for unmatched users
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Not all commit users are in the git registry instance
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char.
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Updated to allow for commits with PRs to be accounted/added to the client.commits
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated to prevent linting issue regarding nested ifs
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Adding coverage for commits and contributors for gitlab
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Moved queries from the client to their own functions
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Need to pass the ProjectID value to the contributor query
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updating project title versus projectID values for api querying
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Updated tests to match expected property set for projectID
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* revert: Reverted based on feedback during review
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
---------
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: Make all StepSecurity app endpoint references consistent (#3042)
Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 📖 Update checks.md to show the benefit of >=2 reviewers (#3013)
* Update checks.yaml instead of checks.md
Signed-off-by: Joyce <joycebrum@google.com>
* feat: generate checks.md
Signed-off-by: Joyce Brum <joycebrum@google.com>
---------
Signed-off-by: Joyce <joycebrum@google.com>
Signed-off-by: Joyce Brum <joycebrum@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Improve workflow pinning remediation tests (#3021)
- Add 3 tests for workflow pinning remediation
[remediation/remediations_test.go]
- Add 3 tests for workflow pinning remediation
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go (#3000)
* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go
- Included e2e tests for clients/githubrepo/languages_e2e_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed the token type check.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for pkg/json_raw_results (#3044)
* :seedling: Unit tests for pkg/json_raw_results.go
- Unit tests for pkg/json_raw_results.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Additional tests
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* add zoom link and agenda link (#3050)
Signed-off-by: Amanda L Martin <hythloda@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Run E2E PAT test for push to main (#3046)
- Add E2E PAT tests for push to main.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Update main.yml (#3054)
- Fixed the YAML indenting issue.
Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* only run e2e pat on push (#3056)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: :ghost: fix anchor link to the code review section (#3058)
* fix anchor link to code-review in checks.yaml
Signed-off-by: dasfreak <dasfreak@users.noreply.github.com>
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
* generate checks.md
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
---------
Signed-off-by: dasfreak <dasfreak@users.noreply.github.com>
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 Gitlab: Tests (#3027)
* fix tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* use projectID instead of project where applicable
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* pass ref as listcommitoption
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update tests
* CI-Tests: check if score > 0. pull request client is limited and can't
go back to arbitrary pull requests. CI-Tests don't run on forks, so this
can't be pinned either. But, for active repositories, we typically
expect *some* tests to be run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* fix commitshandler commitSHA tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/goreleaser/nfpm/v2 in /tools (#3060)
Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0.
- [Release notes](https://github.com/goreleaser/nfpm/releases)
- [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml)
- [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0)
---
updated-dependencies:
- dependency-name: github.com/goreleaser/nfpm/v2
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ Gitlab: Add projects to cron (#2936)
* cron: add gitlab projects
* support gitlab client
* simplify gitlab detection
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* fix MakeGitlabRepo
* shortcut when repo url is github.com
* fixes add-projects, validate-projects
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Move gitlab repos to release controller
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add csv headers
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Use gitlab.WithBaseURL
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* formatting & logging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* remove spurious test
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* consolidate logic
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Turn on experimental flag
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add projects
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update client
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Simplify caching in docker workflow (#3061)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...f0e3dfb30302f8a0881bb509b044e0de4f6ef589)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065)
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 gitlab: cron (#3070)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/f0e3dfb30302f8a0881bb509b044e0de4f6ef589...0225834cc549ee0ca93cb085b92954821a145866)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/b2d17f51244a144849c6b37a3a6791b98a51d86f...25eaddf37ae893cec889065e9a60439c8af6f089)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 Gitlab status updates (#3052)
* doc: Updating gitlab support validation status
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updated logic for gitlab to prevent exceptions based on releases
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Added initial tests for gitlab branches
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* doc: Updated general README
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Cleaned up the query for pipelines to be focused on the commitID
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* feat: Allowed for a non-graphql method of retrieving MRs associated to a commit
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* doc: Updated status for the CI-Tests
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository.
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
---------
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079)
Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0.
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0)
---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* get nuget latest version from registration URL
Signed-off-by: Avishay <avishay.balter@gmail.com>
* better coverage
Signed-off-by: Avishay <avishay.balter@gmail.com>
* sign
Signed-off-by: Avishay <avishay.balter@gmail.com>
* fix tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* more tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* client tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* lint
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Apply suggestions from code review
Co-authored-by: Joel Verhagen <joel.verhagen@gmail.com>
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` (#3080)
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/cii
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/controller
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/worker
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/webhook
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/bq
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089)
Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/4b3578161eece2eb20a9dfd84bb8ed105e684dba...149f6c87b92550901b26acd1632e11c3662e381f)
---
updated-dependencies:
- dependency-name: arduino/setup-protoc
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/25eaddf37ae893cec889065e9a60439c8af6f089...cf4fe8759a45edd76ed6215da3529d2dbd2a3c68)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr iteration 2
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr iteration 3
Signed-off-by: Avishay <avishay.balter@gmail.com>
* switch security policy e2e test to ossf-tests repo. (#3090)
tensorflow/tensorflow is huge and was slowing down tests.
Also removed the rust e2e tests because they're already present as unit tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/cf4fe8759a45edd76ed6215da3529d2dbd2a3c68...5978e5a2df95ef20cde627d4acb5edd1f87ba46a)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0)
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.1 to 0.9.2
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ GitLab: enable more checks in cron (#3097)
* Enable checks
* Binary-Artifacts
* Code-Review
* License
* Vulnerabilities
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Enable more checks
* CII Best Practices
* Fuzzing
* Maintained
* Packaging
* Pinned-Dependencies
* Signed-Releases
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update repo name
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: agenda link change (#3111)
Signed-off-by: Amanda L Martin <hythloda@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5978e5a2df95ef20cde627d4acb5edd1f87ba46a...5d2fcdb4cbef720a52f49fd05d8c7edd18a64758)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.2 to 0.9.3
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for option (#3109)
- Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format
- Add tests for checks to run and format flags
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🌱 GitLab: add gitlab auth token to cron worker env (#3117)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Don't run pat e2e on dependabot merges (#3119)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ Detect fast-check PBT library for fuzz section (#3073)
* ✨ Detect fast-check PBT library for fuzz section
As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution.
I also adapted the documentation related to fuzzing accordingly.
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
* Typo
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
* Update missing md files
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
---------
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: temporarily disable failing e2e tests so we don't block all PRs. (#3130)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr comments
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121)
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Ignore all pb files for test (#3127)
- Update .codecov.yml to ignore additional files
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Deprecate dependencydiff package and add access token requirement (#3125)
- Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function
- Add a line to the `.codecov.yml` to ignore the `dependencydiff` package
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ [experimental] Support for new `--format probe` (#3048)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump distroless/base (#3122)
Bumps distroless/base from `10985f0` to `c623859`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Ignore deprecation warning for dependencydiff tests. (#3136)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.15 to 36.0.18
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5d2fcdb4cbef720a52f49fd05d8c7edd18a64758...07e0177b72d3640efced741cae32f9861eee1367)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139)
Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0)
---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Increase test coverage for finding outcomes (#3142)
* Increase test coverage for finding outcomes
- Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Updates based on Codereview
- Update `Outcome` variable in `finding/finding_test.go`
- Add `t.Parallel()` for test parallelization
- Add comparison using `cmp.Diff` to test for mismatches
- Update test cases for various outcomes
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/07e0177b72d3640efced741cae32f9861eee1367...fb20f4d24890fadc539505b1746d260504b213d0)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144)
* re-enable skipped ci test
Signed-off-by: Spencer Schrock <sschrock@google.com>
* re-enable skipped attestor test. switch to ossf-tests repo
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove extra policies from tests that only look at code review.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove unneeded policies from binary artifact tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* add license header
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr comments
Signed-off-by: Avishay <avishay.balter@gmail.com>
* making the packages internal
Signed-off-by: Avishay <avishay.balter@gmail.com>
* generate mocks
Signed-off-by: Avishay <avishay.balter@gmail.com>
---------
Signed-off-by: Avishay <avishay.balter@gmail.com>
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
// blame: 2023-06-16 02:13:41 +03:00
func fetchGitRepositoryFromNPM(packageName string, packageManager pmc.Client) (string, error) {
	// blame: 2022-02-01 00:41:42 +03:00
	// The registry search endpoint performs a fuzzy text search and returns the
	// best-scoring match, so the first object is not guaranteed to be the package
	// named packageName; callers that need an exact match must compare the
	// returned package name against the one they asked for.
	npmSearchURL := "https://registry.npmjs.org/-/v1/search?text=%s&size=1"
	// blame: 2022-03-09 08:36:23 +03:00
	resp, err := packageManager.Get(npmSearchURL, packageName)
	// blame: 2022-02-01 00:41:42 +03:00
	if err != nil {
		return "", sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("failed to get npm package json: %v", err))
	}

	defer resp.Body.Close()
	v := &npmSearchResults{}
	err = json.NewDecoder(resp.Body).Decode(v)
	if err != nil {
		return "", sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("failed to parse npm package json: %v", err))
	}
	if len(v.Objects) == 0 {
		return "", sce.WithMessage(sce.ErrScorecardInternal,
			fmt.Sprintf("could not find source repo for npm package: %s", packageName))
	}
	return v.Objects[0].Package.Links.Repository, nil
}

// blame: 2023-08-26 03:45:20 +03:00
// findGitRepositoryInPYPIResponse decodes a PyPI project JSON document and
// returns the single source repository that its project URLs agree on.
func findGitRepositoryInPYPIResponse(packageName string, response io.Reader) (string, error) {
	v := &pypiSearchResults{}
	err := json.NewDecoder(response).Decode(v)
	if err != nil {
		return "", sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("failed to parse pypi package json: %v", err))
	}

	// PyPI serves "project_urls": null for some packages, which leaves the decoded
	// map nil, and writing to a nil map panics; allocate one before the write below.
	// (map[string]string is assumed from how ProjectURLs is used in this function.)
	if v.Info.ProjectURLs == nil {
		v.Info.ProjectURLs = map[string]string{}
	}
	// Fold the legacy top-level project_url into the candidate set under a key
	// that will not collide with a real project_urls entry.
	v.Info.ProjectURLs["key_not_used_and_very_unlikely_to_be_present_already"] = v.Info.ProjectURL
	var validURL string
	for _, url := range v.Info.ProjectURLs {
		for _, matcher := range pypiMatchers {
			repo := matcher(url)
			if repo == "" {
				continue
			}
			if validURL == "" {
				validURL = repo
			} else if validURL != repo {
				// Two URLs resolving to different repositories is ambiguous:
				// refuse rather than guess which one is the real source.
				return "", sce.WithMessage(sce.ErrScorecardInternal,
					fmt.Sprintf("found too many possible source repos for pypi package: %s", packageName))
			}
		}
	}

	if validURL == "" {
		return "", sce.WithMessage(sce.ErrScorecardInternal,
			fmt.Sprintf("could not find source repo for pypi package: %s", packageName))
	}
	return validURL, nil
}
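The PyPI resolver above accepts a repository only when every project URL that looks like a repository points at the same one. The following is an added example and not Scorecard's own code: a stand-alone Go version with a constructed `pypiProject` struct, a constructed `matchHostedRepo` matcher for github.com and gitlab.com URLs (standing in for Scorecard's `pypiMatchers`, which this page does not show), and three constructed PyPI-style documents. It also covers the `"project_urls": null` case, which leaves the decoded map nil, and the ambiguity case where two URLs name different repositories.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// pypiProject mirrors the subset of the PyPI JSON API document
// (https://pypi.org/pypi/<name>/json) that source-repository resolution needs.
// PyPI serves "project_urls": null for some packages, so the map may be nil
// after decoding; ranging over a nil map is safe in Go, writing to one panics.
type pypiProject struct {
	Info struct {
		ProjectURL  string            `json:"project_url"`
		ProjectURLs map[string]string `json:"project_urls"`
	} `json:"info"`
}

var (
	errNoRepo        = errors.New("no source repository found among project URLs")
	errAmbiguousRepo = errors.New("project URLs point at more than one source repository")
)

// hostedRepo recognises a repository on github.com or gitlab.com. Anything after
// the "<owner>/<name>" segment (issue tracker, wiki, a .git suffix) is ignored so
// that several URLs into the same repository agree on one canonical value.
// This matcher is an assumption of this example, not Scorecard's pypiMatchers.
var hostedRepo = regexp.MustCompile(
	`^https?://(?:www\.)?(github\.com|gitlab\.com)/([\w.-]+)/([\w.-]+?)(?:\.git)?(?:[/#?].*)?$`)

// matchHostedRepo returns the canonical "host/owner/name" for a URL that points
// into a hosted repository, or "" when the URL is not such a repository.
// The URL is lower-cased first: forges treat owner/name case-insensitively, and
// without this "Psf/Requests" and "psf/requests" would look like two repositories.
func matchHostedRepo(rawURL string) string {
	m := hostedRepo.FindStringSubmatch(strings.ToLower(strings.TrimSpace(rawURL)))
	if m == nil {
		return ""
	}
	return m[1] + "/" + m[2] + "/" + m[3]
}

// findSourceRepo decodes a PyPI project document and returns the single source
// repository its URLs agree on. It errors when no URL is a repository and,
// deliberately, when different URLs name different repositories: metadata that
// points at two code bases should be examined by a human, not guessed at.
func findSourceRepo(r io.Reader) (string, error) {
	var p pypiProject
	if err := json.NewDecoder(r).Decode(&p); err != nil {
		return "", fmt.Errorf("decode pypi json: %w", err)
	}
	// Candidates: the legacy project_url plus every project_urls value.
	candidates := []string{p.Info.ProjectURL}
	for _, u := range p.Info.ProjectURLs {
		candidates = append(candidates, u)
	}
	found := ""
	for _, u := range candidates {
		repo := matchHostedRepo(u)
		switch {
		case repo == "":
			continue
		case found == "":
			found = repo
		case found != repo:
			return "", fmt.Errorf("%w: %s and %s", errAmbiguousRepo, found, repo)
		}
	}
	if found == "" {
		return "", errNoRepo
	}
	return found, nil
}

// Constructed sample documents for this example; not real PyPI responses.
const (
	sampleConsistent = `{"info": {
	  "project_url": "https://pypi.org/project/example-lib/",
	  "project_urls": {
	    "Homepage": "https://github.com/Example-Org/example-lib",
	    "Source": "https://github.com/example-org/example-lib.git",
	    "Bug Tracker": "https://github.com/example-org/example-lib/issues",
	    "Documentation": "https://example-lib.readthedocs.io/"}}}`
	sampleAmbiguous = `{"info": {"project_url": "",
	  "project_urls": {
	    "Source": "https://github.com/example-org/example-lib",
	    "Homepage": "https://gitlab.com/someone-else/example-lib"}}}`
	sampleNullURLs = `{"info": {"project_url": "https://pypi.org/project/example-lib/",
	  "project_urls": null}}`
)

func main() {
	for name, doc := range map[string]string{
		"consistent": sampleConsistent, "ambiguous": sampleAmbiguous, "null": sampleNullURLs,
	} {
		repo, err := findSourceRepo(strings.NewReader(doc))
		fmt.Printf("%-10s repo=%q err=%v\n", name, repo, err)
	}
}
```

The consistent document resolves to `github.com/example-org/example-lib` even though its four URLs differ in case, `.git` suffix and trailing path; the ambiguous document is rejected with `errAmbiguousRepo`; the null document returns `errNoRepo` instead of panicking.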
// blame: 2022-02-01 00:41:42 +03:00
// Gets the GitHub repository URL for the pypi package.
* Based on code review comments
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Some tweaks
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: E2E for clients/githubrepo/contributors.go (#2939)
* :seedling: E2E for clients/githubrepo/contributors.go
- Add an end-to-end test for `contributorsHandler`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed based on code review comments.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed codereview comment.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: Clarify that AI/ML doesn't count as human code review (#2953)
* Clarify that AI/ML doesn't count as human code review
Add this clarification per the Scorecards Zoom call meeting today
(2023-05-04).
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
* Tweaked per review
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
---------
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/controller
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/worker
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e`
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/webhook
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Clarify AI/ML not human code review - in .yml file (#3012)
This clarifies that AI/ML doesn't count as human code review.
This was earlier done in #2953 but that didn't modify the relevant
.yml file - this does.
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005)
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0)
---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for checks/raw/maintained.go (#2996)
- Add tests and checks for the `Maintained` function
- Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/894ff025c7b54547a9a2a1e9f228beae737ad3c2...eaaf4bedf32dbdc6b720b63067d99c4d77d6047d)
---
updated-dependencies:
- dependency-name: codecov/codecov-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for Policy.go (#3003)
- Included tests for policy.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/204a51a57a74d190b284a0ce69b44bc37201f343...03d0fecf172873164a163bbc64bed0f3bf114ed7)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/go-containerregistry (#3025)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2)
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Included e2e tests for push to main (#2951)
- Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Included directories that don't require coverage (#3002)
- Included directories that don't require coverage.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for checks/raw/contributors.go (#2998)
- Add tests and fix casing for Contributors function in checks/raw/contributors_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ GitLab: Code Review check (#2764)
* Add GitLab support for Code-Review check
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove spurious printf
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* e2e test
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update: test coverage
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* gitlab: license check (#2834)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031)
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/osv-scanner
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/commits/v1.3.3)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/03d0fecf172873164a163bbc64bed0f3bf114ed7...dd6b2e2b610a11fd73dd187a43d57cc1394e35f9)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump arduino/setup-protoc from 1.1.2 to 1.2.0
Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/64c0c85d18e984422218383b81c52f8b077404d3...4b3578161eece2eb20a9dfd84bb8ed105e684dba)
---
updated-dependencies:
- dependency-name: arduino/setup-protoc
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :sparkles: Add support for github GHES (#2999)
* :sparkles: adding support for github GHES
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: lint and cleanup
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: flaky test
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: address missing host
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: lint error
Signed-off-by: Niket Patel <patelniket@gmail.com>
* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)
* :seedling: Additional e2e clients/githubrepo/checkruns.go
- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Based on code review comments
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Some tweaks
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniket@gmail.com>
* :seedling: E2E for clients/githubrepo/contributors.go (#2939)
* :seedling: E2E for clients/githubrepo/contributors.go
- Add an end-to-end test for `contributorsHandler`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed based on code review comments.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed codereview comment.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniket@gmail.com>
* chore: add GHES instructions
Signed-off-by: Niket Patel <patelniket@gmail.com>
* refact: use test setenv
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: corp unit test
Signed-off-by: Niket Patel <patelniket@gmail.com>
---------
Signed-off-by: Niket Patel <patelniket@gmail.com>
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniketm@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Change Facilitators to Maintainers (#3039)
Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS.
Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder.
Signed-off-by: Jeff Mendoza <jlm@jlm.name>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :bug: Gitlab: Commit/Commitor Exceptions (#3026)
* feat: Added paging for contributor/users against gitlab projects
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated the bot flag for unmatched users
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Not all commit users are in the git registry instance
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char.
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Updated to allow for commits with PRs to be accounted/added to the client.commits
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated to prevent linting issue regarding nested if's
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Adding coverage for commits and contributors for gitlab
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Moved queries from the client to their own functions
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Need to pass the ProjectID value to the contributor query
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updating project title versus projectID values for api querying
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Updated tests to match expected property set for projectID
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* revert: Reverted based on feedback during review
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
---------
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: Make all StepSecurity app endpoint references consistent (#3042)
Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 📖 Update checks.md to show the benefit of >=2 reviewers (#3013)
* Update checks.yaml instead of checks.md
Signed-off-by: Joyce <joycebrum@google.com>
* feat: generate checks.md
Signed-off-by: Joyce Brum <joycebrum@google.com>
---------
Signed-off-by: Joyce <joycebrum@google.com>
Signed-off-by: Joyce Brum <joycebrum@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Improve workflow pinning remediation tests (#3021)
- Add 3 tests for workflow pinning remediation
[remediation/remediations_test.go]
- Add 3 tests for workflow pinning remediation
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go (#3000)
* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go
- Included e2e tests for clients/githubrepo/languages_e2e_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed the token type check.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for pkg/json_raw_results (#3044)
* :seedling: Unit tests for pkg/json_raw_results.go
- Unit tests for pkg/json_raw_results.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Additional tests
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* add zoom link and agenda link (#3050)
Signed-off-by: Amanda L Martin <hythloda@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Run E2E PAT test for push to main (#3046)
- Add E2E PAT tests for push to main.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Update main.yml (#3054)
- Fixed the YAML indenting issue.
Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* only run e2e pat on push (#3056)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: :ghost: fix anchor link to the code review section (#3058)
* fix anchor link to code-review in checks.yaml
Signed-off-by: dasfreak <dasfreak@users.noreply.github.com>
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
* generate checks.md
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
---------
Signed-off-by: dasfreak <dasfreak@users.noreply.github.com>
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 Gitlab: Tests (#3027)
* fix tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* use projectID instead of project where applicable
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* pass ref as listcommitoption
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update tests
* CI-Tests: check if score > 0. pull request client is limited and can't
go back to arbitrary pull requests. CI-Tests don't run on forks, so this
can't be pinned either. But, for active repositories, we typically
expect *some* tests to be run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* fix commitshandler commitSHA tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/goreleaser/nfpm/v2 in /tools (#3060)
Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0.
- [Release notes](https://github.com/goreleaser/nfpm/releases)
- [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml)
- [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0)
---
updated-dependencies:
- dependency-name: github.com/goreleaser/nfpm/v2
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ Gitlab: Add projects to cron (#2936)
* cron: add gitlab projects
* support gitlab client
* simplify gitlab detection
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* fix MakeGitlabRepo
* shortcut when repo url is github.com
* fixes add-projects, validate-projects
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Move gitlab repos to release controller
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add csv headers
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Use gitlab.WithBaseURL
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* formatting & logging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* remove spurious test
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* consolidate logic
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Turn on experimental flag
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add projects
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update client
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Simplify caching in docker workflow (#3061)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...f0e3dfb30302f8a0881bb509b044e0de4f6ef589)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065)
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 gitlab: cron (#3070)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/f0e3dfb30302f8a0881bb509b044e0de4f6ef589...0225834cc549ee0ca93cb085b92954821a145866)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/b2d17f51244a144849c6b37a3a6791b98a51d86f...25eaddf37ae893cec889065e9a60439c8af6f089)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 Gitlab status updates (#3052)
* doc: Updating gitlab support validation status
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updated logic for gitlab to prevent exceptions based on releases
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Added initial tests for gitlab branches
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* doc: Updated general README
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Cleaned up the query for pipelines to be focused on the commitID
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* feat: Allowed for a non-graphql method of retrieving MRs associated to a commit
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* doc: Updated status for the CI-Tests
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository.
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
---------
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079)
Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0.
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0)
---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* get nuget latest version from registration URL
Signed-off-by: Avishay <avishay.balter@gmail.com>
* better coverage
Signed-off-by: Avishay <avishay.balter@gmail.com>
* sign
Signed-off-by: Avishay <avishay.balter@gmail.com>
* fix tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* more tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* client tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* lint
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Apply suggestions from code review
Co-authored-by: Joel Verhagen <joel.verhagen@gmail.com>
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` (#3080)
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/cii
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/controller
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/worker
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/webhook
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/bq
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089)
Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/4b3578161eece2eb20a9dfd84bb8ed105e684dba...149f6c87b92550901b26acd1632e11c3662e381f)
---
updated-dependencies:
- dependency-name: arduino/setup-protoc
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/25eaddf37ae893cec889065e9a60439c8af6f089...cf4fe8759a45edd76ed6215da3529d2dbd2a3c68)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr iteration 2
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr iteration 3
Signed-off-by: Avishay <avishay.balter@gmail.com>
* switch security policy e2e test to ossf-tests repo. (#3090)
tensorflow/tensorflow is huge and was slowing down tests.
Also removed the rust e2e tests because they're already present as unit tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/cf4fe8759a45edd76ed6215da3529d2dbd2a3c68...5978e5a2df95ef20cde627d4acb5edd1f87ba46a)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0)
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.1 to 0.9.2
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ GitLab: enable more checks in cron (#3097)
* Enable checks
* Binary-Artifacts
* Code-Review
* License
* Vulnerabilities
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Enable more checks
* CII Best Practices
* Fuzzing
* Maintained
* Packaging
* Pinned-Dependencies
* Signed-Releases
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update repo name
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: agenda link change (#3111)
Signed-off-by: Amanda L Martin <hythloda@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5978e5a2df95ef20cde627d4acb5edd1f87ba46a...5d2fcdb4cbef720a52f49fd05d8c7edd18a64758)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.2 to 0.9.3
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for option (#3109)
- Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format
- Add tests for checks to run and format flags
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🌱 GitLab: add gitlab auth token to cron worker env (#3117)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Don't run pat e2e on dependabot merges (#3119)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ Detect fast-check PBT library for fuzz section (#3073)
* ✨ Detect fast-check PBT library for fuzz section
As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution.
I also adapted the documentation related to fuzzing accordingly.
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
* Typo
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
* Update missing md files
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
---------
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: temporarily disable failing e2e tests so we don't block all PRs. (#3130)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr comments
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121)
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Ignore all pb files for test (#3127)
- Update .codecov.yml to ignore additional files
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Deprecate dependencydiff package and add access token requirement (#3125)
- Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function
- Add a line to the `.codecov.yml` to ignore the `dependencydiff` package
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ [experimental] Support for new `--format probe` (#3048)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump distroless/base (#3122)
Bumps distroless/base from `10985f0` to `c623859`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Ignore deprecation warning for dependencydiff tests. (#3136)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.15 to 36.0.18
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5d2fcdb4cbef720a52f49fd05d8c7edd18a64758...07e0177b72d3640efced741cae32f9861eee1367)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139)
Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0)
---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Increase test coverage for finding outcomes (#3142)
* Increase test coverage for finding outcomes
- Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Updates based on Codereview
- Update `Outcome` variable in `finding/finding_test.go`
- Add `t.Parallel()` for test parallelization
- Add comparison using `cmp.Diff` to test for mismatches
- Update test cases for various outcomes
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/07e0177b72d3640efced741cae32f9861eee1367...fb20f4d24890fadc539505b1746d260504b213d0)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144)
* re-enable skipped ci test
Signed-off-by: Spencer Schrock <sschrock@google.com>
* re-enable skipped attestor test. switch to ossf-tests repo
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove extra policies from tests that only look at code review.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove unneeded policies from binary artifact tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* add license header
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr comments
Signed-off-by: Avishay <avishay.balter@gmail.com>
* making the packages internal
Signed-off-by: Avishay <avishay.balter@gmail.com>
* generate mocks
Signed-off-by: Avishay <avishay.balter@gmail.com>
---------
Signed-off-by: Avishay <avishay.balter@gmail.com>
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
// fetchGitRepositoryFromPYPI resolves a PyPI package name to its source repository
// by fetching the package's JSON document from the PyPI API and handing the body
// to findGitRepositoryInPYPIResponse.
func fetchGitRepositoryFromPYPI(packageName string, manager pmc.Client) (string, error) {
	pypiSearchURL := "https://pypi.org/pypi/%s/json"
	resp, err := manager.Get(pypiSearchURL, packageName)
	if err != nil {
		return "", sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("failed to get pypi package json: %v", err))
	}

	defer resp.Body.Close()
	return findGitRepositoryInPYPIResponse(packageName, resp.Body)
}

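The function above hands the PyPI JSON body to findGitRepositoryInPYPIResponse, which this page does not show. What follows is an added example, not Scorecard's own code, of how that lookup can be done against the document served at https://pypi.org/pypi/<name>/json: it decodes only info.project_urls and info.home_page, and accepts a candidate only when its host is exactly github.com. The function names (findGitHubRepoInPyPIJSON, normalizeGitHubRepo), the label preference order and the sample responses are assumptions constructed for this example.

```go
package main

// Added example, not Scorecard's own code: parse the document served at
// https://pypi.org/pypi/<name>/json (the pypiSearchURL above) and pick out the
// GitHub repository it declares. The lookup order is an assumption made here.

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/url"
	"sort"
	"strings"
)

// pypiResponse models only the PyPI JSON API fields this lookup needs.
type pypiResponse struct {
	Info struct {
		HomePage    string            `json:"home_page"`
		ProjectURLs map[string]string `json:"project_urls"`
	} `json:"info"`
}

var errNoGitHubRepo = errors.New("no GitHub repository URL in PyPI metadata")

// preferredKeys are project_urls labels that usually point at the source tree;
// they are consulted before any other label.
var preferredKeys = []string{"Source", "Source Code", "Repository", "Code"}

// normalizeGitHubRepo returns "owner/repo" when raw is an http(s) URL whose host
// is exactly github.com and whose path has owner and repository segments. A ".git"
// suffix and deeper paths (/issues, /tree/main) are dropped; any other host,
// including look-alikes such as github.com.evil.example, yields ok=false.
func normalizeGitHubRepo(raw string) (repo string, ok bool) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || (u.Scheme != "https" && u.Scheme != "http") {
		return "", false
	}
	if !strings.EqualFold(u.Hostname(), "github.com") {
		return "", false
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) < 2 || parts[0] == "" {
		return "", false
	}
	if name := strings.TrimSuffix(parts[1], ".git"); name != "" {
		return parts[0] + "/" + name, true
	}
	return "", false
}

// findGitHubRepoInPyPIJSON decodes a PyPI package JSON document and returns the
// first GitHub repository it declares: preferred project_urls labels first,
// then every label in sorted order, then home_page.
func findGitHubRepoInPyPIJSON(r io.Reader) (string, error) {
	var resp pypiResponse
	if err := json.NewDecoder(r).Decode(&resp); err != nil {
		return "", fmt.Errorf("decoding PyPI JSON: %w", err)
	}
	labels := make([]string, 0, len(resp.Info.ProjectURLs))
	for k := range resp.Info.ProjectURLs {
		labels = append(labels, k)
	}
	sort.Strings(labels) // map iteration order is random; sort for determinism
	order := append(append([]string{}, preferredKeys...), labels...)
	candidates := make([]string, 0, len(order)+1)
	for _, k := range order {
		if v, found := resp.Info.ProjectURLs[k]; found {
			candidates = append(candidates, v)
		}
	}
	candidates = append(candidates, resp.Info.HomePage)
	for _, c := range candidates {
		if repo, ok := normalizeGitHubRepo(c); ok {
			return repo, nil
		}
	}
	return "", errNoGitHubRepo
}

// Constructed sample responses (not real packages) in the shape PyPI returns.
const samplePyPIJSON = `{"info": {
  "home_page": "https://example.invalid/docs",
  "project_urls": {
    "Bug Tracker": "https://github.com/example-org/example-pkg/issues",
    "Source": "https://github.com/example-org/example-pkg.git"}}}`

const sampleNoGitHubJSON = `{"info": {
  "home_page": "https://gitlab.com/example-org/example-pkg",
  "project_urls": {"Homepage": "https://example.invalid"}}}`

func main() {
	for _, doc := range []string{samplePyPIJSON, sampleNoGitHubJSON} {
		repo, err := findGitHubRepoInPyPIJSON(strings.NewReader(doc))
		fmt.Printf("repo=%q err=%v\n", repo, err)
	}
}
```

The strict host comparison is the part worth keeping: the repository URL is publisher-supplied metadata, so without it a look-alike host or a URL that merely contains "github.com" in its path would be scored as if it were the project's real repository. Even with the check, a score obtained through the PyPI flag describes the repository the package claims to come from, not the uploaded artifact itself; a mismatch between the two is a signal a reviewer should follow up on rather than something the score can reveal.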
// Gets the GitHub repository URL for the rubygems package.
✨ add --nuget package manager flag (#3020)
* add nuget package manager
Signed-off-by: Avishay <avishay.balter@gmail.com>
* fix pat test messages (#2987)
* also fix pat tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0
Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0)
---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump cloud.google.com/go/bigquery from 1.51.1 to 1.51.2 (#2984)
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.51.1 to 1.51.2.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.51.1...bigquery/v1.51.2)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.0 to 0.9.1
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.0 to 0.9.1.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.0...v0.9.1)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :bug: Update osv-scanner dependency to include Vulnerabilities check fixes (#2981)
* Update osv-scanner dependency to include Vulnerabilities check fixes
Signed-off-by: Laurent Savaëte <laurent@where.tf>
* Run go mod tidy
Signed-off-by: Laurent Savaëte <laurent@where.tf>
---------
Signed-off-by: Laurent Savaëte <laurent@where.tf>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/docker/distribution in /tools (#2993)
Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible.
- [Release notes](https://github.com/docker/distribution/releases)
- [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2)
---
updated-dependencies:
- dependency-name: github.com/docker/distribution
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🌱 Gitlab: e2e test fixes in main (#2992)
* test secret chagnes
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update score
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* address cr comments
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests log/log.go (#2980)
- Add unit tests for the log package
- Add Apache License to log_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/cloudflare/circl in /tools (#2995)
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.2.0 to 1.3.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.2.0...v1.3.3)
---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :sparkles: Add releasing workflow for semantic-release (#2989)
Signed-off-by: Matt Travi <programmer@travi.org>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0
Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/slsa-framework/slsa-verifier/releases)
- [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md)
- [Commits](https://github.com/slsa-framework/slsa-verifier/compare/v2.2.0...v2.3.0)
---
updated-dependencies:
- dependency-name: slsa-framework/slsa-verifier
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#2994)
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3)
---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)
* :seedling: Additional e2e clients/githubrepo/checkruns.go
- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Based on code review comments
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Some tweaks
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: E2E for clients/githubrepo/contributors.go (#2939)
* :seedling: E2E for clients/githubrepo/contributors.go
- Add an end-to-end test for `contributorsHandler`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed based on code review comments.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed code review comment.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: Clarify that AI/ML doesn't count as human code review (#2953)
* Clarify that AI/ML doesn't count as human code review
Add this clarification per the Scorecards Zoom call meeting today
(2023-05-04).
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
* Tweaked per review
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
---------
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/controller
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/worker
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e`
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/webhook
Bumps golang from `31a8f92` to `685a22e`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Clarify AI/ML not human code review - in .yml file (#3012)
This clarifies that AI/ML doesn't count as human code review.
This was earlier done in #2953 but that didn't modify the relevant
.yml file - this does.
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005)
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0)
---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for checks/raw/maintained.go (#2996)
- Add tests and checks for the `Maintained` function
- Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/894ff025c7b54547a9a2a1e9f228beae737ad3c2...eaaf4bedf32dbdc6b720b63067d99c4d77d6047d)
---
updated-dependencies:
- dependency-name: codecov/codecov-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for Policy.go (#3003)
- Included tests for policy.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/204a51a57a74d190b284a0ce69b44bc37201f343...03d0fecf172873164a163bbc64bed0f3bf114ed7)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/go-containerregistry (#3025)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2)
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Included e2e tests for push to main (#2951)
- Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Included directories that don't require coverage (#3002)
- Included directories that don't require coverage.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for checks/raw/contributors.go (#2998)
- Add tests and fix casing for Contributors function in checks/raw/contributors_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ GitLab: Code Review check (#2764)
* Add GitLab support for Code-Review check
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove spurious printf
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* e2e test
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update: test coverage
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* gitlab: license check (#2834)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031)
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/osv-scanner
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/commits/v1.3.3)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/03d0fecf172873164a163bbc64bed0f3bf114ed7...dd6b2e2b610a11fd73dd187a43d57cc1394e35f9)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump arduino/setup-protoc from 1.1.2 to 1.2.0
Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/64c0c85d18e984422218383b81c52f8b077404d3...4b3578161eece2eb20a9dfd84bb8ed105e684dba)
---
updated-dependencies:
- dependency-name: arduino/setup-protoc
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :sparkles: Add support for github GHES (#2999)
* :sparkles: adding support for github GHES
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: lint and cleanup
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: flaky test
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: address missing host
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: lint error
Signed-off-by: Niket Patel <patelniket@gmail.com>
* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)
* :seedling: Additional e2e clients/githubrepo/checkruns.go
- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Based on code review comments
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Some tweaks
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniket@gmail.com>
* :seedling: E2E for clients/githubrepo/contributors.go (#2939)
* :seedling: E2E for clients/githubrepo/contributors.go
- Add an end-to-end test for `contributorsHandler`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed based on code review comments.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed code review comment.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniket@gmail.com>
* chore: add GHES instructions
Signed-off-by: Niket Patel <patelniket@gmail.com>
* refact: use test setenv
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: corp unit test
Signed-off-by: Niket Patel <patelniket@gmail.com>
---------
Signed-off-by: Niket Patel <patelniket@gmail.com>
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniketm@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Change Facilitators to Maintainers (#3039)
Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS.
Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder.
Signed-off-by: Jeff Mendoza <jlm@jlm.name>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :bug: Gitlab: Commit/Committer Exceptions (#3026)
* feat: Added paging for contributor/users against gitlab projects
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated the bot flag for unmatched users
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Not all commit users are in the git registry instance
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char.
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Updated to allow for commits with PRs to be accounted/added to the client.commits
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated to prevent linting issue regarding nested ifs
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Adding coverage for commits and contributors for gitlab
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Moved queries from the client to their own functions
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Need to pass the ProjectID value to the contributor query
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updating project title versus projectID values for api querying
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Updated tests to match expected property set for projectID
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* revert: Reverted based on feedback during review
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
---------
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: Make all StepSecurity app endpoint references consistent (#3042)
Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 📖 Update checks.md to show the benefit of >=2 reviewers (#3013)
* Update checks.yaml instead of checks.md
Signed-off-by: Joyce <joycebrum@google.com>
* feat: generate checks.md
Signed-off-by: Joyce Brum <joycebrum@google.com>
---------
Signed-off-by: Joyce <joycebrum@google.com>
Signed-off-by: Joyce Brum <joycebrum@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Improve workflow pinning remediation tests (#3021)
- Add 3 tests for workflow pinning remediation
[remediation/remediations_test.go]
- Add 3 tests for workflow pinning remediation
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go (#3000)
* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go
- Included e2e tests for clients/githubrepo/languages_e2e_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed the token type check.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for pkg/json_raw_results (#3044)
* :seedling: Unit tests for pkg/json_raw_results.go
- Unit tests for pkg/json_raw_results.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Additional tests
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* add zoom link and agenda link (#3050)
Signed-off-by: Amanda L Martin <hythloda@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Run E2E PAT test for push to main (#3046)
- Add E2E PAT tests for push to main.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Update main.yml (#3054)
- Fixed the YAML indenting issue.
Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* only run e2e pat on push (#3056)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: :ghost: fix anchor link to the code review section (#3058)
* fix anchor link to code-review in checks.yaml
Signed-off-by: dasfreak <dasfreak@users.noreply.github.com>
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
* generate checks.md
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
---------
Signed-off-by: dasfreak <dasfreak@users.noreply.github.com>
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 Gitlab: Tests (#3027)
* fix tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* use projectID instead of project where applicable
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* pass ref as listcommitoption
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update tests
* CI-Tests: check if score > 0. The pull request client is limited and can't
go back to arbitrary pull requests. CI-Tests don't run on forks, so this
can't be pinned either. But, for active repositories, we typically
expect *some* tests to be run.
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* fix commitshandler commitSHA tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/goreleaser/nfpm/v2 in /tools (#3060)
Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0.
- [Release notes](https://github.com/goreleaser/nfpm/releases)
- [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml)
- [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0)
---
updated-dependencies:
- dependency-name: github.com/goreleaser/nfpm/v2
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ Gitlab: Add projects to cron (#2936)
* cron: add gitlab projects
* support gitlab client
* simplify gitlab detection
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* fix MakeGitlabRepo
* shortcut when repo url is github.com
* fixes add-projects, validate-projects
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Move gitlab repos to release controller
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add csv headers
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Use gitlab.WithBaseURL
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* formatting & logging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* remove spurious test
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* consolidate logic
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Turn on experimental flag
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add projects
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update client
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Simplify caching in docker workflow (#3061)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...f0e3dfb30302f8a0881bb509b044e0de4f6ef589)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065)
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 gitlab: cron (#3070)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/f0e3dfb30302f8a0881bb509b044e0de4f6ef589...0225834cc549ee0ca93cb085b92954821a145866)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/b2d17f51244a144849c6b37a3a6791b98a51d86f...25eaddf37ae893cec889065e9a60439c8af6f089)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 Gitlab status updates (#3052)
* doc: Updating gitlab support validation status
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updated logic for gitlab to prevent exceptions based on releases
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Added initial tests for gitlab branches
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* doc: Updated general README
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Cleaned up the query for pipelines to be focused on the commitID
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* feat: Allowed for a non-graphql method of retrieving MRs associated to a commit
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* doc: Updated status for the CI-Tests
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository.
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
---------
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079)
Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0.
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0)
---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* get nuget latest version from registration URL
Signed-off-by: Avishay <avishay.balter@gmail.com>
* better coverage
Signed-off-by: Avishay <avishay.balter@gmail.com>
* sign
Signed-off-by: Avishay <avishay.balter@gmail.com>
* fix tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* more tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* client tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* lint
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Apply suggestions from code review
Co-authored-by: Joel Verhagen <joel.verhagen@gmail.com>
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` (#3080)
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/cii
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/controller
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/worker
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/webhook
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/bq
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089)
Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/4b3578161eece2eb20a9dfd84bb8ed105e684dba...149f6c87b92550901b26acd1632e11c3662e381f)
---
updated-dependencies:
- dependency-name: arduino/setup-protoc
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/25eaddf37ae893cec889065e9a60439c8af6f089...cf4fe8759a45edd76ed6215da3529d2dbd2a3c68)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr iteration 2
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr iteration 3
Signed-off-by: Avishay <avishay.balter@gmail.com>
* switch security policy e2e test to ossf-tests repo. (#3090)
tensorflow/tensorflow is huge and was slowing down tests.
Also removed the rust e2e tests because they're already present as unit tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/cf4fe8759a45edd76ed6215da3529d2dbd2a3c68...5978e5a2df95ef20cde627d4acb5edd1f87ba46a)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0)
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.1 to 0.9.2
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ GitLab: enable more checks in cron (#3097)
* Enable checks
* Binary-Artifacts
* Code-Review
* License
* Vulnerabilities
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Enable more checks
* CII Best Practices
* Fuzzing
* Maintained
* Packaging
* Pinned-Dependencies
* Signed-Releases
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update repo name
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: agenda link change (#3111)
Signed-off-by: Amanda L Martin <hythloda@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5978e5a2df95ef20cde627d4acb5edd1f87ba46a...5d2fcdb4cbef720a52f49fd05d8c7edd18a64758)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.2 to 0.9.3
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for option (#3109)
- Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format
- Add tests for checks to run and format flags
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🌱 GitLab: add gitlab auth token to cron worker env (#3117)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Don't run pat e2e on dependabot merges (#3119)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ Detect fast-check PBT library for fuzz section (#3073)
* ✨ Detect fast-check PBT library for fuzz section
As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution.
I also adapted the documentation related to fuzzing accordingly.
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
* Typo
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
* Update missing md files
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
---------
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: temporarily disable failing e2e tests so we don't block all PRs. (#3130)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr comments
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121)
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Ignore all pb files for test (#3127)
- Update .codecov.yml to ignore additional files
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Deprecate dependencydiff package and add access token requirement (#3125)
- Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function
- Add a line to the `.codecov.yml` to ignore the `dependencydiff` package
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ [experimental] Support for new `--format probe` (#3048)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump distroless/base (#3122)
Bumps distroless/base from `10985f0` to `c623859`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Ignore deprecation warning for dependencydiff tests. (#3136)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.15 to 36.0.18
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5d2fcdb4cbef720a52f49fd05d8c7edd18a64758...07e0177b72d3640efced741cae32f9861eee1367)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139)
Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0)
---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Increase test coverage for finding outcomes (#3142)
* Increase test coverage for finding outcomes
- Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Updates based on Codereview
- Update `Outcome` variable in `finding/finding_test.go`
- Add `t.Parallel()` for test parallelization
- Add comparison using `cmp.Diff` to test for mismatches
- Update test cases for various outcomes
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/07e0177b72d3640efced741cae32f9861eee1367...fb20f4d24890fadc539505b1746d260504b213d0)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144)
* re-enable skipped ci test
Signed-off-by: Spencer Schrock <sschrock@google.com>
* re-enable skipped attestor test. switch to ossf-tests repo
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove extra policies from tests that only look at code review.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove unneeded policies from binary artifact tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* add license header
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr comments
Signed-off-by: Avishay <avishay.balter@gmail.com>
* making the packages internal
Signed-off-by: Avishay <avishay.balter@gmail.com>
* generate mocks
Signed-off-by: Avishay <avishay.balter@gmail.com>
---------
Signed-off-by: Avishay <avishay.balter@gmail.com>
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
func fetchGitRepositoryFromRubyGems(packageName string, manager pmc.Client) (string, error) {
	// RubyGems publishes gem metadata, including the maintainer-supplied
	// source_code_uri, at /api/v1/gems/<name>.json. The registry does not
	// verify that this URI points at the gem's real source, so callers treat
	// it as a hint to be validated, not as proof of provenance.
	rubyGemsSearchURL := "https://rubygems.org/api/v1/gems/%s.json"
	resp, err := manager.Get(rubyGemsSearchURL, packageName)
	if err != nil {
		return "", sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("failed to get ruby gem json: %v", err))
	}
	defer resp.Body.Close()
	v := &rubyGemsSearchResults{}
	err = json.NewDecoder(resp.Body).Decode(v)
	if err != nil {
		return "", sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("failed to parse ruby gem json: %v", err))
	}
	if v.SourceCodeURI == "" {
		// err is nil at this point, so report the gem name instead of
		// formatting a "<nil>" error into the message.
		return "", sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("could not find source repo for ruby gem: %s", packageName))
	}
	return v.SourceCodeURI, nil
}
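The function above returns whatever `source_code_uri` the gem's maintainer published. Because that field is self-reported registry metadata, a consumer should validate and normalize it before treating it as the repository to assess. The following is an added, self-contained example (not Scorecard's own code): it decodes a constructed gem JSON document in the shape of the RubyGems `/api/v1/gems/<name>.json` response, falls back from `source_code_uri` to `homepage_uri`, and accepts only `https` URLs on github.com or gitlab.com whose path is exactly `owner/repo`. The type and function names (`gemMetadata`, `repoFromGemJSON`, `normalizeRepoURL`), the sample JSON, and the choice of accepted hosts are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// gemMetadata mirrors the two URL fields of the RubyGems
// /api/v1/gems/<name>.json response used here (illustrative subset).
type gemMetadata struct {
	SourceCodeURI string `json:"source_code_uri"`
	HomepageURI   string `json:"homepage_uri"`
}

// errNoRepo is returned when neither URL field names a usable repository.
var errNoRepo = errors.New("no usable source repository URL in gem metadata")

// sampleGemJSON is a constructed document in the shape of the RubyGems
// gem endpoint response; it is not real API output.
const sampleGemJSON = `{"name":"example-gem","version":"1.0.0",` +
	`"homepage_uri":"https://example.org/gem",` +
	`"source_code_uri":"https://github.com/example-org/example-gem.git"}`

// repoFromGemJSON decodes gem metadata and returns a normalized
// "host/owner/repo" string. It prefers source_code_uri and falls back to
// homepage_uri, because many gems only set the latter.
func repoFromGemJSON(body []byte) (string, error) {
	var m gemMetadata
	if err := json.Unmarshal(body, &m); err != nil {
		return "", fmt.Errorf("parse gem json: %w", err)
	}
	for _, candidate := range []string{m.SourceCodeURI, m.HomepageURI} {
		if repo, ok := normalizeRepoURL(candidate); ok {
			return repo, nil
		}
	}
	return "", errNoRepo
}

// normalizeRepoURL accepts only https URLs on github.com or gitlab.com whose
// path is exactly owner/repo (a trailing "/" or ".git" is stripped). Plain
// http, embedded credentials, other hosts, nested GitLab groups and deep links
// into a repository are rejected rather than guessed at.
func normalizeRepoURL(raw string) (string, bool) {
	if raw == "" {
		return "", false
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.User != nil {
		return "", false
	}
	host := strings.ToLower(u.Hostname())
	if host != "github.com" && host != "gitlab.com" {
		return "", false
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) != 2 {
		return "", false
	}
	owner, repo := parts[0], strings.TrimSuffix(parts[1], ".git")
	if owner == "" || repo == "" {
		return "", false
	}
	return host + "/" + owner + "/" + repo, true
}

func main() {
	repo, err := repoFromGemJSON([]byte(sampleGemJSON))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("repository to assess:", repo)
}
```

Rejecting deep links and nested groups instead of truncating them is deliberate: a wrong but plausible `owner/repo` would silently score the wrong project, whereas an explicit failure is visible to the operator. Extend `normalizeRepoURL` if your deployment needs monorepo subpaths or self-hosted forges.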
---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for checks/raw/maintained.go (#2996)
- Add tests and checks for the `Maintained` function
- Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/894ff025c7b54547a9a2a1e9f228beae737ad3c2...eaaf4bedf32dbdc6b720b63067d99c4d77d6047d)
---
updated-dependencies:
- dependency-name: codecov/codecov-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for Policy.go (#3003)
- Included tests for policy.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/204a51a57a74d190b284a0ce69b44bc37201f343...03d0fecf172873164a163bbc64bed0f3bf114ed7)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/go-containerregistry (#3025)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2)
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Included e2e tests for push to main (#2951)
- Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Included directories that don't require coverage (#3002)
- Included directories that don't require coverage.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for checks/raw/contributors.go (#2998)
- Add tests and fix casing for Contributors function in checks/raw/contributors_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ GitLab: Code Review check (#2764)
* Add GitLab support for Code-Review check
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove spurious printf
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* e2e test
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update: test coverage
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* gitlab: license check (#2834)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031)
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/osv-scanner
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/commits/v1.3.3)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/03d0fecf172873164a163bbc64bed0f3bf114ed7...dd6b2e2b610a11fd73dd187a43d57cc1394e35f9)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump arduino/setup-protoc from 1.1.2 to 1.2.0
Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/64c0c85d18e984422218383b81c52f8b077404d3...4b3578161eece2eb20a9dfd84bb8ed105e684dba)
---
updated-dependencies:
- dependency-name: arduino/setup-protoc
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :sparkles: Add support for github GHES (#2999)
* :sparkles: adding support for github GHES
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: lint and cleanup
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: flaky test
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: address missing host
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: lint error
Signed-off-by: Niket Patel <patelniket@gmail.com>
* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)
* :seedling: Additional e2e clients/githubrepo/checkruns.go
- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Based on code review comments
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Some tweaks
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniket@gmail.com>
* :seedling: E2E for clients/githubrepo/contributors.go (#2939)
* :seedling: E2E for clients/githubrepo/contributors.go
- Add an end-to-end test for `contributorsHandler`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed based on code review comments.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed codereview comment.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniket@gmail.com>
* chore: add GHES instructions
Signed-off-by: Niket Patel <patelniket@gmail.com>
* refact: use test setenv
Signed-off-by: Niket Patel <patelniket@gmail.com>
* fix: corp unit test
Signed-off-by: Niket Patel <patelniket@gmail.com>
---------
Signed-off-by: Niket Patel <patelniket@gmail.com>
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Niket Patel <patelniketm@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Change Facilitators to Maintainers (#3039)
Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS.
Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder.
Signed-off-by: Jeff Mendoza <jlm@jlm.name>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :bug: Gitlab: Commit/Committer Exceptions (#3026)
* feat: Added paging for contributor/users against gitlab projects
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated the bot flag for unmatched users
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Not all commit users are in the git registry instance
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char.
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* fix: Updated to allow for commits with PRs to be accounted/added to the client.commits
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated to prevent linting issue regarding nested ifs
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Adding coverage for commits and contributors for gitlab
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Moved queries from the client to their own functions
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Need to pass the ProjectID value to the contributor query
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updating project title versus projectID values for api querying
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Updated tests to match expected property set for projectID
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* revert: Reverted based on feedback during review
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
---------
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: Make all StepSecurity app endpoint references consistent (#3042)
Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 📖 Update checks.md to show the benefit of >=2 reviewers (#3013)
* Update checks.yaml instead of checks.md
Signed-off-by: Joyce <joycebrum@google.com>
* feat: generate checks.md
Signed-off-by: Joyce Brum <joycebrum@google.com>
---------
Signed-off-by: Joyce <joycebrum@google.com>
Signed-off-by: Joyce Brum <joycebrum@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Improve workflow pinning remediation tests (#3021)
- Add 3 tests for workflow pinning remediation
[remediation/remediations_test.go]
- Add 3 tests for workflow pinning remediation
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go (#3000)
* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go
- Included e2e tests for clients/githubrepo/languages_e2e_test.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed the token type check.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for pkg/json_raw_results (#3044)
* :seedling: Unit tests for pkg/json_raw_results.go
- Unit tests for pkg/json_raw_results.go
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Additional tests
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* add zoom link and agenda link (#3050)
Signed-off-by: Amanda L Martin <hythloda@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Run E2E PAT test for push to main (#3046)
- Add E2E PAT tests for push to main.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Update main.yml (#3054)
- Fixed the YAML indenting issue.
Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* only run e2e pat on push (#3056)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: :ghost: fix anchor link to the code review section (#3058)
* fix anchor link to code-review in checks.yaml
Signed-off-by: dasfreak <dasfreak@users.noreply.github.com>
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
* generate checks.md
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
---------
Signed-off-by: dasfreak <dasfreak@users.noreply.github.com>
Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 Gitlab: Tests (#3027)
* fix tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* use projectID instead of project where applicable
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* pass ref as listcommitoption
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update tests
* CI-Tests: check if score > 0. pull request client is limited and can't
go back to arbitrary pull requests. CI-Tests don't run on forks, so this
can't be pinned either. But, for active repositories, we typically
expect *some* tests to be run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* fix commitshandler commitSHA tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/goreleaser/nfpm/v2 in /tools (#3060)
Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0.
- [Release notes](https://github.com/goreleaser/nfpm/releases)
- [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml)
- [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0)
---
updated-dependencies:
- dependency-name: github.com/goreleaser/nfpm/v2
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ Gitlab: Add projects to cron (#2936)
* cron: add gitlab projects
* support gitlab client
* simplify gitlab detection
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* fix MakeGitlabRepo
* shortcut when repo url is github.com
* fixes add-projects, validate-projects
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Move gitlab repos to release controller
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add csv headers
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Use gitlab.WithBaseURL
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* formatting & logging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* remove spurious test
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* consolidate logic
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Turn on experimental flag
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add projects
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update client
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Simplify caching in docker workflow (#3061)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...f0e3dfb30302f8a0881bb509b044e0de4f6ef589)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065)
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 gitlab: cron (#3070)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/f0e3dfb30302f8a0881bb509b044e0de4f6ef589...0225834cc549ee0ca93cb085b92954821a145866)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/b2d17f51244a144849c6b37a3a6791b98a51d86f...25eaddf37ae893cec889065e9a60439c8af6f089)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🐛 Gitlab status updates (#3052)
* doc: Updating gitlab support validation status
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updated logic for gitlab to prevent exceptions based on releases
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Added initial tests for gitlab branches
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* doc: Updated general README
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Cleaned up the query for pipelines to be focused on the commitID
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* feat: Allowed for a non-graphql method of retrieving MRs associated to a commit
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* doc: Updated status for the CI-Tests
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository.
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
---------
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079)
Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0.
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0)
---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* get nuget latest version from registration URL
Signed-off-by: Avishay <avishay.balter@gmail.com>
* better coverage
Signed-off-by: Avishay <avishay.balter@gmail.com>
* sign
Signed-off-by: Avishay <avishay.balter@gmail.com>
* fix tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* more tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* client tests
Signed-off-by: Avishay <avishay.balter@gmail.com>
* lint
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Apply suggestions from code review
Co-authored-by: Joel Verhagen <joel.verhagen@gmail.com>
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` (#3080)
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/cii
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/controller
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/worker
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang in /cron/internal/webhook
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/bq
Bumps golang from `685a22e` to `690e413`.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089)
Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/4b3578161eece2eb20a9dfd84bb8ed105e684dba...149f6c87b92550901b26acd1632e11c3662e381f)
---
updated-dependencies:
- dependency-name: arduino/setup-protoc
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/25eaddf37ae893cec889065e9a60439c8af6f089...cf4fe8759a45edd76ed6215da3529d2dbd2a3c68)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr iteration 2
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr iteration 3
Signed-off-by: Avishay <avishay.balter@gmail.com>
* switch security policy e2e test to ossf-tests repo. (#3090)
tensorflow/tensorflow is huge and was slowing down tests.
Also removed the rust e2e tests because they're already present as unit tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/cf4fe8759a45edd76ed6215da3529d2dbd2a3c68...5978e5a2df95ef20cde627d4acb5edd1f87ba46a)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0)
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.1 to 0.9.2
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ GitLab: enable more checks in cron (#3097)
* Enable checks
* Binary-Artifacts
* Code-Review
* License
* Vulnerabilities
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Enable more checks
* CII Best Practices
* Fuzzing
* Maintained
* Packaging
* Pinned-Dependencies
* Signed-Releases
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* update repo name
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :book: agenda link change (#3111)
Signed-off-by: Amanda L Martin <hythloda@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5978e5a2df95ef20cde627d4acb5edd1f87ba46a...5d2fcdb4cbef720a52f49fd05d8c7edd18a64758)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.9.2 to 0.9.3
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Unit tests for option (#3109)
- Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format
- Add tests for checks to run and format flags
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* 🌱 GitLab: add gitlab auth token to cron worker env (#3117)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Don't run pat e2e on dependabot merges (#3119)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ Detect fast-check PBT library for fuzz section (#3073)
* ✨ Detect fast-check PBT library for fuzz section
As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution.
I also adapted the documentation related to fuzzing accordingly.
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
* Typo
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
* Update missing md files
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
---------
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: temporarily disable failing e2e tests so we don't block all PRs. (#3130)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr comments
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121)
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Ignore all pb files for test (#3127)
- Update .codecov.yml to ignore additional files
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Deprecate dependencydiff package and add access token requirement (#3125)
- Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function
- Add a line to the `.codecov.yml` to ignore the `dependencydiff` package
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ [experimental] Support for new `--format probe` (#3048)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump distroless/base (#3122)
Bumps distroless/base from `10985f0` to `c623859`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Ignore deprecation warning for dependencydiff tests. (#3136)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.15 to 36.0.18
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5d2fcdb4cbef720a52f49fd05d8c7edd18a64758...07e0177b72d3640efced741cae32f9861eee1367)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139)
Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0)
---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Increase test coverage for finding outcomes (#3142)
* Increase test coverage for finding outcomes
- Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Updates based on Codereview
- Update `Outcome` variable in `finding/finding_test.go`
- Add `t.Parallel()` for test parallelization
- Add comparison using `cmp.Diff` to test for mismatches
- Update test cases for various outcomes
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/07e0177b72d3640efced741cae32f9861eee1367...fb20f4d24890fadc539505b1746d260504b213d0)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* :seedling: Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144)
* re-enable skipped ci test
Signed-off-by: Spencer Schrock <sschrock@google.com>
* re-enable skipped attestor test. switch to ossf-tests repo
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove extra policies from tests that only look at code review.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove unneeded policies from binary artifact tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* add license header
Signed-off-by: Avishay <avishay.balter@gmail.com>
* pr comments
Signed-off-by: Avishay <avishay.balter@gmail.com>
* making the packages internal
Signed-off-by: Avishay <avishay.balter@gmail.com>
* generate mocks
Signed-off-by: Avishay <avishay.balter@gmail.com>
---------
Signed-off-by: Avishay <avishay.balter@gmail.com>
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
2023-06-16 02:13:41 +03:00
// Gets the GitHub repository URL for the nuget package.
func fetchGitRepositoryFromNuget(packageName string, nugetClient ngt.Client) (string, error) {
	repositoryURI, err := nugetClient.GitRepositoryByPackageName(packageName)
	if err != nil {
		return "", sce.WithMessage(sce.ErrScorecardInternal,
			fmt.Sprintf("could not find source repo for nuget package: %v", err))
	}
	return repositoryURI, nil
}
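Added example (not Scorecard's own code): a stand-alone Go version of this lookup driven by a constructed in-memory fake of the NuGet client, with the sce error wrapping replaced by a plain sentinel, plus a normalization step that checks the publisher-supplied repository URL is an https github.com owner/repo before it is handed on. The names nugetClient, fakeNugetClient, errScorecardInternal and normalizeGitHubRepo, and the sample package and URL, are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// errScorecardInternal stands in for sce.ErrScorecardInternal (assumption: same role).
var errScorecardInternal = errors.New("internal error")

// nugetClient mirrors the one method the page's ngt.Client is called with.
type nugetClient interface {
	GitRepositoryByPackageName(packageName string) (string, error)
}

// fakeNugetClient is a constructed in-memory stand-in for the real NuGet API client.
type fakeNugetClient struct{ repos map[string]string }

func (c fakeNugetClient) GitRepositoryByPackageName(name string) (string, error) {
	repo, ok := c.repos[strings.ToLower(name)] // NuGet package IDs are case-insensitive
	if !ok {
		return "", fmt.Errorf("package %q has no repository metadata", name)
	}
	return repo, nil
}

// fetchGitRepositoryFromNuget resolves the package's repository URL and wraps
// failures in a sentinel, as the page's function does with sce.ErrScorecardInternal,
// so callers can match on the error kind with errors.Is.
func fetchGitRepositoryFromNuget(packageName string, client nugetClient) (string, error) {
	repositoryURI, err := client.GitRepositoryByPackageName(packageName)
	if err != nil {
		return "", fmt.Errorf("%w: could not find source repo for nuget package: %v",
			errScorecardInternal, err)
	}
	return repositoryURI, nil
}

// normalizeGitHubRepo reduces a metadata-provided repository URL to github.com/owner/repo.
// Package metadata is publisher-controlled, so the scheme, host and path shape are
// checked before the value reaches anything that will clone or query it.
func normalizeGitHubRepo(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || !strings.EqualFold(u.Host, "github.com") {
		return "", fmt.Errorf("not an https github.com URL: %q", raw)
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) < 2 || parts[0] == "" || parts[1] == "" {
		return "", fmt.Errorf("missing owner/repo in %q", raw)
	}
	return "github.com/" + parts[0] + "/" + strings.TrimSuffix(parts[1], ".git"), nil
}

func main() {
	// Constructed sample metadata; the package and URL are not real.
	client := fakeNugetClient{repos: map[string]string{
		"example.package": "https://github.com/example-org/example-repo.git",
	}}
	for _, name := range []string{"Example.Package", "Does.Not.Exist"} {
		uri, err := fetchGitRepositoryFromNuget(name, client)
		if err != nil {
			fmt.Println(name, "->", err)
			continue
		}
		repo, err := normalizeGitHubRepo(uri)
		fmt.Println(name, "->", repo, err)
	}
}
```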