scorecard/Makefile

459 lines
21 KiB
Makefile
Raw Normal View History

SHELL := /bin/bash
GIT_HASH := $(shell git rev-parse HEAD)
GIT_VERSION ?= $(shell git describe --tags --always --dirty)
SOURCE_DATE_EPOCH=$(shell git log --date=iso8601-strict -1 --pretty=%ct)
IMAGE_NAME = scorecard
2021-02-25 22:51:57 +03:00
OUTPUT = output
PLATFORM="linux/amd64,linux/arm64,linux/386,linux/arm"
LDFLAGS=$(shell ./scripts/version-ldflags)
############################### make help #####################################
.PHONY: help
help: ## Display this help
@awk 'BEGIN {FS = ":.*##"; \
printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ \
{ printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } \
/^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
###############################################################################
##@ Tools
################################ make install #################################
TOOLS_DIR := tools
TOOLS_BIN_DIR := $(abspath $(TOOLS_DIR)/bin)
GOBIN := $(shell go env GOBIN)
# Golang binaries.
GOLANGCI_LINT := $(TOOLS_BIN_DIR)/golangci-lint
$(GOLANGCI_LINT): $(TOOLS_DIR)/go.mod
cd $(TOOLS_DIR); GOBIN=$(TOOLS_BIN_DIR) go install github.com/golangci/golangci-lint/cmd/golangci-lint
KO := $(TOOLS_BIN_DIR)/ko
$(KO): $(TOOLS_DIR)/go.mod
cd $(TOOLS_DIR); GOBIN=$(TOOLS_BIN_DIR) go install github.com/google/ko
MOCKGEN := $(TOOLS_BIN_DIR)/mockgen
$(MOCKGEN): $(TOOLS_DIR)/go.mod
cd $(TOOLS_DIR); GOBIN=$(TOOLS_BIN_DIR) go install github.com/golang/mock/mockgen
GINKGO := $(TOOLS_BIN_DIR)/ginkgo
$(GINKGO): $(TOOLS_DIR)/go.mod
cd $(TOOLS_DIR); GOBIN=$(TOOLS_BIN_DIR) go install github.com/onsi/ginkgo/v2/ginkgo
GORELEASER := $(TOOLS_BIN_DIR)/goreleaser
$(GORELEASER): $(TOOLS_DIR)/go.mod
cd $(TOOLS_DIR); GOBIN=$(TOOLS_BIN_DIR) go install github.com/goreleaser/goreleaser/v2
PROTOC_GEN_GO := $(TOOLS_BIN_DIR)/protoc-gen-go
$(PROTOC_GEN_GO): $(TOOLS_DIR)/go.mod
cd $(TOOLS_DIR); GOBIN=$(TOOLS_BIN_DIR) go install google.golang.org/protobuf/cmd/protoc-gen-go
# Non-Golang binaries.
# TODO: Figure out how to install these binaries automatically.
PROTOC := $(shell which protoc)
$(PROTOC):
ifeq (,$(PROTOC))
$(error download and install protobuf compiler package - https://developers.google.com/protocol-buffers/docs/downloads)
endif
# Installs required binaries into $(TOOLS_BIN_DIR) wherever possible.
# Keeping a local copy instead of a global install allows for:
# i) Controlling the binary version Scorecard depends on leading to consistent
# behavior across users.
# ii) Avoids installing a whole bunch of otherwise unnecessary tools in the user's workspace.
.PHONY: install
install: ## Installs required binaries.
install: $(GOLANGCI_LINT) \
$(KO) \
$(PROTOC_GEN_GO) $(PROTOC) \
$(MOCKGEN) \
$(GINKGO) \
$(GORELEASER)
###############################################################################
##@ Build
################################## make all ###################################
all: ## Runs build, test and verify
all-targets = build unit-test check-linter validate-docs add-projects validate-projects
.PHONY: all all-targets-update-dependencies $(all-targets) update-dependencies tree-status
all-targets-update-dependencies: $(all-targets) | update-dependencies
all: update-dependencies all-targets-update-dependencies tree-status
update-dependencies: ## Update go dependencies for all modules
# Update root go modules
go mod tidy && go mod verify
cd tools; go mod tidy && go mod verify; cd ../
check-linter: ## Install and run golang linter
check-linter: | $(GOLANGCI_LINT)
# Run golangci-lint linter
$(GOLANGCI_LINT) run -c .golangci.yml
fix-linter: ## Install and run golang linter, with fixes
fix-linter: | $(GOLANGCI_LINT)
# Run golangci-lint linter
$(GOLANGCI_LINT) run -c .golangci.yml --fix
add-projects: ## Adds new projects to ./cron/internal/data/projects.csv and ./cron/internal/data/gitlab-projects.csv
add-projects: ./cron/internal/data/projects.csv | build-add-script
# GitHub
./cron/internal/data/add/add ./cron/internal/data/projects.csv ./cron/internal/data/projects.new.csv
mv ./cron/internal/data/projects.new.csv ./cron/internal/data/projects.csv
# GitLab
./cron/internal/data/add/add ./cron/internal/data/gitlab-projects.csv ./cron/internal/data/gitlab-projects.new.csv
mv ./cron/internal/data/gitlab-projects.new.csv ./cron/internal/data/gitlab-projects.csv
validate-projects: ## Validates ./cron/internal/data/projects.csv
validate-projects: ./cron/internal/data/projects.csv | build-validate-script
# Validate ./cron/internal/data/projects.csv
./cron/internal/data/validate/validate ./cron/internal/data/projects.csv
./cron/internal/data/validate/validate ./cron/internal/data/gitlab-projects.csv
./cron/internal/data/validate/validate ./cron/internal/data/gitlab-projects-releasetest.csv
tree-status: | all-targets-update-dependencies ## Verify tree is clean and all changes are committed
📖 Fix spelling (#3804) * spelling: accurate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: administrator Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: analyze Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: andtwenty Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: ascii Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: association Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: at least Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: attestor Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: barbaric Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: bucket Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: by Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: can Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: case-insensitive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: case-sensitive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: checking Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: command-line Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: commit Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: committed Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: conclusion Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: corresponding Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: created Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dataset Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: default Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: defines Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dependabot Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dependency Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: depending Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: desired Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: different Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: disclose Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: download Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: each Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: enforce Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: every time Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: exist Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: existing Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: fields Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: files Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: for Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: force-push Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: github Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: gitlab Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: ignoreed Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: implementation Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: implements Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: increase Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: indicates Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: initialized Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: instructions Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: invalid Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: marshal Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: match Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: name Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: nonexistent Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: organization Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: package Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: provenance Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: query Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: readers Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: receive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: registered Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: remediate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: representation Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: requests Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: requires Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: return Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: scorecard Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: separator Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: serialization Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: sign up Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: specifications Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: specified Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: success Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: successfully Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: the Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: their Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: twenty Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unexpected Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unused Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unverified Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: validate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vendor Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vulnerabilities Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vulns Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: will Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: without Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: workflow Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: workflows Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --------- Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2024-01-27 02:08:26 +03:00
# Verify the tree is clean and all changes are committed
./scripts/tree-status
###############################################################################
################################## make build #################################
## Build all cron-related targets
build-cron: build-controller build-worker build-cii-worker \
build-shuffler build-bq-transfer build-github-server \
build-webhook build-add-script build-validate-script
✨ CLI for scorecard-attestor (#2309) * Reorganize Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Working commit Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Compile with local scorecard; go mod tidy Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add signing code Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Update deps * Naming * Makefile Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Edit license, add lint.yml Signed-off-by: Raghav Kaul <raghavkaul@google.com> * checks: go mod tidy, license Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * Split into checker/signer files * Naming convention Signed-off-by: Raghav Kaul <raghavkaul@google.com> * License, remove golangci.yml Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * Use cobra Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add tests for root command Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Filter out checks that aren't needed for policy evaluation Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add `make` targets for attestor; submit coverage stats Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Improvements * Use sclog instead of glog * Remove unneeded subcommands * Formatting Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Flags: Make note-name constant and fix messaging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove SupportedRequestTypes Signed-off-by: Raghav Kaul <raghavkaul@google.com> * go mod tidy Signed-off-by: Raghav Kaul <raghavkaul@google.com> * go mod tidy, makefile Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Fix GH actions run Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com>
2022-11-01 21:30:17 +03:00
build-targets = generate-mocks generate-docs build-scorecard build-cron build-proto build-attestor
.PHONY: build $(build-targets)
2021-09-04 18:39:10 +03:00
build: ## Build all binaries and images in the repo.
build: $(build-targets)
build-proto: ## Compiles and generates all required protobufs
build-proto: cron/data/request.pb.go cron/data/metadata.pb.go
cron/data/request.pb.go: cron/data/request.proto | $(PROTOC) $(PROTOC_GEN_GO)
$(PROTOC) --plugin=$(PROTOC_GEN_GO) --go_out=. --go_opt=paths=source_relative cron/data/request.proto
cron/data/metadata.pb.go: cron/data/metadata.proto | $(PROTOC) $(PROTOC_GEN_GO)
$(PROTOC) --plugin=$(PROTOC_GEN_GO) --go_out=. --go_opt=paths=source_relative cron/data/metadata.proto
generate-mocks: ## Compiles and generates all mocks using mockgen.
