Stephen Augustus (he/him)
3070b3ca1b
✨ cmd: Allow new scorecard to be instantiated with options (#1703)
* cmd: Allow new scorecard commands to be instantiated with options
* options: Default flags to struct field values
* options: Use constants for flag names
* options: Simplify SARIF check
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-03-03 01:38:34 +00:00
laurentsimon
d192c8e3ac
✨ Add score to SARIF for all results (#1694)
* add score
* fix unit tests
2022-03-02 17:06:47 -08:00
laurentsimon
3818dbe839
Update CODEOWNERS (#1701)
@inferno-chromium asked to be removed because he's not actively reviewing PRs anymore and his inbox is being bombarded :-)
cc @inferno-chromium
2022-03-02 16:21:38 +00:00
dependabot[bot]
189cdc5b9b
🌱 Bump actions/stale from 4.1.0 to 5
Bumps [actions/stale](https://github.com/actions/stale) from 4.1.0 to 5.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](7fb802b307...3cc1237663)
---
updated-dependencies:
- dependency-name: actions/stale
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 09:03:04 -06:00
dependabot[bot]
23819152f8
🌱 Bump crazy-max/ghaction-import-gpg from 4.1.0 to 4.2.0
Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases)
- [Changelog](https://github.com/crazy-max/ghaction-import-gpg/blob/master/CHANGELOG.md)
- [Commits](cb4264d331...b7c9a01276)
---
updated-dependencies:
- dependency-name: crazy-max/ghaction-import-gpg
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 08:10:27 -06:00
dependabot[bot]
13b9cc5212
🌱 Bump actions/checkout from 2.4.0 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2.4.0 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](ec3a7ce113...a12a3943b4)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 07:29:16 -06:00
Stephen Augustus (he/him)
84cdc8cbec
✨ cmd: Refactor to make importable (#1696)
* cmd: Refactor to make importable
* options: Add support for parsing via environment variables
* options: Support setting feature flags via option
* cmd: Replace `version` with sigs.k8s.io/release-utils/version
* cmd: Move option validation into pre-run function
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-03-01 21:18:44 -08:00
Azeem Shaikh
738b246fe9
Fix cmd panic (#1692)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-03-01 20:17:24 +00:00
dependabot[bot]
837729418a
🌱 Bump goreleaser/goreleaser-action from 2.9.0 to 2.9.1
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.0 to 2.9.1.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](c127c9be61...b953231f81)
---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-03-01 06:42:36 -06:00
dependabot[bot]
dd9ae7df99
🌱 Bump actions/setup-go from 2.2.0 to 3
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2.2.0 to 3.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](bfdd3570ce...f6164bd8c8)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-03-01 06:33:03 -06:00
naveensrinivasan
5e5abdcd09
🌱 Unit tests for github workflow
- Unit tests for github workflow.
https://github.com/ossf/scorecard/issues/986
2022-02-28 20:02:50 -06:00
Naveen
ddb0fe3f31
✨ Changed jsonScorecardResultV2 type Public (#1682)
* ✨ Changed jsonScorecardResultV2 type Public
- Fixes https://github.com/ossf/scorecard/issues/1673
* Update pkg/json.go
Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com>
* Fixed the govet warning by including nolint
Fixed the govet linter warning by including nolint.
Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com>
2022-02-28 15:20:07 -05:00
dependabot[bot]
4635570f7c
🌱 Bump goreleaser/goreleaser-action from 2.8.1 to 2.9.0
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.8.1 to 2.9.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](79d4afbba1...c127c9be61)
---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-02-28 06:37:46 -06:00
Stephen Augustus (he/him)
d71866ca16
Update badges to correct package version and reference URLs
2022-02-27 09:29:49 -06:00
naveensrinivasan
c664364ccf
📖 Included reference to the GoDoc
2022-02-27 09:29:49 -06:00
Stephen Augustus (he/him)
7956ff4fe7
✨ Miscellaneous refactors to ease downstream consumption (#1645)
* checker: Add `NewLogger` constructor for `DetailLogger` impl
* checker: Add `NewRunner` constructor for `Runner`
* cmd: Update to use refactored packages
* cmd: Move command flags and validation into an `options` package
* cmd: Move client accessors to `githubrepo` package
* cmd: Move policy and enabled checks to `policy` package
* cmd: Move results formatting to `format` package
* checker: Prefer `Set` prefixes for setters
* checker: Use `DetailLogger` return value for `NewLogger()`
* checker: Add `GetClients` accessor
* Move `FormatResults` to `pkg/`
* checks: Add getter for all checks
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-02-27 02:09:21 +00:00
Chris McGehee
76105194da
📖 Adding missing documentation for Token-Permissions (#1656)
* Adding missing documentation for Token-Permissions
* Make documentation for `actions` more accurate
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2022-02-25 22:47:11 +00:00
dependabot[bot]
4c82c29552
🌱 Bump github.com/rhysd/actionlint from 1.6.8 to 1.6.9
Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.8 to 1.6.9.
- [Release notes](https://github.com/rhysd/actionlint/releases)
- [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rhysd/actionlint/compare/v1.6.8...v1.6.9)
---
updated-dependencies:
- dependency-name: github.com/rhysd/actionlint
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-02-25 08:25:57 -06:00
Stephen Augustus (he/him)
692c682f22
Refine copy for PR template and add a release-note code fence (#1678)
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-02-24 22:37:34 -05:00
Azeem Shaikh
504f134416
Update scorecard-analysis.yml (#1674)
2022-02-23 21:08:46 -08:00
Naveen
faeae4121e
🌱 Fixes the vulnerability GHSA-qq97-vm5h-rrhg (#1672)
- Fixed the vulnerability GHSA-qq97-vm5h-rrhg by using replace directives.
2022-02-23 07:41:05 -08:00
naveensrinivasan
5a1ab20fae
🌱 Fix containerd vulns
- Fixes the containerd vulnerability by replacing 1.58 with 1.59, which addresses the fix, and dependabot will stop complaining about the issue.
2022-02-22 21:57:46 -06:00
Naveen
d94a87d974
🌱 Fix containerd Vulnerability (#1560)
Fixes the containerd vulns.
https://github.com/ossf/scorecard/issues/1537
Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Stephen Augustus <foo@auggie.dev>
2022-02-23 00:41:56 +00:00
Chris McGehee
808941a4c2
✨ Token-Permissions, Allow contents: write permission only for jobs that are releasing (#1663)
* Token-Permissions, distinguish contents/package
Allowing `contents: write` permission only for jobs that are releasing jobs, not just packaging jobs.
2022-02-23 00:23:07 +00:00
Azeem Shaikh
e41f8595cb
Generalize CheckFileContent functions (#1670)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-22 17:40:34 -06:00
naveensrinivasan
5656c3ed45
🌱 Ignore cron folder from codecov
- Ignoring the cron folder from codecov
2022-02-22 13:33:18 -06:00
Azeem Shaikh
f616278a8b
Generalize CheckIfFileExists fn (#1668)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-22 18:50:01 +00:00
Azeem Shaikh
c03085ad9b
Remove duplicated function definitions (#1666)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-22 07:38:56 -08:00
dependabot[bot]
e5b62b524e
🌱 Bump mvdan.cc/sh/v3 from 3.4.2 to 3.4.3 (#1665)
Bumps [mvdan.cc/sh/v3](https://github.com/mvdan/sh) from 3.4.2 to 3.4.3.