generate-mocks: clients/mockclients/repo_client.go \
clients/mockclients/repo.go \
clients/mockclients/cii_client.go \
checks/mockclients/vulnerabilities.go \
✨ add --nuget package manager flag (#3020) * add nuget package manager Signed-off-by: Avishay <avishay.balter@gmail.com> * fix pat test messages (#2987) * also fix pat tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0 Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump cloud.google.com/go/bigquery from 1.51.1 to 1.51.2 (#2984) Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.51.1 to 1.51.2. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.51.1...bigquery/v1.51.2) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/tools from 0.9.0 to 0.9.1 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.0 to 0.9.1. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.0...v0.9.1) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :bug: Update osv-scanner dependency to include Vulnerabilities check fixes (#2981) * Update osv-scanner dependency to include Vulnerabilities check fixes Signed-off-by: Laurent Savaëte <laurent@where.tf> * Run go mod tidy Signed-off-by: Laurent Savaëte <laurent@where.tf> --------- Signed-off-by: Laurent Savaëte <laurent@where.tf> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/docker/distribution in /tools (#2993) Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible. - [Release notes](https://github.com/docker/distribution/releases) - [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2) --- updated-dependencies: - dependency-name: github.com/docker/distribution dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Gitlab: e2e test fixes in main (#2992) * test secret chagnes Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update score Signed-off-by: Raghav Kaul <raghavkaul@google.com> * address cr comments Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests log/log.go (#2980) - Add unit tests for the log package - Add Apache License to log_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/cloudflare/circl in /tools (#2995) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.2.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.2.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :sparkles: Add releasing workflow for semantic-release (#2989) Signed-off-by: Matt Travi <programmer@travi.org> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0 Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/slsa-framework/slsa-verifier/releases) - [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md) - [Commits](https://github.com/slsa-framework/slsa-verifier/compare/v2.2.0...v2.3.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-verifier dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#2994) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934) * :seedling: Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: E2E for clients/githubrepo/contributors.go (#2939) * :seedling: E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: Clarify that AI/ML doesn't count as human code review (#2953) * Clarify that AI/ML doesn't count as human code review Add this clarification per the Scorecards Zoom call meeting today (2023-05-04). Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> * Tweaked per review Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> --------- Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/controller Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/worker Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `31a8f92` to `685a22e` Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/webhook Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Clarify AI/ML not human code review - in .yml file (#3012) This clarifies that AI/ML doesn't count as human code review. This was earlier done in #2953 but that didn't modify the relevant .yml file - this does. Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0. - [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for checks/raw/maintained.go (#2996) - Add tests and checks for the `Maintained` function - Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/894ff025c7b54547a9a2a1e9f228beae737ad3c2...eaaf4bedf32dbdc6b720b63067d99c4d77d6047d) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for Policy.go (#3003) - Included tests for policy.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/204a51a57a74d190b284a0ce69b44bc37201f343...03d0fecf172873164a163bbc64bed0f3bf114ed7) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/google/go-containerregistry (#3025) Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1 Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Included e2e tests for push to main (#2951) - Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Included directories that don't require coverage (#3002) - Included directories that don't require coverage. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for checks/raw/contributors.go (#2998) - Add tests and fix casing for Contributors function in checks/raw/contributors_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ GitLab: Code Review check (#2764) * Add GitLab support for Code-Review check Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove spurious printf Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Working commit Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * e2e test Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update: test coverage Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * gitlab: license check (#2834) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/google/osv-scanner Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/commits/v1.3.3) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/03d0fecf172873164a163bbc64bed0f3bf114ed7...dd6b2e2b610a11fd73dd187a43d57cc1394e35f9) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump arduino/setup-protoc from 1.1.2 to 1.2.0 Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0. - [Release notes](https://github.com/arduino/setup-protoc/releases) - [Commits](https://github.com/arduino/setup-protoc/compare/64c0c85d18e984422218383b81c52f8b077404d3...4b3578161eece2eb20a9dfd84bb8ed105e684dba) --- updated-dependencies: - dependency-name: arduino/setup-protoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :sparkles: Add support for github GHES (#2999) * :sparkles: adding support for github GHES Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: lint and cleanup Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: flaky test Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: address missing host Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: lint error Signed-off-by: Niket Patel <patelniket@gmail.com> * :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934) * :seedling: Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniket@gmail.com> * :seedling: E2E for clients/githubrepo/contributors.go (#2939) * :seedling: E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniket@gmail.com> * chore: add GHES instructions Signed-off-by: Niket Patel <patelniket@gmail.com> * refact: use test setenv Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: corp unit test Signed-off-by: Niket Patel <patelniket@gmail.com> --------- Signed-off-by: Niket Patel <patelniket@gmail.com> Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniketm@users.noreply.github.com> Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Change Facilitators to Maintainers (#3039) Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS. Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder. Signed-off-by: Jeff Mendoza <jlm@jlm.name> Signed-off-by: Avishay <avishay.balter@gmail.com> * :bug: Gitlab: Commit/Commitor Exceptions (#3026) * feat: Added paging for contributor/users against gitlab projects Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Updated the bot flag for unmatched users Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Not all commit users are in the git registry instance Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char. Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Updated to allow for commits with PRs to be accounted/added to the client.commits Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Updated to prevent linting issue regarding nested if's Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Adding coverage for commits and contributors for gitlab Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Moved queries from the client to their own functions Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Need to pass the ProjectID value to the contributor query Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updating project title versus projectID values for api querying Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Updated tests to match expected property set for projectID Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * revert: Reverted based on feedback during review Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> --------- Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: Make all StepSecurity app endpoint references consistent (#3042) Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io> Signed-off-by: Avishay <avishay.balter@gmail.com> * 📖 Update checks.md to show the benefit of >=2 reviewers (#3013) * Update checks.yaml instead of cehcks.md Signed-off-by: Joyce <joycebrum@google.com> * feat: generate checks.md Signed-off-by: Joyce Brum <joycebrum@google.com> --------- Signed-off-by: Joyce <joycebrum@google.com> Signed-off-by: Joyce Brum <joycebrum@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Improve workflow pinning remediation tests (#3021) - Add 3 tests for workflow pinning remediation [remediation/remediations_test.go] - Add 3 tests for workflow pinning remediation Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go (#3000) * :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go - Included e2e tests for clients/githubrepo/languages_e2e_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed the token type check. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for pkg/json_raw_results (#3044) * :seedling: Unit tests for pkg/json_raw_results.go - Unit tests for pkg/json_raw_results.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Additional tests Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * add zoom link and agenda link (#3050) Signed-off-by: Amanda L Martin <hythloda@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Run E2E PAT test for push to main (#3046) - Add E2E PAT tests for push to main. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Update main.yml (#3054) -Fixed the YAML indenting issue. Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * only run e2e pat on push (#3056) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: :ghost: fix anchor link to the code review section (#3058) * fix anchor link to code-review in checks.yaml Signed-off-by: dasfreak <dasfreak@users.noreply.github.com> Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> * generate checks.md Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> --------- Signed-off-by: dasfreak <dasfreak@users.noreply.github.com> Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Gitlab: Tests (#3027) * fix tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * use projectID instead of project where applicable Signed-off-by: Raghav Kaul <raghavkaul@google.com> * pass ref as listcommitoption Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update tests * CI-Tests: check if score > 0. pull request client is limited and can't go back to arbitrary pull requests. CI-Tests don't run on forks, so this can't be pinned either. But, for active repositories, we typically expect *some* tests to be run Signed-off-by: Raghav Kaul <raghavkaul@google.com> * fix commitshandler commitSHA tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/goreleaser/nfpm/v2 in /tools (#3060) Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0. - [Release notes](https://github.com/goreleaser/nfpm/releases) - [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml) - [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0) --- updated-dependencies: - dependency-name: github.com/goreleaser/nfpm/v2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Gitlab: Add projects to cron (#2936) * cron: add gitlab projects * support gitlab client * simplify gitlab detection Signed-off-by: Raghav Kaul <raghavkaul@google.com> * fix MakeGitlabRepo * shortcut when repo url is github.com * fixes add-projects, validate-projects Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Move gitlab repos to release controller Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add csv headers Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Use gitlab.WithBaseURL Signed-off-by: Raghav Kaul <raghavkaul@google.com> * formatting & logging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * remove spurious test Signed-off-by: Raghav Kaul <raghavkaul@google.com> * consolidate logic Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Turn on experimental flag Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add projects Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Update client Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Simplify caching in docker workflow (#3061) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...f0e3dfb30302f8a0881bb509b044e0de4f6ef589) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065) Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 gitlab: cron (#3070) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/f0e3dfb30302f8a0881bb509b044e0de4f6ef589...0225834cc549ee0ca93cb085b92954821a145866) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/b2d17f51244a144849c6b37a3a6791b98a51d86f...25eaddf37ae893cec889065e9a60439c8af6f089) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Gitlab status updates (#3052) * doc: Updating gitlab support validation status Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updated logic for gitlab to prevent exceptions based on releases Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Added initial tests for gitlab branches Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * doc: Updated general README Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Cleaned up the query for pipelines to be focused on the commitID Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * feat: Allowed for a non-graphql method of retrieving MRs associated to a commit Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * doc: Updated status for the CI-Tests Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository. Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> --------- Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079) Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0. - [Release notes](https://github.com/sigstore/rekor/releases) - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * get nuget latest version from registration URL Signed-off-by: Avishay <avishay.balter@gmail.com> * better coverage Signed-off-by: Avishay <avishay.balter@gmail.com> * sign Signed-off-by: Avishay <avishay.balter@gmail.com> * fix tests Signed-off-by: Avishay <avishay.balter@gmail.com> * more tests Signed-off-by: Avishay <avishay.balter@gmail.com> * client tests Signed-off-by: Avishay <avishay.balter@gmail.com> * lint Signed-off-by: Avishay <avishay.balter@gmail.com> * Apply suggestions from code review Co-authored-by: Joel Verhagen <joel.verhagen@gmail.com> Signed-off-by: Avishay Balter <avishay.balter@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `685a22e` to `690e413` (#3080) Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/cii Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/controller Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/worker Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/webhook Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/bq Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089) Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0. - [Release notes](https://github.com/arduino/setup-protoc/releases) - [Commits](https://github.com/arduino/setup-protoc/compare/4b3578161eece2eb20a9dfd84bb8ed105e684dba...149f6c87b92550901b26acd1632e11c3662e381f) --- updated-dependencies: - dependency-name: arduino/setup-protoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/25eaddf37ae893cec889065e9a60439c8af6f089...cf4fe8759a45edd76ed6215da3529d2dbd2a3c68) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * pr iteration 2 Signed-off-by: Avishay <avishay.balter@gmail.com> * pr iteration 3 Signed-off-by: Avishay <avishay.balter@gmail.com> * switch security policy e2e test to ossf-tests repo. (#3090) tensorflow/tensorflow is huge and was slowing down tests. Also removed the rust e2e tests because they're already present as unit tests. Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/cf4fe8759a45edd76ed6215da3529d2dbd2a3c68...5978e5a2df95ef20cde627d4acb5edd1f87ba46a) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/tools from 0.9.1 to 0.9.2 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ GitLab: enable more checks in cron (#3097) * Enable checks * Binary-Artifacts * Code-Review * License * Vulnerabilities Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Enable more checks * CII Best Practices * Fuzzing * Maintained * Packaging * Pinned-Dependencies * Signed-Releases Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update repo name Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: agenda link change (#3111) Signed-off-by: Amanda L Martin <hythloda@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/5978e5a2df95ef20cde627d4acb5edd1f87ba46a...5d2fcdb4cbef720a52f49fd05d8c7edd18a64758) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/tools from 0.9.2 to 0.9.3 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for option (#3109) - Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format - Add tests for checks to run and format flags Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 GitLab: add gitlab auth token to cron worker env (#3117) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Don't run pat e2e on dependabot merges (#3119) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Detect fast-check PBT library for fuzz section (#3073) * ✨ Detect fast-check PBT library for fuzz section As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution. I also adapted the documentation related to fuzzing accordingly. Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Typo Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Update missing md files Signed-off-by: Nicolas DUBIEN <github@dubien.org> --------- Signed-off-by: Nicolas DUBIEN <github@dubien.org> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: temporarily disable failing e2e tests so we don't block all PRs. (#3130) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * pr comments Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * i:seedling: Ignore all pb files for test (#3127) - Update .codecov.yml to ignore additional files Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Deprecate dependencydiff package and add access token requirement (#3125) - Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function - Add a line to the `.codecov.yml` to ignore the `dependencydiff` package Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ [experimental] Support for new `--format probe` (#3048) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump distroless/base (#3122) Bumps distroless/base from `10985f0` to `c623859`. --- updated-dependencies: - dependency-name: distroless/base dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Ignore deprecation warning for dependencydiff tests. (#3136) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.15 to 36.0.18 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/5d2fcdb4cbef720a52f49fd05d8c7edd18a64758...07e0177b72d3640efced741cae32f9861eee1367) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4 Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8 Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139) Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Increase test coverage for finding outcomes (#3142) * Increase test coverage for finding outcomes - Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Updates based on Codereview - Update `Outcome` variable in `finding/finding_test.go` - Add `t.Parallel()` for test parallelization - Add comparison using `cmp.Diff` to test for mismatches - Update test cases for various outcomes Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/07e0177b72d3640efced741cae32f9861eee1367...fb20f4d24890fadc539505b1746d260504b213d0) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144) * re-enable skipped ci test Signed-off-by: Spencer Schrock <sschrock@google.com> * re-enable skipped attestor test. switch to ossf-tests repo Signed-off-by: Spencer Schrock <sschrock@google.com> * remove extra policies from tests that only look at code review. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unneeded policies from binary artifact tests. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * add license header Signed-off-by: Avishay <avishay.balter@gmail.com> * pr comments Signed-off-by: Avishay <avishay.balter@gmail.com> * making the packages internal Signed-off-by: Avishay <avishay.balter@gmail.com> * generate mocks Signed-off-by: Avishay <avishay.balter@gmail.com> --------- Signed-off-by: Avishay <avishay.balter@gmail.com> Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
2023-06-16 02:13:41 +03:00
cmd/internal/packagemanager/packagemanager_mockclient.go \
cmd/internal/nuget/nuget_mockclient.go
clients/mockclients/repo_client.go: clients/repo_client.go | $(MOCKGEN)
# Generating MockRepoClient
$(MOCKGEN) -source=clients/repo_client.go -destination=clients/mockclients/repo_client.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
clients/mockclients/repo.go: clients/repo.go | $(MOCKGEN)
# Generating MockRepo
$(MOCKGEN) -source=clients/repo.go -destination=clients/mockclients/repo.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
clients/mockclients/cii_client.go: clients/cii_client.go | $(MOCKGEN)
# Generating MockCIIClient
$(MOCKGEN) -source=clients/cii_client.go -destination=clients/mockclients/cii_client.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
checks/mockclients/vulnerabilities.go: clients/vulnerabilities.go | $(MOCKGEN)
# Generating MockCIIClient
$(MOCKGEN) -source=clients/vulnerabilities.go -destination=clients/mockclients/vulnerabilities.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
✨ add --nuget package manager flag (#3020) * add nuget package manager Signed-off-by: Avishay <avishay.balter@gmail.com> * fix pat test messages (#2987) * also fix pat tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0 Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump cloud.google.com/go/bigquery from 1.51.1 to 1.51.2 (#2984) Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.51.1 to 1.51.2. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.51.1...bigquery/v1.51.2) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/tools from 0.9.0 to 0.9.1 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.0 to 0.9.1. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.0...v0.9.1) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :bug: Update osv-scanner dependency to include Vulnerabilities check fixes (#2981) * Update osv-scanner dependency to include Vulnerabilities check fixes Signed-off-by: Laurent Savaëte <laurent@where.tf> * Run go mod tidy Signed-off-by: Laurent Savaëte <laurent@where.tf> --------- Signed-off-by: Laurent Savaëte <laurent@where.tf> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/docker/distribution in /tools (#2993) Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible. - [Release notes](https://github.com/docker/distribution/releases) - [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2) --- updated-dependencies: - dependency-name: github.com/docker/distribution dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Gitlab: e2e test fixes in main (#2992) * test secret chagnes Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update score Signed-off-by: Raghav Kaul <raghavkaul@google.com> * address cr comments Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests log/log.go (#2980) - Add unit tests for the log package - Add Apache License to log_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/cloudflare/circl in /tools (#2995) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.2.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.2.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :sparkles: Add releasing workflow for semantic-release (#2989) Signed-off-by: Matt Travi <programmer@travi.org> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0 Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/slsa-framework/slsa-verifier/releases) - [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md) - [Commits](https://github.com/slsa-framework/slsa-verifier/compare/v2.2.0...v2.3.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-verifier dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#2994) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934) * :seedling: Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: E2E for clients/githubrepo/contributors.go (#2939) * :seedling: E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: Clarify that AI/ML doesn't count as human code review (#2953) * Clarify that AI/ML doesn't count as human code review Add this clarification per the Scorecards Zoom call meeting today (2023-05-04). Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> * Tweaked per review Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> --------- Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/controller Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/worker Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `31a8f92` to `685a22e` Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/webhook Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Clarify AI/ML not human code review - in .yml file (#3012) This clarifies that AI/ML doesn't count as human code review. This was earlier done in #2953 but that didn't modify the relevant .yml file - this does. Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0. - [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for checks/raw/maintained.go (#2996) - Add tests and checks for the `Maintained` function - Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/894ff025c7b54547a9a2a1e9f228beae737ad3c2...eaaf4bedf32dbdc6b720b63067d99c4d77d6047d) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for Policy.go (#3003) - Included tests for policy.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/204a51a57a74d190b284a0ce69b44bc37201f343...03d0fecf172873164a163bbc64bed0f3bf114ed7) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/google/go-containerregistry (#3025) Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1 Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Included e2e tests for push to main (#2951) - Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Included directories that don't require coverage (#3002) - Included directories that don't require coverage. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for checks/raw/contributors.go (#2998) - Add tests and fix casing for Contributors function in checks/raw/contributors_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ GitLab: Code Review check (#2764) * Add GitLab support for Code-Review check Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove spurious printf Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Working commit Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * e2e test Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update: test coverage Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * gitlab: license check (#2834) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/google/osv-scanner Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/commits/v1.3.3) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/03d0fecf172873164a163bbc64bed0f3bf114ed7...dd6b2e2b610a11fd73dd187a43d57cc1394e35f9) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump arduino/setup-protoc from 1.1.2 to 1.2.0 Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0. - [Release notes](https://github.com/arduino/setup-protoc/releases) - [Commits](https://github.com/arduino/setup-protoc/compare/64c0c85d18e984422218383b81c52f8b077404d3...4b3578161eece2eb20a9dfd84bb8ed105e684dba) --- updated-dependencies: - dependency-name: arduino/setup-protoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :sparkles: Add support for github GHES (#2999) * :sparkles: adding support for github GHES Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: lint and cleanup Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: flaky test Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: address missing host Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: lint error Signed-off-by: Niket Patel <patelniket@gmail.com> * :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934) * :seedling: Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniket@gmail.com> * :seedling: E2E for clients/githubrepo/contributors.go (#2939) * :seedling: E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniket@gmail.com> * chore: add GHES instructions Signed-off-by: Niket Patel <patelniket@gmail.com> * refact: use test setenv Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: corp unit test Signed-off-by: Niket Patel <patelniket@gmail.com> --------- Signed-off-by: Niket Patel <patelniket@gmail.com> Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniketm@users.noreply.github.com> Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Change Facilitators to Maintainers (#3039) Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS. Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder. Signed-off-by: Jeff Mendoza <jlm@jlm.name> Signed-off-by: Avishay <avishay.balter@gmail.com> * :bug: Gitlab: Commit/Commitor Exceptions (#3026) * feat: Added paging for contributor/users against gitlab projects Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Updated the bot flag for unmatched users Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Not all commit users are in the git registry instance Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char. Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Updated to allow for commits with PRs to be accounted/added to the client.commits Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Updated to prevent linting issue regarding nested if's Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Adding coverage for commits and contributors for gitlab Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Moved queries from the client to their own functions Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Need to pass the ProjectID value to the contributor query Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updating project title versus projectID values for api querying Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Updated tests to match expected property set for projectID Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * revert: Reverted based on feedback during review Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> --------- Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: Make all StepSecurity app endpoint references consistent (#3042) Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io> Signed-off-by: Avishay <avishay.balter@gmail.com> * 📖 Update checks.md to show the benefit of >=2 reviewers (#3013) * Update checks.yaml instead of cehcks.md Signed-off-by: Joyce <joycebrum@google.com> * feat: generate checks.md Signed-off-by: Joyce Brum <joycebrum@google.com> --------- Signed-off-by: Joyce <joycebrum@google.com> Signed-off-by: Joyce Brum <joycebrum@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Improve workflow pinning remediation tests (#3021) - Add 3 tests for workflow pinning remediation [remediation/remediations_test.go] - Add 3 tests for workflow pinning remediation Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go (#3000) * :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go - Included e2e tests for clients/githubrepo/languages_e2e_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed the token type check. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for pkg/json_raw_results (#3044) * :seedling: Unit tests for pkg/json_raw_results.go - Unit tests for pkg/json_raw_results.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Additional tests Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * add zoom link and agenda link (#3050) Signed-off-by: Amanda L Martin <hythloda@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Run E2E PAT test for push to main (#3046) - Add E2E PAT tests for push to main. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Update main.yml (#3054) -Fixed the YAML indenting issue. Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * only run e2e pat on push (#3056) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: :ghost: fix anchor link to the code review section (#3058) * fix anchor link to code-review in checks.yaml Signed-off-by: dasfreak <dasfreak@users.noreply.github.com> Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> * generate checks.md Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> --------- Signed-off-by: dasfreak <dasfreak@users.noreply.github.com> Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Gitlab: Tests (#3027) * fix tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * use projectID instead of project where applicable Signed-off-by: Raghav Kaul <raghavkaul@google.com> * pass ref as listcommitoption Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update tests * CI-Tests: check if score > 0. pull request client is limited and can't go back to arbitrary pull requests. CI-Tests don't run on forks, so this can't be pinned either. But, for active repositories, we typically expect *some* tests to be run Signed-off-by: Raghav Kaul <raghavkaul@google.com> * fix commitshandler commitSHA tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/goreleaser/nfpm/v2 in /tools (#3060) Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0. - [Release notes](https://github.com/goreleaser/nfpm/releases) - [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml) - [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0) --- updated-dependencies: - dependency-name: github.com/goreleaser/nfpm/v2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Gitlab: Add projects to cron (#2936) * cron: add gitlab projects * support gitlab client * simplify gitlab detection Signed-off-by: Raghav Kaul <raghavkaul@google.com> * fix MakeGitlabRepo * shortcut when repo url is github.com * fixes add-projects, validate-projects Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Move gitlab repos to release controller Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add csv headers Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Use gitlab.WithBaseURL Signed-off-by: Raghav Kaul <raghavkaul@google.com> * formatting & logging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * remove spurious test Signed-off-by: Raghav Kaul <raghavkaul@google.com> * consolidate logic Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Turn on experimental flag Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add projects Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Update client Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Simplify caching in docker workflow (#3061) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...f0e3dfb30302f8a0881bb509b044e0de4f6ef589) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065) Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 gitlab: cron (#3070) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/f0e3dfb30302f8a0881bb509b044e0de4f6ef589...0225834cc549ee0ca93cb085b92954821a145866) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/b2d17f51244a144849c6b37a3a6791b98a51d86f...25eaddf37ae893cec889065e9a60439c8af6f089) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Gitlab status updates (#3052) * doc: Updating gitlab support validation status Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updated logic for gitlab to prevent exceptions based on releases Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Added initial tests for gitlab branches Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * doc: Updated general README Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Cleaned up the query for pipelines to be focused on the commitID Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * feat: Allowed for a non-graphql method of retrieving MRs associated to a commit Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * doc: Updated status for the CI-Tests Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository. Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> --------- Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079) Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0. - [Release notes](https://github.com/sigstore/rekor/releases) - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * get nuget latest version from registration URL Signed-off-by: Avishay <avishay.balter@gmail.com> * better coverage Signed-off-by: Avishay <avishay.balter@gmail.com> * sign Signed-off-by: Avishay <avishay.balter@gmail.com> * fix tests Signed-off-by: Avishay <avishay.balter@gmail.com> * more tests Signed-off-by: Avishay <avishay.balter@gmail.com> * client tests Signed-off-by: Avishay <avishay.balter@gmail.com> * lint Signed-off-by: Avishay <avishay.balter@gmail.com> * Apply suggestions from code review Co-authored-by: Joel Verhagen <joel.verhagen@gmail.com> Signed-off-by: Avishay Balter <avishay.balter@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `685a22e` to `690e413` (#3080) Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/cii Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/controller Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/worker Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/webhook Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/bq Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089) Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0. - [Release notes](https://github.com/arduino/setup-protoc/releases) - [Commits](https://github.com/arduino/setup-protoc/compare/4b3578161eece2eb20a9dfd84bb8ed105e684dba...149f6c87b92550901b26acd1632e11c3662e381f) --- updated-dependencies: - dependency-name: arduino/setup-protoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/25eaddf37ae893cec889065e9a60439c8af6f089...cf4fe8759a45edd76ed6215da3529d2dbd2a3c68) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * pr iteration 2 Signed-off-by: Avishay <avishay.balter@gmail.com> * pr iteration 3 Signed-off-by: Avishay <avishay.balter@gmail.com> * switch security policy e2e test to ossf-tests repo. (#3090) tensorflow/tensorflow is huge and was slowing down tests. Also removed the rust e2e tests because they're already present as unit tests. Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/cf4fe8759a45edd76ed6215da3529d2dbd2a3c68...5978e5a2df95ef20cde627d4acb5edd1f87ba46a) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/tools from 0.9.1 to 0.9.2 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ GitLab: enable more checks in cron (#3097) * Enable checks * Binary-Artifacts * Code-Review * License * Vulnerabilities Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Enable more checks * CII Best Practices * Fuzzing * Maintained * Packaging * Pinned-Dependencies * Signed-Releases Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update repo name Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: agenda link change (#3111) Signed-off-by: Amanda L Martin <hythloda@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/5978e5a2df95ef20cde627d4acb5edd1f87ba46a...5d2fcdb4cbef720a52f49fd05d8c7edd18a64758) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/tools from 0.9.2 to 0.9.3 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for option (#3109) - Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format - Add tests for checks to run and format flags Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 GitLab: add gitlab auth token to cron worker env (#3117) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Don't run pat e2e on dependabot merges (#3119) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Detect fast-check PBT library for fuzz section (#3073) * ✨ Detect fast-check PBT library for fuzz section As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution. I also adapted the documentation related to fuzzing accordingly. Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Typo Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Update missing md files Signed-off-by: Nicolas DUBIEN <github@dubien.org> --------- Signed-off-by: Nicolas DUBIEN <github@dubien.org> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: temporarily disable failing e2e tests so we don't block all PRs. (#3130) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * pr comments Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * i:seedling: Ignore all pb files for test (#3127) - Update .codecov.yml to ignore additional files Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Deprecate dependencydiff package and add access token requirement (#3125) - Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function - Add a line to the `.codecov.yml` to ignore the `dependencydiff` package Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ [experimental] Support for new `--format probe` (#3048) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump distroless/base (#3122) Bumps distroless/base from `10985f0` to `c623859`. --- updated-dependencies: - dependency-name: distroless/base dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Ignore deprecation warning for dependencydiff tests. (#3136) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.15 to 36.0.18 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/5d2fcdb4cbef720a52f49fd05d8c7edd18a64758...07e0177b72d3640efced741cae32f9861eee1367) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4 Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8 Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139) Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Increase test coverage for finding outcomes (#3142) * Increase test coverage for finding outcomes - Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Updates based on Codereview - Update `Outcome` variable in `finding/finding_test.go` - Add `t.Parallel()` for test parallelization - Add comparison using `cmp.Diff` to test for mismatches - Update test cases for various outcomes Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/07e0177b72d3640efced741cae32f9861eee1367...fb20f4d24890fadc539505b1746d260504b213d0) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144) * re-enable skipped ci test Signed-off-by: Spencer Schrock <sschrock@google.com> * re-enable skipped attestor test. switch to ossf-tests repo Signed-off-by: Spencer Schrock <sschrock@google.com> * remove extra policies from tests that only look at code review. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unneeded policies from binary artifact tests. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * add license header Signed-off-by: Avishay <avishay.balter@gmail.com> * pr comments Signed-off-by: Avishay <avishay.balter@gmail.com> * making the packages internal Signed-off-by: Avishay <avishay.balter@gmail.com> * generate mocks Signed-off-by: Avishay <avishay.balter@gmail.com> --------- Signed-off-by: Avishay <avishay.balter@gmail.com> Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
2023-06-16 02:13:41 +03:00
cmd/internal/packagemanager/packagemanager_mockclient.go: cmd/internal/packagemanager/client.go | $(MOCKGEN)
# Generating MockPackageManagerClient
✨ add --nuget package manager flag (#3020) * add nuget package manager Signed-off-by: Avishay <avishay.balter@gmail.com> * fix pat test messages (#2987) * also fix pat tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0 Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump cloud.google.com/go/bigquery from 1.51.1 to 1.51.2 (#2984) Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.51.1 to 1.51.2. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.51.1...bigquery/v1.51.2) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/tools from 0.9.0 to 0.9.1 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.0 to 0.9.1. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.0...v0.9.1) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :bug: Update osv-scanner dependency to include Vulnerabilities check fixes (#2981) * Update osv-scanner dependency to include Vulnerabilities check fixes Signed-off-by: Laurent Savaëte <laurent@where.tf> * Run go mod tidy Signed-off-by: Laurent Savaëte <laurent@where.tf> --------- Signed-off-by: Laurent Savaëte <laurent@where.tf> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/docker/distribution in /tools (#2993) Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible. - [Release notes](https://github.com/docker/distribution/releases) - [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2) --- updated-dependencies: - dependency-name: github.com/docker/distribution dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Gitlab: e2e test fixes in main (#2992) * test secret chagnes Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update score Signed-off-by: Raghav Kaul <raghavkaul@google.com> * address cr comments Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests log/log.go (#2980) - Add unit tests for the log package - Add Apache License to log_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/cloudflare/circl in /tools (#2995) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.2.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.2.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :sparkles: Add releasing workflow for semantic-release (#2989) Signed-off-by: Matt Travi <programmer@travi.org> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0 Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/slsa-framework/slsa-verifier/releases) - [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md) - [Commits](https://github.com/slsa-framework/slsa-verifier/compare/v2.2.0...v2.3.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-verifier dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#2994) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934) * :seedling: Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: E2E for clients/githubrepo/contributors.go (#2939) * :seedling: E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: Clarify that AI/ML doesn't count as human code review (#2953) * Clarify that AI/ML doesn't count as human code review Add this clarification per the Scorecards Zoom call meeting today (2023-05-04). Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> * Tweaked per review Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> --------- Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/controller Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/worker Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `31a8f92` to `685a22e` Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/webhook Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Clarify AI/ML not human code review - in .yml file (#3012) This clarifies that AI/ML doesn't count as human code review. This was earlier done in #2953 but that didn't modify the relevant .yml file - this does. Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0. - [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for checks/raw/maintained.go (#2996) - Add tests and checks for the `Maintained` function - Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/894ff025c7b54547a9a2a1e9f228beae737ad3c2...eaaf4bedf32dbdc6b720b63067d99c4d77d6047d) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for Policy.go (#3003) - Included tests for policy.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/204a51a57a74d190b284a0ce69b44bc37201f343...03d0fecf172873164a163bbc64bed0f3bf114ed7) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/google/go-containerregistry (#3025) Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1 Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Included e2e tests for push to main (#2951) - Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Included directories that don't require coverage (#3002) - Included directories that don't require coverage. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for checks/raw/contributors.go (#2998) - Add tests and fix casing for Contributors function in checks/raw/contributors_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ GitLab: Code Review check (#2764) * Add GitLab support for Code-Review check Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove spurious printf Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Working commit Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * e2e test Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update: test coverage Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * gitlab: license check (#2834) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/google/osv-scanner Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/commits/v1.3.3) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/03d0fecf172873164a163bbc64bed0f3bf114ed7...dd6b2e2b610a11fd73dd187a43d57cc1394e35f9) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump arduino/setup-protoc from 1.1.2 to 1.2.0 Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0. - [Release notes](https://github.com/arduino/setup-protoc/releases) - [Commits](https://github.com/arduino/setup-protoc/compare/64c0c85d18e984422218383b81c52f8b077404d3...4b3578161eece2eb20a9dfd84bb8ed105e684dba) --- updated-dependencies: - dependency-name: arduino/setup-protoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :sparkles: Add support for github GHES (#2999) * :sparkles: adding support for github GHES Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: lint and cleanup Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: flaky test Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: address missing host Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: lint error Signed-off-by: Niket Patel <patelniket@gmail.com> * :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934) * :seedling: Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniket@gmail.com> * :seedling: E2E for clients/githubrepo/contributors.go (#2939) * :seedling: E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniket@gmail.com> * chore: add GHES instructions Signed-off-by: Niket Patel <patelniket@gmail.com> * refact: use test setenv Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: corp unit test Signed-off-by: Niket Patel <patelniket@gmail.com> --------- Signed-off-by: Niket Patel <patelniket@gmail.com> Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniketm@users.noreply.github.com> Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Change Facilitators to Maintainers (#3039) Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS. Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder. Signed-off-by: Jeff Mendoza <jlm@jlm.name> Signed-off-by: Avishay <avishay.balter@gmail.com> * :bug: Gitlab: Commit/Commitor Exceptions (#3026) * feat: Added paging for contributor/users against gitlab projects Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Updated the bot flag for unmatched users Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Not all commit users are in the git registry instance Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char. Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Updated to allow for commits with PRs to be accounted/added to the client.commits Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Updated to prevent linting issue regarding nested if's Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Adding coverage for commits and contributors for gitlab Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Moved queries from the client to their own functions Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Need to pass the ProjectID value to the contributor query Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updating project title versus projectID values for api querying Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Updated tests to match expected property set for projectID Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * revert: Reverted based on feedback during review Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> --------- Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: Make all StepSecurity app endpoint references consistent (#3042) Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io> Signed-off-by: Avishay <avishay.balter@gmail.com> * 📖 Update checks.md to show the benefit of >=2 reviewers (#3013) * Update checks.yaml instead of cehcks.md Signed-off-by: Joyce <joycebrum@google.com> * feat: generate checks.md Signed-off-by: Joyce Brum <joycebrum@google.com> --------- Signed-off-by: Joyce <joycebrum@google.com> Signed-off-by: Joyce Brum <joycebrum@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Improve workflow pinning remediation tests (#3021) - Add 3 tests for workflow pinning remediation [remediation/remediations_test.go] - Add 3 tests for workflow pinning remediation Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go (#3000) * :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go - Included e2e tests for clients/githubrepo/languages_e2e_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed the token type check. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for pkg/json_raw_results (#3044) * :seedling: Unit tests for pkg/json_raw_results.go - Unit tests for pkg/json_raw_results.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Additional tests Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * add zoom link and agenda link (#3050) Signed-off-by: Amanda L Martin <hythloda@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Run E2E PAT test for push to main (#3046) - Add E2E PAT tests for push to main. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Update main.yml (#3054) -Fixed the YAML indenting issue. Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * only run e2e pat on push (#3056) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: :ghost: fix anchor link to the code review section (#3058) * fix anchor link to code-review in checks.yaml Signed-off-by: dasfreak <dasfreak@users.noreply.github.com> Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> * generate checks.md Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> --------- Signed-off-by: dasfreak <dasfreak@users.noreply.github.com> Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Gitlab: Tests (#3027) * fix tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * use projectID instead of project where applicable Signed-off-by: Raghav Kaul <raghavkaul@google.com> * pass ref as listcommitoption Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update tests * CI-Tests: check if score > 0. pull request client is limited and can't go back to arbitrary pull requests. CI-Tests don't run on forks, so this can't be pinned either. But, for active repositories, we typically expect *some* tests to be run Signed-off-by: Raghav Kaul <raghavkaul@google.com> * fix commitshandler commitSHA tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/goreleaser/nfpm/v2 in /tools (#3060) Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0. - [Release notes](https://github.com/goreleaser/nfpm/releases) - [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml) - [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0) --- updated-dependencies: - dependency-name: github.com/goreleaser/nfpm/v2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Gitlab: Add projects to cron (#2936) * cron: add gitlab projects * support gitlab client * simplify gitlab detection Signed-off-by: Raghav Kaul <raghavkaul@google.com> * fix MakeGitlabRepo * shortcut when repo url is github.com * fixes add-projects, validate-projects Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Move gitlab repos to release controller Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add csv headers Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Use gitlab.WithBaseURL Signed-off-by: Raghav Kaul <raghavkaul@google.com> * formatting & logging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * remove spurious test Signed-off-by: Raghav Kaul <raghavkaul@google.com> * consolidate logic Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Turn on experimental flag Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add projects Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Update client Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Simplify caching in docker workflow (#3061) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...f0e3dfb30302f8a0881bb509b044e0de4f6ef589) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065) Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 gitlab: cron (#3070) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/f0e3dfb30302f8a0881bb509b044e0de4f6ef589...0225834cc549ee0ca93cb085b92954821a145866) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/b2d17f51244a144849c6b37a3a6791b98a51d86f...25eaddf37ae893cec889065e9a60439c8af6f089) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Gitlab status updates (#3052) * doc: Updating gitlab support validation status Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updated logic for gitlab to prevent exceptions based on releases Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Added initial tests for gitlab branches Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * doc: Updated general README Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Cleaned up the query for pipelines to be focused on the commitID Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * feat: Allowed for a non-graphql method of retrieving MRs associated to a commit Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * doc: Updated status for the CI-Tests Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository. Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> --------- Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079) Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0. - [Release notes](https://github.com/sigstore/rekor/releases) - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * get nuget latest version from registration URL Signed-off-by: Avishay <avishay.balter@gmail.com> * better coverage Signed-off-by: Avishay <avishay.balter@gmail.com> * sign Signed-off-by: Avishay <avishay.balter@gmail.com> * fix tests Signed-off-by: Avishay <avishay.balter@gmail.com> * more tests Signed-off-by: Avishay <avishay.balter@gmail.com> * client tests Signed-off-by: Avishay <avishay.balter@gmail.com> * lint Signed-off-by: Avishay <avishay.balter@gmail.com> * Apply suggestions from code review Co-authored-by: Joel Verhagen <joel.verhagen@gmail.com> Signed-off-by: Avishay Balter <avishay.balter@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `685a22e` to `690e413` (#3080) Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/cii Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/controller Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/worker Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/webhook Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/bq Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089) Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0. - [Release notes](https://github.com/arduino/setup-protoc/releases) - [Commits](https://github.com/arduino/setup-protoc/compare/4b3578161eece2eb20a9dfd84bb8ed105e684dba...149f6c87b92550901b26acd1632e11c3662e381f) --- updated-dependencies: - dependency-name: arduino/setup-protoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/25eaddf37ae893cec889065e9a60439c8af6f089...cf4fe8759a45edd76ed6215da3529d2dbd2a3c68) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * pr iteration 2 Signed-off-by: Avishay <avishay.balter@gmail.com> * pr iteration 3 Signed-off-by: Avishay <avishay.balter@gmail.com> * switch security policy e2e test to ossf-tests repo. (#3090) tensorflow/tensorflow is huge and was slowing down tests. Also removed the rust e2e tests because they're already present as unit tests. Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/cf4fe8759a45edd76ed6215da3529d2dbd2a3c68...5978e5a2df95ef20cde627d4acb5edd1f87ba46a) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/tools from 0.9.1 to 0.9.2 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ GitLab: enable more checks in cron (#3097) * Enable checks * Binary-Artifacts * Code-Review * License * Vulnerabilities Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Enable more checks * CII Best Practices * Fuzzing * Maintained * Packaging * Pinned-Dependencies * Signed-Releases Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update repo name Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: agenda link change (#3111) Signed-off-by: Amanda L Martin <hythloda@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/5978e5a2df95ef20cde627d4acb5edd1f87ba46a...5d2fcdb4cbef720a52f49fd05d8c7edd18a64758) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/tools from 0.9.2 to 0.9.3 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for option (#3109) - Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format - Add tests for checks to run and format flags Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 GitLab: add gitlab auth token to cron worker env (#3117) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Don't run pat e2e on dependabot merges (#3119) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Detect fast-check PBT library for fuzz section (#3073) * ✨ Detect fast-check PBT library for fuzz section As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution. I also adapted the documentation related to fuzzing accordingly. Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Typo Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Update missing md files Signed-off-by: Nicolas DUBIEN <github@dubien.org> --------- Signed-off-by: Nicolas DUBIEN <github@dubien.org> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: temporarily disable failing e2e tests so we don't block all PRs. (#3130) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * pr comments Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * i:seedling: Ignore all pb files for test (#3127) - Update .codecov.yml to ignore additional files Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Deprecate dependencydiff package and add access token requirement (#3125) - Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function - Add a line to the `.codecov.yml` to ignore the `dependencydiff` package Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ [experimental] Support for new `--format probe` (#3048) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump distroless/base (#3122) Bumps distroless/base from `10985f0` to `c623859`. --- updated-dependencies: - dependency-name: distroless/base dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Ignore deprecation warning for dependencydiff tests. (#3136) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.15 to 36.0.18 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/5d2fcdb4cbef720a52f49fd05d8c7edd18a64758...07e0177b72d3640efced741cae32f9861eee1367) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4 Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8 Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139) Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Increase test coverage for finding outcomes (#3142) * Increase test coverage for finding outcomes - Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Updates based on Codereview - Update `Outcome` variable in `finding/finding_test.go` - Add `t.Parallel()` for test parallelization - Add comparison using `cmp.Diff` to test for mismatches - Update test cases for various outcomes Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/07e0177b72d3640efced741cae32f9861eee1367...fb20f4d24890fadc539505b1746d260504b213d0) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144) * re-enable skipped ci test Signed-off-by: Spencer Schrock <sschrock@google.com> * re-enable skipped attestor test. switch to ossf-tests repo Signed-off-by: Spencer Schrock <sschrock@google.com> * remove extra policies from tests that only look at code review. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unneeded policies from binary artifact tests. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * add license header Signed-off-by: Avishay <avishay.balter@gmail.com> * pr comments Signed-off-by: Avishay <avishay.balter@gmail.com> * making the packages internal Signed-off-by: Avishay <avishay.balter@gmail.com> * generate mocks Signed-off-by: Avishay <avishay.balter@gmail.com> --------- Signed-off-by: Avishay <avishay.balter@gmail.com> Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
2023-06-16 02:13:41 +03:00
$(MOCKGEN) -source=cmd/internal/packagemanager/client.go -destination=cmd/internal/packagemanager/packagemanager_mockclient.go -package=packagemanager -copyright_file=clients/mockclients/license.txt
cmd/internal/nuget/nuget_mockclient.go: cmd/internal/nuget/client.go | $(MOCKGEN)
# Generating MockNugetClient
$(MOCKGEN) -source=cmd/internal/nuget/client.go -destination=cmd/internal/nuget/nuget_mockclient.go -package=nuget -copyright_file=clients/mockclients/license.txt
PROBE_DEFINITION_FILES = $(shell find ./probes/ -name "def.yml")
generate-docs: ## Generates docs
generate-docs: validate-docs docs/checks.md docs/checks/internal/checks.yaml docs/checks/internal/*.go docs/checks/internal/generate/*.go \
docs/probes.md $(PROBE_DEFINITION_FILES) docs/probes/internal/generate/*.go