- [Release notes](https://github.com/mvdan/sh/releases)
- [Changelog](https://github.com/mvdan/sh/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mvdan/sh/compare/v3.4.2...v3.4.3)
---
updated-dependencies:
- dependency-name: mvdan.cc/sh/v3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-02-21 04:24:58 -05:00
naveen
5dbc04a0c6
🌱 Avoid duplicate builds
Avoiding duplicate builds on main
https://github.community/t/how-to-trigger-an-action-on-push-or-pull-request-but-not-both/16662/2
2022-02-21 00:56:51 -06:00
Romain Dauby
33f80c93dc
Fix golangci-lint issues
2022-02-19 15:56:34 -06:00
Batuhan Apaydın
53bae3ee1a
feat: upgrade to ko v0.10.0
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
2022-02-19 05:24:27 -06:00
dependabot[bot]
1306b34853
🌱 Bump ossf/scorecard-action from 1.0.3 to 1.0.4
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 1.0.3 to 1.0.4.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Commits](b614d455ee...c1aec4ac82)
---
updated-dependencies:
- dependency-name: ossf/scorecard-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-02-18 07:38:26 -06:00
behnazh-w
33a01f7647
🐛 Add custom packaging workflow for Python
Packaging workflows are allowed to have `contents: write` permission. By adding relekang/python-semantic-release to the list of packaging GitHub Actions workflows, we avoid false positives in the token permission check.
2022-02-17 17:16:34 -06:00
naveen
bba55d4257
🌱 Parallelize builds
- parallelize builds
2022-02-17 15:23:21 -06:00
naveen
1aff6db9f6
🌱 Ignore docker builds
- ignore docker builds for non-main branches
- ignore docker builds for *.md
2022-02-16 17:52:55 -06:00
Azeem Shaikh
674146ca3c
Make verbosity levels case insensitive (#1650)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-16 19:33:04 +00:00
naveen
db1d568499
🌱 Remove building ko to speed up builds
- Remove building ko as we aren't using `ko` yet.
- Every build of `ko` slows down the build time.
- When we enable `ko` which will replace `docker` then we can enable `ko` builds
2022-02-16 10:49:27 -06:00
dependabot[bot]
e6f6c56d34
🌱 Bump github.com/onsi/ginkgo/v2 from 2.0.0 to 2.1.3
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.0.0 to 2.1.3.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.0.0...v2.1.3)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-02-16 08:36:38 -06:00
dependabot[bot]
4ebd8aff9c
🌱 Bump github.com/onsi/ginkgo/v2 from 2.0.0 to 2.1.3 in /tools
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.0.0 to 2.1.3.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.0.0...v2.1.3)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-02-16 07:13:41 -06:00
Jeff Mendoza
ba503c3bee
✨ githubrepo: Allow providing an already authenticated transport (#1644)
2022-02-15 19:13:45 -05:00
Azeem Shaikh
cda7a1b1d4
Add tests for graphQL costs (#1643)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-15 23:38:23 +00:00
Azeem Shaikh
de5224bbc5
Update e2e tests (#1641)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-15 19:27:45 +00:00
Azeem Shaikh
2b206dc365
Remove Version field from LogMessage (#1640)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-15 18:26:06 +00:00
naveen
35511342c8
🌱 Parallelize the builds
- Created a workflow with multiple jobs for each of the docker builds
- Created a workflow with multiple jobs for each of the ko builds
- Removed the reference to dockerbuild and kobuild in the build-targets make target
- This should reduce the time required to finish the CI builds as it makes it parallel.
2022-02-15 11:51:54 -06:00
laurentsimon
e7fd58d9a3
✨ Check for secrets in pull_request_target (#1634)
* checks/dangerous_workflow.go: add pull_request_target support for secrets
* missing files
* linter
2022-02-15 16:04:57 +00:00
dependabot[bot]
e3637c9e17
🌱 Bump cloud.google.com/go/bigquery from 1.27.0 to 1.28.0
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.27.0 to 1.28.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.27.0...spanner/v1.28.0)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-02-15 06:21:45 -06:00
Azeem Shaikh
1e488a804f
Fix for repos which do not squash PR commits (#1637)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-14 23:33:15 +00:00
Azeem Shaikh
f3332ce129
Add validation for commit-based APIs (#1635)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-14 22:24:35 +00:00
dependabot[bot]
eb0730ae79
🌱 Bump github.com/goreleaser/goreleaser in /tools (#1632)
2022-02-14 11:35:10 +00:00