# Generating checks.md
go run ./docs/checks/internal/generate/main.go docs/checks.md
# Generating probes.md
go run ./docs/probes/internal/generate/main.go probes/ > docs/probes.md
validate-docs: docs/checks/internal/generate/main.go
# Validating checks.yaml
go run ./docs/checks/internal/validate/main.go
setup-probe:
go run ./probes/internal/scripts/setup.go $(probeName)
SCORECARD_DEPS = $(shell find . -iname "*.go" | grep -v tools/)
build-scorecard: ## Build Scorecard CLI
build-scorecard: scorecard
scorecard: $(SCORECARD_DEPS)
# Run go build and generate scorecard executable
CGO_ENABLED=0 go build -trimpath -a -tags netgo -ldflags '$(LDFLAGS)'
scorecard-docker: ## Build Scorecard CLI Docker image
scorecard-docker: scorecard.docker
scorecard.docker: Dockerfile $(SCORECARD_DEPS)
DOCKER_BUILDKIT=1 docker build . --file Dockerfile \
--tag $(IMAGE_NAME) && \
touch scorecard.docker
build-releaser: ## Build goreleaser for the Scorecard CLI
build-releaser: scorecard.releaser
scorecard.releaser: .goreleaser.yml $(SCORECARD_DEPS) | $(GORELEASER)
2021-11-23 19:56:21 +03:00
# Run go releaser on the Scorecard repo
$(GORELEASER) check && \
VERSION_LDFLAGS="$(LDFLAGS)" $(GORELEASER) release \
--snapshot --clean --skip=publish,sign && \
touch scorecard.releaser
CRON_CONTROLLER_DEPS = $(shell find cron/internal/ -iname "*.go")
build-controller: ## Build cron controller
build-controller: cron/internal/controller/controller
cron/internal/controller/controller: $(CRON_CONTROLLER_DEPS)
# Run go build on the cron PubSub controller
cd cron/internal/controller && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o controller
cron-controller-docker: ## Build cron controller Docker image
cron-controller-docker: cron/internal/controller/controller.docker
cron/internal/controller/controller.docker: cron/internal/controller/Dockerfile $(CRON_CONTROLLER_DEPS)
DOCKER_BUILDKIT=1 docker build . --file cron/internal/controller/Dockerfile \
--tag $(IMAGE_NAME)-batch-controller \
&& touch cron/internal/controller/controller.docker
build-worker: ## Runs go build on the cron PubSub worker
# Run go build on the cron PubSub worker
cd cron/internal/worker && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o worker
CRON_CII_DEPS = $(shell find cron/internal/ clients/ -iname "*.go")
build-cii-worker: ## Build cron CII worker
build-cii-worker: cron/internal/cii/cii-worker
cron/internal/cii/cii-worker: $(CRON_CII_DEPS)
# Run go build on the CII worker
cd cron/internal/cii && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o cii-worker
cron-cii-worker-docker: # Build cron CII worker Docker image
cron-cii-worker-docker: cron/internal/cii/cii-worker.docker
cron/internal/cii/cii-worker.docker: cron/internal/cii/Dockerfile $(CRON_CII_DEPS)
DOCKER_BUILDKIT=1 docker build . --file cron/internal/cii/Dockerfile \
--tag $(IMAGE_NAME)-cii-worker && \
touch cron/internal/cii/cii-worker.docker
CRON_SHUFFLER_DEPS = $(shell find cron/data/ cron/internal/shuffle/ -iname "*.go")
build-shuffler: ## Build cron shuffle script
build-shuffler: cron/internal/shuffle/shuffle
cron/internal/shuffle/shuffle: $(CRON_SHUFFLER_DEPS)
# Run go build on the cron shuffle script
cd cron/internal/shuffle && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o shuffle
CRON_TRANSFER_DEPS = $(shell find cron/data/ cron/config/ cron/internal/bq/ -iname "*.go")
build-bq-transfer: ## Build cron BQ transfer worker
build-bq-transfer: cron/internal/bq/data-transfer
cron/internal/bq/data-transfer: $(CRON_TRANSFER_DEPS)
# Run go build on the Copier cron job
cd cron/internal/bq && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o data-transfer
cron-bq-transfer-docker: ## Build cron BQ transfer worker Docker image
cron-bq-transfer-docker: cron/internal/bq/data-transfer.docker
cron/internal/bq/data-transfer.docker: cron/internal/bq/Dockerfile $(CRON_TRANSFER_DEPS)
DOCKER_BUILDKIT=1 docker build . --file cron/internal/bq/Dockerfile \
--tag $(IMAGE_NAME)-bq-transfer && \
touch cron/internal/bq/data-transfer.docker
✨ CLI for scorecard-attestor (#2309) * Reorganize Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Working commit Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Compile with local scorecard; go mod tidy Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add signing code Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Update deps * Naming * Makefile Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Edit license, add lint.yml Signed-off-by: Raghav Kaul <raghavkaul@google.com> * checks: go mod tidy, license Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * Split into checker/signer files * Naming convention Signed-off-by: Raghav Kaul <raghavkaul@google.com> * License, remove golangci.yml Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * Use cobra Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add tests for root command Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Filter out checks that aren't needed for policy evaluation Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add `make` targets for attestor; submit coverage stats Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Improvements * Use sclog instead of glog * Remove unneeded subcommands * Formatting Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Flags: Make note-name constant and fix messaging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove SupportedRequestTypes Signed-off-by: Raghav Kaul <raghavkaul@google.com> * go mod tidy Signed-off-by: Raghav Kaul <raghavkaul@google.com> * go mod tidy, makefile Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Fix GH actions run Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com>
2022-11-01 21:30:17 +03:00
build-attestor: ## Runs go build on scorecard attestor
# Run go build on scorecard attestor
cd attestor/; CGO_ENABLED=0 go build -trimpath -a -tags netgo -ldflags '$(LDFLAGS)' -o scorecard-attestor
✨ Commit depth feature (#2407) * :seedling: Bump actions/dependency-review-action from 2.4.1 to 2.5.1 Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/9c96258789e5d9e85fe4ca86115ba4cc62b780cf...0efb1d1d84fc9633afcdaad14c485cbbc90ef46c) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * commit_depth feature Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * added more descriptive comments, changed numberofcommits variable name, moved paging for commits into seperate function. small changes Signed-off-by: latortuga71 <christopheralonso1@gmail.com> linter Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * added unit tests Signed-off-by: latortuga71 <christopheralonso1@gmail.com> added test in e2e Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#2397) Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](https://github.com/spf13/cobra/compare/v1.6.0...v1.6.1) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.1.6...v2.4.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0 Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.25.1 to 1.26.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.25.1...pubsub/v1.26.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0 Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.73.1 to 0.74.0. - [Release notes](https://github.com/xanzy/go-gitlab/releases) - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.73.1...v0.74.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (#2409) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.20.2...v1.23.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.1.6...v2.4.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump github.com/golangci/golangci-lint in /tools Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.50.0...v1.50.1) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (#2363) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.2.0. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](https://github.com/goreleaser/goreleaser-action/compare/b953231f81b8dfd023c58e0854a721e35037f28b...b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump github.com/goreleaser/goreleaser in /tools (#2373) Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](https://github.com/goreleaser/goreleaser/compare/v1.11.5...v1.12.3) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * ✨ CLI for scorecard-attestor (#2309) * Reorganize Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Working commit Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Compile with local scorecard; go mod tidy Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add signing code Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Update deps * Naming * Makefile Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Edit license, add lint.yml Signed-off-by: Raghav Kaul <raghavkaul@google.com> * checks: go mod tidy, license Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * Split into checker/signer files * Naming convention Signed-off-by: Raghav Kaul <raghavkaul@google.com> * License, remove golangci.yml Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * Use cobra Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add tests for root command Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Filter out checks that aren't needed for policy evaluation Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add `make` targets for attestor; submit coverage stats Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Improvements * Use sclog instead of glog * Remove unneeded subcommands * Formatting Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Flags: Make note-name constant and fix messaging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove SupportedRequestTypes Signed-off-by: Raghav Kaul <raghavkaul@google.com> * go mod tidy Signed-off-by: Raghav Kaul <raghavkaul@google.com> * go mod tidy, makefile Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Fix GH actions run Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * fix workflow (#2417) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * Bump scorecard-action (#2416) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * Fail unit-test job if codecov upload fails (#2415) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * 🌱 Enable comparison for alternative isText implementation (#2414) * use more performant IsText Signed-off-by: Spencer Schrock <sschrock@google.com> * AB test isText implementations Signed-off-by: Spencer Schrock <sschrock@google.com> * Add comparison env var to release test. Signed-off-by: Spencer Schrock <sschrock@google.com> * go mod tidy for attestor Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * 🐛 modify alternative isText to accept carriage returns (#2421) * modify IsText from golang.org/x/tools/godoc/util to accept carriage returns. Signed-off-by: Spencer Schrock <sschrock@google.com> * add TODO reminder to cleanup after release tests Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump github.com/onsi/gomega from 1.23.0 to 1.24.0 Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.23.0 to 1.24.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.23.0...v1.24.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump github/codeql-action from 2.1.29 to 2.1.30 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6...18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * revert failing unit-test on ci error (#2422) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :sparkles: Improved Security Policy Check (#2195) * :sparkles: Improved Security Policy Check (#2137) * Examines and awards points for linked content (URLs / Emails) * Examines and awards points for hints of disclosure and vulnerability practices * Examines and awards points for hints of elaboration of timelines Signed-off-by: Scott Hissam <shissam@gmail.com> * Repaired Security Policy to correctly use linked content length for evaluation Signed-off-by: Scott Hissam <shissam@gmail.com> * gofmt'ed changes Signed-off-by: Scott Hissam <shissam@gmail.com> * Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails Signed-off-by: Scott Hissam <shissam@gmail.com> * added unit test cases for the new content-based Security Policy checks Signed-off-by: Scott Hissam <shissam@gmail.com> * reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs Signed-off-by: Scott Hissam <shissam@gmail.com> * :sparkles: Improved Security Policy Check (#2137) (revisted based on comments) * replaced reason strings with log.Info & log.Warn (as seen in --show-details) * internal assertion check for nil (*pinfo) and empty pfile * internal switched to FileTypeText over FileTypeSource * internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file * revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type Signed-off-by: Scott Hissam <shissam@gmail.com> * revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly Signed-off-by: Scott Hissam <shissam@gmail.com> * revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly Signed-off-by: Scott Hissam <shissam@gmail.com> * revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly Signed-off-by: Scott Hissam <shissam@gmail.com> * Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number Signed-off-by: Scott Hissam <shissam@gmail.com> * Resolved merge conflict with checks.yaml Signed-off-by: Scott Hissam <shissam@gmail.com> * updated raw results to emit all the raw information for the new security policy check Signed-off-by: Scott Hissam <shissam@gmail.com> * Resolved merge conflicts and lint errors with json_raw_results.go Signed-off-by: Scott Hissam <shissam@gmail.com> * Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files. Signed-off-by: Scott Hissam <shissam@gmail.com> * Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files are found in the repo Signed-off-by: Scott Hissam <shissam@gmail.com> * added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code Signed-off-by: Scott Hissam <shissam@gmail.com> * Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment Signed-off-by: Scott Hissam <shissam@gmail.com> * restored reporting full security policy path and filename for policies found in the org level repos Signed-off-by: Scott Hissam <shissam@gmail.com> * Resolved conflicts in checks.yaml for documentation Signed-off-by: Scott Hissam <shissam@gmail.com> * ✨ CLI for scorecard-attestor (#2309) * Reorganize Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Working commit Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Compile with local scorecard; go mod tidy Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add signing code Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Update deps * Naming * Makefile Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Edit license, add lint.yml Signed-off-by: Raghav Kaul <raghavkaul@google.com> * checks: go mod tidy, license Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * Split into checker/signer files * Naming convention Signed-off-by: Raghav Kaul <raghavkaul@google.com> * License, remove golangci.yml Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * Use cobra Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add tests for root command Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Filter out checks that aren't needed for policy evaluation Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add `make` targets for attestor; submit coverage stats Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Improvements * Use sclog instead of glog * Remove unneeded subcommands * Formatting Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Flags: Make note-name constant and fix messaging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove SupportedRequestTypes Signed-off-by: Raghav Kaul <raghavkaul@google.com> * go mod tidy Signed-off-by: Raghav Kaul <raghavkaul@google.com> * go mod tidy, makefile Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Fix GH actions run Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Scott Hissam <shissam@gmail.com> * removed whitespace before stanza for Run attestor e2e Signed-off-by: Scott Hissam <shissam@gmail.com> * resolved code review and doc review comments Signed-off-by: Scott Hissam <shissam@gmail.com> * repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines Signed-off-by: Scott Hissam <shissam@gmail.com> Signed-off-by: Scott Hissam <shissam@gmail.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump github/codeql-action from 2.1.30 to 2.1.31 (#2431) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f...c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * enable more performant isText (#2433) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * modified tests,InitRepo Function, Added GetCommitDepth Function to Client Interface Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * removed getcommitdepth function Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * added TODO Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (#2436) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.4.0...v2.5.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.4.0...v2.5.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * 🌱 Code Review: treat merging a PR as code review (#2413) * Merges on Github count as a code review by the maintainer Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Update Raw Results * More detailed information for Changesets * If there's no Revision ID, use the Commit SHA instead Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Check that pull request had atleast one reviewer that wasn't its author * Add field for Pull Request Merged-By to Github and Gitlab * Note, this check can be bypassed if an author opens a PR with other people's commits Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * Trivial: Fix typo (exepted -> expected) (#2440) Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com> Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump step-security/harden-runner from 1.5.0 to 2.0.0 (#2443) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/2e205a28d0e1da00c5f53b161f4067b052c61f34...ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * 🌱 cron: support reading prefix from file for controller input files (7/n) (#2445) * add prefix marker file to config Signed-off-by: Spencer Schrock <sschrock@google.com> * Read the new config values, if they exist. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add function to fetch prefix file config value. Signed-off-by: Spencer Schrock <sschrock@google.com> * Read prefix file if prefix not set. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add tests to verify how List works with various prefixes Signed-off-by: Spencer Schrock <sschrock@google.com> * Add tests for getPrefix Signed-off-by: Spencer Schrock <sschrock@google.com> * Remove panics from iterator helper functions Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * Detect SECURITY.markdown in addition to SECURITY.md (#2447) GitHub probably supports many more file extensions for Markdown files, but at the very least, `.md` and `.markdown` have been standardized in RFC 7763. Signed-off-by: favonia <favonia@gmail.com> Signed-off-by: favonia <favonia@gmail.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (#2430) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: cron: expose the stackdriver prefix as a config variable so it can be changed. (#2446) * Expose the stackdriver prefix as a config variable so it can be changed. Signed-off-by: Caleb Brown <calebbrown@google.com> * fix linter warning Signed-off-by: Caleb Brown <calebbrown@google.com> Signed-off-by: Caleb Brown <calebbrown@google.com> Co-authored-by: Spencer Schrock <sschrock@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * Only write to the rawBucket if the value exists. (#2451) Signed-off-by: Caleb Brown <calebbrown@google.com> Signed-off-by: Caleb Brown <calebbrown@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump golang.org/x/tools from 0.2.0 to 0.3.0 (#2448) * :seedling: Bump golang.org/x/tools from 0.2.0 to 0.3.0 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.2.0...v0.3.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * bump attestor modules Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock <sschrock@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * Move cron monitoring to a non-internal location. (#2453) This allows external workers (e.g. criticality_score) to use the same monitoring code. Signed-off-by: Caleb Brown <calebbrown@google.com> Signed-off-by: Caleb Brown <calebbrown@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#2455) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/0efb1d1d84fc9633afcdaad14c485cbbc90ef46c...30d582111533d59ab793fd9f971817241654f3ec) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (#2454) * Generalize the transfer logic so it is easy to build new transfer agents This change moves code that reads shards and produces summaries into the data package so that it can be reused to create new transfer agents, similar to the BigQuery transfer agent in cron/internal/bq. Signed-off-by: Caleb Brown <calebbrown@google.com> * Lint fix and commentary. Signed-off-by: Caleb Brown <calebbrown@google.com> Signed-off-by: Caleb Brown <calebbrown@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump github.com/google/addlicense in /tools (#2459) Bumps [github.com/google/addlicense](https://github.com/google/addlicense) from 1.0.0 to 1.1.0. - [Release notes](https://github.com/google/addlicense/releases) - [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml) - [Commits](https://github.com/google/addlicense/compare/v1.0.0...v1.1.0) --- updated-dependencies: - dependency-name: github.com/google/addlicense dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * :seedling: Bump github.com/google/go-containerregistry Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.0 to 0.12.1. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/go-containerregistry/compare/v0.12.0...v0.12.1) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * go mod tidy Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * Added <= instead of == incase negative int is passed Signed-off-by: latortuga71 <christopheralonso1@gmail.com> * missed test fix Signed-off-by: latortuga71 <christopheralonso1@gmail.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: latortuga71 <christopheralonso1@gmail.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Scott Hissam <shissam@gmail.com> Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com> Signed-off-by: favonia <favonia@gmail.com> Signed-off-by: Caleb Brown <calebbrown@google.com> Signed-off-by: Latortuga <42878263+latortuga71@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Co-authored-by: Spencer Schrock <sschrock@google.com> Co-authored-by: scott hissam <shissam@users.noreply.github.com> Co-authored-by: Michael Scovetta <michael.scovetta@microsoft.com> Co-authored-by: favonia <favonia@gmail.com> Co-authored-by: Caleb Brown <calebbrown@google.com>
2022-11-22 19:11:36 +03:00
build-attestor-docker: ## Build scorecard-attestor Docker image
build-attestor-docker:
DOCKER_BUILDKIT=1 docker build . --file attestor/Dockerfile \
--tag scorecard-attestor:latest \
📖 Fix spelling (#3804) * spelling: accurate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: administrator Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: analyze Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: andtwenty Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: ascii Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: association Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: at least Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: attestor Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: barbaric Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: bucket Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: by Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: can Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: case-insensitive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: case-sensitive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: checking Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: command-line Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: commit Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: committed Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: conclusion Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: corresponding Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: created Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dataset Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: default Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: defines Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dependabot Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dependency Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: depending Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: desired Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: different Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: disclose Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: download Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: each Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: enforce Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: every time Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: exist Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: existing Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: fields Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: files Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: for Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: force-push Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: github Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: gitlab Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: ignoreed Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: implementation Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: implements Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: increase Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: indicates Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: initialized Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: instructions Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: invalid Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: marshal Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: match Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: name Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: nonexistent Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: organization Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: package Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: provenance Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: query Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: readers Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: receive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: registered Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: remediate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: representation Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: requests Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: requires Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: return Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: scorecard Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: separator Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: serialization Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: sign up Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: specifications Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: specified Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: success Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: successfully Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: the Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: their Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: twenty Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unexpected Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unused Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unverified Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: validate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vendor Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vulnerabilities Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vulns Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: will Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: without Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: workflow Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: workflows Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --------- Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2024-01-27 02:08:26 +03:00
--tag scorecard-attestor:$(GIT_HASH)
TOKEN_SERVER_DEPS = $(shell find clients/githubrepo/roundtripper/tokens/ -iname "*.go")
build-github-server: ## Build GitHub token server
build-github-server: clients/githubrepo/roundtripper/tokens/server/github-auth-server
clients/githubrepo/roundtripper/tokens/server/github-auth-server: $(TOKEN_SERVER_DEPS)
# Run go build on the GitHub auth server
cd clients/githubrepo/roundtripper/tokens/server && \
CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o github-auth-server
cron-github-server-docker: ## Build GitHub token server Docker image
cron-github-server-docker: clients/githubrepo/roundtripper/tokens/server/github-auth-server.docker
clients/githubrepo/roundtripper/tokens/server/github-auth-server.docker: \
clients/githubrepo/roundtripper/tokens/server/Dockerfile $(TOKEN_SERVER_DEPS)
DOCKER_BUILDKIT=1 docker build . \
--file clients/githubrepo/roundtripper/tokens/server/Dockerfile \
--tag ${IMAGE_NAME}-github-server && \
touch clients/githubrepo/roundtripper/tokens/server/github-auth-server.docker
CRON_WEBHOOK_DEPS = $(shell find cron/internal/webhook/ cron/data/ -iname "*.go")
build-webhook: ## Build cron webhook server
build-webhook: cron/internal/webhook/webhook
cron/internal/webhook/webhook: $(CRON_WEBHOOK_DEPS)
# Run go build on the cron webhook
cd cron/internal/webhook && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o webhook
cron-webhook-docker: ## Build cron webhook server Docker image
cron-webhook-docker: cron/internal/webhook/webhook.docker
cron/internal/webhook/webhook.docker: cron/internal/webhook/Dockerfile $(CRON_WEBHOOK_DEPS)
DOCKER_BUILDKIT=1 docker build . --file cron/internal/webhook/Dockerfile \
--tag ${IMAGE_NAME}-webhook && \
touch cron/internal/webhook/webhook.docker
build-add-script: ## Runs go build on the add script
build-add-script: cron/internal/data/add/add
cron/internal/data/add/add: cron/internal/data/add/*.go cron/data/*.go cron/internal/data/projects.csv
# Run go build on the add script
cd cron/internal/data/add && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o add
build-validate-script: ## Runs go build on the validate script
build-validate-script: cron/internal/data/validate/validate
cron/internal/data/validate/validate: cron/internal/data/validate/*.go cron/data/*.go cron/internal/data/projects.csv
# Run go build on the validate script
cd cron/internal/data/validate && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o validate
docker-targets = scorecard-docker cron-controller-docker cron-worker-docker cron-cii-worker-docker cron-bq-transfer-docker cron-webhook-docker cron-github-server-docker
.PHONY: dockerbuild $(docker-targets)
dockerbuild: $(docker-targets)
cron-worker-docker:
DOCKER_BUILDKIT=1 docker build . --file cron/internal/worker/Dockerfile --tag $(IMAGE_NAME)-batch-worker
###############################################################################
##@ Tests
################################# make test ###################################
test-targets = unit-test e2e-pat e2e-gh-token ci-e2e
.PHONY: test $(test-targets)
test: $(test-targets)
unit-test: ## Runs unit test without e2e
# Run unit tests, ignoring e2e tests
# run the go tests and gen the file coverage-all used to do the integration with codecov
SKIP_GINKGO=1 go test -race -covermode=atomic -coverprofile=unit-coverage.out -coverpkg=./... `go list ./...`
unit-test-attestor: ## Runs unit tests on scorecard-attestor
cd attestor; SKIP_GINKGO=1 go test -covermode=atomic -coverprofile=unit-coverage.out `go list ./...`; cd ..;
check-env:
ifndef GITHUB_AUTH_TOKEN
$(error GITHUB_AUTH_TOKEN is undefined)
endif
check-env-gitlab:
ifndef GITLAB_AUTH_TOKEN
$(error GITLAB_AUTH_TOKEN is undefined)
endif
2022-04-12 03:35:44 +03:00
e2e-pat: ## Runs e2e tests. Requires GITHUB_AUTH_TOKEN env var to be set to GitHub personal access token
e2e-pat: build-scorecard check-env | $(GINKGO)
# Run e2e tests. GITHUB_AUTH_TOKEN with personal access token must be exported to run this
TOKEN_TYPE="PAT" $(GINKGO) --race -p -v -coverprofile=e2e-coverage.out -coverpkg=./... -r ./...
2022-04-12 03:35:44 +03:00
e2e-gh-token: ## Runs e2e tests. Requires GITHUB_AUTH_TOKEN env var to be set to default GITHUB_TOKEN
e2e-gh-token: build-scorecard check-env | $(GINKGO)
# Run e2e tests. GITHUB_AUTH_TOKEN set to secrets.GITHUB_TOKEN must be used to run this.
GITLAB_AUTH_TOKEN="" TOKEN_TYPE="GITHUB_TOKEN" $(GINKGO) --race -p -v -coverprofile=e2e-coverage.out --keep-separate-coverprofiles ./...
✨ CLI for scorecard-attestor (#2309) * Reorganize Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Working commit Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Compile with local scorecard; go mod tidy Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add signing code Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Update deps * Naming * Makefile Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Edit license, add lint.yml Signed-off-by: Raghav Kaul <raghavkaul@google.com> * checks: go mod tidy, license Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * Split into checker/signer files * Naming convention Signed-off-by: Raghav Kaul <raghavkaul@google.com> * License, remove golangci.yml Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * Use cobra Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add tests for root command Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Filter out checks that aren't needed for policy evaluation Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add `make` targets for attestor; submit coverage stats Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Improvements * Use sclog instead of glog * Remove unneeded subcommands * Formatting Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Flags: Make note-name constant and fix messaging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove SupportedRequestTypes Signed-off-by: Raghav Kaul <raghavkaul@google.com> * go mod tidy Signed-off-by: Raghav Kaul <raghavkaul@google.com> * go mod tidy, makefile Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Fix GH actions run Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com>
2022-11-01 21:30:17 +03:00
✨ Gitlab support: RepoClient (#2655) * Add make targets and E2E test target for GitLab only Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add GitLab support to RepoClient Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Build * Make target for e2e-gitlab-token * Only run Gitlab tests in CI that don't require a token Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove spurious printf Signed-off-by: Raghav Kaul <raghavkaul@google.com> * 🐛 Check OSS Fuzz build file for Fuzzing check (#2719) * Check OSS-Fuzz using project list Signed-off-by: Spencer Schrock <sschrock@google.com> * Use clients.RepoClient interface to perform the new OSS Fuzz check Signed-off-by: Spencer Schrock <sschrock@google.com> * wip: add eager client for better repeated lookup of projects Signed-off-by: Spencer Schrock <sschrock@google.com> * Split lazy and eager behavior into different implementations. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add tests and benchmarks Signed-off-by: Spencer Schrock <sschrock@google.com> * Switch to always parsing JSON to determine if a project is present. The other approach of looking for a substring match would lead to false positives. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add eager constructor to surface status file errors sooner. Signed-off-by: Spencer Schrock <sschrock@google.com> * Switch existing users to new OSS Fuzz client Signed-off-by: Spencer Schrock <sschrock@google.com> * Mark old method as deprecated in the godoc Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unused comment. Signed-off-by: Spencer Schrock <sschrock@google.com> * Use new OSS Fuzz client in e2e test. Signed-off-by: Spencer Schrock <sschrock@google.com> * fix typo. Signed-off-by: Spencer Schrock <sschrock@google.com> * Fix potential path bug with test server. Signed-off-by: Spencer Schrock <sschrock@google.com> * Force include the two JSON files which were being ignored by .gitignore Signed-off-by: Spencer Schrock <sschrock@google.com> * trim the status json file Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Co-authored-by: Spencer Schrock <sschrock@google.com>
2023-03-13 18:13:50 +03:00
e2e-gitlab-token: ## Runs e2e tests that require a GITLAB_TOKEN
e2e-gitlab-token: build-scorecard check-env-gitlab | $(GINKGO)
TEST_GITLAB_EXTERNAL=1 TOKEN_TYPE="GITLAB_PAT" $(GINKGO) --race -p -vv -coverprofile=e2e-coverage.out --keep-separate-coverprofiles --focus '.*GitLab' ./...
✨ Gitlab support: RepoClient (#2655) * Add make targets and E2E test target for GitLab only Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add GitLab support to RepoClient Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Build * Make target for e2e-gitlab-token * Only run Gitlab tests in CI that don't require a token Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove spurious printf Signed-off-by: Raghav Kaul <raghavkaul@google.com> * 🐛 Check OSS Fuzz build file for Fuzzing check (#2719) * Check OSS-Fuzz using project list Signed-off-by: Spencer Schrock <sschrock@google.com> * Use clients.RepoClient interface to perform the new OSS Fuzz check Signed-off-by: Spencer Schrock <sschrock@google.com> * wip: add eager client for better repeated lookup of projects Signed-off-by: Spencer Schrock <sschrock@google.com> * Split lazy and eager behavior into different implementations. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add tests and benchmarks Signed-off-by: Spencer Schrock <sschrock@google.com> * Switch to always parsing JSON to determine if a project is present. The other approach of looking for a substring match would lead to false positives. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add eager constructor to surface status file errors sooner. Signed-off-by: Spencer Schrock <sschrock@google.com> * Switch existing users to new OSS Fuzz client Signed-off-by: Spencer Schrock <sschrock@google.com> * Mark old method as deprecated in the godoc Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unused comment. Signed-off-by: Spencer Schrock <sschrock@google.com> * Use new OSS Fuzz client in e2e test. Signed-off-by: Spencer Schrock <sschrock@google.com> * fix typo. Signed-off-by: Spencer Schrock <sschrock@google.com> * Fix potential path bug with test server. Signed-off-by: Spencer Schrock <sschrock@google.com> * Force include the two JSON files which were being ignored by .gitignore Signed-off-by: Spencer Schrock <sschrock@google.com> * trim the status json file Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Co-authored-by: Spencer Schrock <sschrock@google.com>
2023-03-13 18:13:50 +03:00
e2e-gitlab: ## Runs e2e tests for GitLab only. TOKEN_TYPE is not used (since these are public APIs), but must be set to something
e2e-gitlab: build-scorecard | $(GINKGO)
TEST_GITLAB_EXTERNAL=1 TOKEN_TYPE="PAT" $(GINKGO) --race -p -vv -coverprofile=e2e-coverage.out --keep-separate-coverprofiles --focus ".*GitLab" ./...
✨ Gitlab support: RepoClient (#2655) * Add make targets and E2E test target for GitLab only Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add GitLab support to RepoClient Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Build * Make target for e2e-gitlab-token * Only run Gitlab tests in CI that don't require a token Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove spurious printf Signed-off-by: Raghav Kaul <raghavkaul@google.com> * 🐛 Check OSS Fuzz build file for Fuzzing check (#2719) * Check OSS-Fuzz using project list Signed-off-by: Spencer Schrock <sschrock@google.com> * Use clients.RepoClient interface to perform the new OSS Fuzz check Signed-off-by: Spencer Schrock <sschrock@google.com> * wip: add eager client for better repeated lookup of projects Signed-off-by: Spencer Schrock <sschrock@google.com> * Split lazy and eager behavior into different implementations. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add tests and benchmarks Signed-off-by: Spencer Schrock <sschrock@google.com> * Switch to always parsing JSON to determine if a project is present. The other approach of looking for a substring match would lead to false positives. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add eager constructor to surface status file errors sooner. Signed-off-by: Spencer Schrock <sschrock@google.com> * Switch existing users to new OSS Fuzz client Signed-off-by: Spencer Schrock <sschrock@google.com> * Mark old method as deprecated in the godoc Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unused comment. Signed-off-by: Spencer Schrock <sschrock@google.com> * Use new OSS Fuzz client in e2e test. Signed-off-by: Spencer Schrock <sschrock@google.com> * fix typo. Signed-off-by: Spencer Schrock <sschrock@google.com> * Fix potential path bug with test server. Signed-off-by: Spencer Schrock <sschrock@google.com> * Force include the two JSON files which were being ignored by .gitignore Signed-off-by: Spencer Schrock <sschrock@google.com> * trim the status json file Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Co-authored-by: Spencer Schrock <sschrock@google.com>
2023-03-13 18:13:50 +03:00
✨ CLI for scorecard-attestor (#2309) * Reorganize Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Working commit Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Compile with local scorecard; go mod tidy Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add signing code Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Update deps * Naming * Makefile Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Edit license, add lint.yml Signed-off-by: Raghav Kaul <raghavkaul@google.com> * checks: go mod tidy, license Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * Split into checker/signer files * Naming convention Signed-off-by: Raghav Kaul <raghavkaul@google.com> * License, remove golangci.yml Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * Use cobra Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add tests for root command Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Filter out checks that aren't needed for policy evaluation Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add `make` targets for attestor; submit coverage stats Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Improvements * Use sclog instead of glog * Remove unneeded subcommands * Formatting Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Flags: Make note-name constant and fix messaging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove SupportedRequestTypes Signed-off-by: Raghav Kaul <raghavkaul@google.com> * go mod tidy Signed-off-by: Raghav Kaul <raghavkaul@google.com> * go mod tidy, makefile Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Fix GH actions run Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com>
2022-11-01 21:30:17 +03:00
e2e-attestor: ## Runs e2e tests for scorecard-attestor
cd attestor/e2e; go test -covermode=atomic -coverprofile=e2e-coverage.out; cd ../..
###############################################################################
##@ TODO(#744)
################################## make ko-images #############################
ko-targets = scorecard-ko cron-controller-ko cron-worker-ko cron-cii-worker-ko cron-bq-transfer-ko cron-webhook-ko cron-github-server-ko
.PHONY: ko-images $(ko-targets)
ko-images: $(ko-targets)
KOCACHE_PATH=/tmp/ko
$(KOCACHE_PATH):
mkdir -p $(KOCACHE_PATH)
scorecard-ko: | $(KO) $(KOCACHE_PATH)
KO_DATA_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
KO_DOCKER_REPO=${KO_PREFIX}/${IMAGE_NAME}
LDFLAGS="$(LDFLAGS)" \
KO_CACHE=$(KOCACHE_PATH) \
$(KO) build -B \
--sbom=none \
--platform=$(PLATFORM) \
--tags latest,$(GIT_VERSION),$(GIT_HASH) \
github.com/ossf/scorecard/v5
cron-controller-ko: | $(KO) $(KOCACHE_PATH)
KO_DATA_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
KO_DOCKER_REPO=${KO_PREFIX}/$(IMAGE_NAME)-batch-controller \
LDFLAGS="$(LDFLAGS)" \
KOCACHE=$(KOCACHE_PATH) \
$(KO) build -B \
--push=false \
--sbom=none \
--platform=$(PLATFORM) \
--tags latest,$(GIT_VERSION),$(GIT_HASH) \
github.com/ossf/scorecard/v5/cron/internal/controller
cron-worker-ko: | $(KO) $(KOCACHE_PATH)
KO_DATA_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
KO_DOCKER_REPO=${KO_PREFIX}/$(IMAGE_NAME)-batch-worker \
LDFLAGS="$(LDFLAGS)" \
KOCACHE=$(KOCACHE_PATH) \
$(KO) build -B \
--push=false \
--sbom=none \
--platform=$(PLATFORM) \
--tags latest,$(GIT_VERSION),$(GIT_HASH) \
github.com/ossf/scorecard/v5/cron/internal/worker
cron-cii-worker-ko: | $(KO) $(KOCACHE_PATH)
KO_DATA_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
KO_DOCKER_REPO=${KO_PREFIX}/$(IMAGE_NAME)-cii-worker \
LDFLAGS="$(LDFLAGS)" \
KOCACHE=$(KOCACHE_PATH) \
$(KO) build -B \
--push=false \
--sbom=none \
--platform=$(PLATFORM)\
--tags latest,$(GIT_VERSION),$(GIT_HASH) \
github.com/ossf/scorecard/v5/cron/internal/cii
cron-bq-transfer-ko: | $(KO) $(KOCACHE_PATH)
KO_DATA_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
KO_DOCKER_REPO=${KO_PREFIX}/$(IMAGE_NAME)-bq-transfer \
LDFLAGS="$(LDFLAGS)" \
KOCACHE=$(KOCACHE_PATH) \
$(KO) build -B \
--push=false \
--sbom=none \
--platform=$(PLATFORM) \
--tags latest,$(GIT_VERSION),$(GIT_HASH) \
github.com/ossf/scorecard/v5/cron/internal/bq
cron-webhook-ko: | $(KO) $(KOCACHE_PATH)
KO_DATA_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
KO_DOCKER_REPO=${KO_PREFIX}/$(IMAGE_NAME)-cron-webhook \
LDFLAGS="$(LDFLAGS)" \
KOCACHE=$(KOCACHE_PATH) \
$(KO) build -B \
--push=false \
--sbom=none \
--platform=$(PLATFORM) \
--tags latest,$(GIT_VERSION),$(GIT_HASH) \
github.com/ossf/scorecard/v5/cron/internal/webhook
cron-github-server-ko: | $(KO) $(KOCACHE_PATH)
KO_DATA_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
KO_DOCKER_REPO=${KO_PREFIX}/$(IMAGE_NAME)-github-server \
LDFLAGS="$(LDFLAGS)" \
KOCACHE=$(KOCACHE_PATH) \
$(KO) build -B \
--push=false \
--sbom=none \
--platform=$(PLATFORM) \
--tags latest,$(GIT_VERSION),$(GIT_HASH) \
github.com/ossf/scorecard/v5/clients/githubrepo/roundtripper/tokens/server
###############################################################################