ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-09-11 00:45:36 +03:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity
1,382 Commits 34 Branches 42 Tags 435 MiB
3b7c46f779
Commit Graph

1382 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
laurentsimon
eedd16d5be linter 2022-04-12 10:54:38 -05:00
laurentsimon
6a48f174ce fix 2022-04-12 10:54:38 -05:00
laurentsimon
4b2c677185 fix 2022-04-12 10:54:38 -05:00
laurentsimon
2873c0d58d e2e for GITHUB_TOKEN 2022-04-12 10:54:38 -05:00
dependabot[bot]
a46313ca8a 🌱 Bump cloud.google.com/go/pubsub from 1.19.0 to 1.20.0 
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.19.0 to 1.20.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.19.0...pubsub/v1.20.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-12 08:50:47 -05:00
dependabot[bot]
fb0c0e1527 🌱 Bump actions/cache from 3.0.1 to 3.0.2 
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](136d96b4ae...48af2dc4a9)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-11 07:36:08 -05:00
naveensrinivasan
f9c2f9d79f 🌱 Dependency review action 
Included the https://github.com/actions/dependency-review-action

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-04-09 14:09:42 -05:00
Azeem Shaikh
333618d0d2
Security-Policy should not run on --local (#1825) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-04-07 14:12:22 -05:00
dependabot[bot]
4df16f3350 🌱 Bump codecov/codecov-action from 2.1.0 to 3 
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 2.1.0 to 3.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md)
- [Commits](f32b3a3741...e3c560433a)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-07 14:55:05 +00:00
dependabot[bot]
b6575a2731 🌱 Bump github.com/rhysd/actionlint from 1.6.10 to 1.6.11 
Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.10 to 1.6.11.
- [Release notes](https://github.com/rhysd/actionlint/releases)
- [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rhysd/actionlint/compare/v1.6.10...v1.6.11)

---
updated-dependencies:
- dependency-name: github.com/rhysd/actionlint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-07 14:38:43 +00:00
dependabot[bot]
8bc0fe5e83 🌱 Bump contrib.go.opencensus.io/exporter/stackdriver 
Bumps [contrib.go.opencensus.io/exporter/stackdriver](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver) from 0.13.10 to 0.13.11.
- [Release notes](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver/releases)
- [Commits](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver/compare/v0.13.10...v0.13.11)

---
updated-dependencies:
- dependency-name: contrib.go.opencensus.io/exporter/stackdriver
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-07 13:45:47 +00:00
Azeem Shaikh
a1e908b6f0
Support Security-Policy with --local (#1822) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-04-06 18:39:19 -07:00
noamd
5860896619 detect workflow_run as a dangerous trigger 2022-04-06 07:22:54 -05:00
dependabot[bot]
606f28ad25 🌱 Bump sigs.k8s.io/release-utils from 0.5.0 to 0.6.0 
Bumps [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils) from 0.5.0 to 0.6.0.
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.5.0...v0.6.0)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/release-utils
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-05 21:36:00 +00:00
naveensrinivasan
81133363f0 🌱 e2e for pinned_dependencies for localrepoclient 
- e2e for pinned_dependencies for localrepoclient

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-04-05 16:15:17 -05:00
naveensrinivasan
b6b5592629 🌱 e2e for dangerous_workflow local repo 
- e2e for dangerous_workflow for localrepoclient.
 2022-04-05 15:21:52 -05:00
naveensrinivasan
761bb4e4b3 🌱 Fixes the golang version 
Hopefully this fixes the make linter failures

https://github.com/ossf/scorecard/runs/5834278035?check_suite_focus=true

I noticed while trying to debug , which was using go 1.18 in the
workflow log.

Which made me decide to pin it to specific version of go 1.17.7
```
go env -w GOFLAGS=-mod=mod
  make check-linter
  shell: /usr/bin/bash -e {0}
  env:
    PROTOC_VERSION: 3.17.3
    GOROOT: /opt/hostedtoolcache/go/1.18.0/x64
```

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-04-05 14:45:31 -05:00
dependabot[bot]
b42a175784 🌱 Bump gocloud.dev from 0.24.0 to 0.25.0 
Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.24.0 to 0.25.0.
- [Release notes](https://github.com/google/go-cloud/releases)
- [Commits](https://github.com/google/go-cloud/compare/v0.24.0...v0.25.0)

---
updated-dependencies:
- dependency-name: gocloud.dev
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-04 09:51:38 -05:00
naveensrinivasan
648b6634e6 🌱 Experimental option for codeql 
- Included the experimental option for Codeql
https://github.blog/2022-02-17-code-scanning-finds-vulnerabilities-using-machine-learning/
 2022-04-01 19:15:44 -05:00
laurentsimon
27dbf9c7e5
Raw results for Signed-Release check (#1789) 
* Raw results for Signed-Releases

* updates

* linter
 2022-04-01 23:13:58 +00:00
naveensrinivasan
e8c633a41b 🌱 e2e tests for security policy localrepo 
- Included e2e tests for security policy for localrepo client

https://github.com/ossf/scorecard/issues/1353

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-03-31 16:20:16 -05:00
naveensrinivasan
e5f5deb64e 🌱 e2e tests for local repoclient for permissions 
- Included e2e tests for local repoclient for permissions.

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-03-31 14:52:16 -05:00
naveensrinivasan
ab9769a4da 🌱 Fix protoc build failures 
- Fix protoc build failures by retries

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-03-31 14:33:45 -05:00
dependabot[bot]
99ecdea2dd 🌱 Bump actions/cache from 3.0.0 to 3.0.1 
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](4b0cf6cc46...136d96b4ae)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-03-31 17:37:21 +00:00
Carlos Tadeu Panato Junior
7dcb3cb3e2
checks: add GitHub Webhook check (#1675) 
* checks: add GitHub Webhook check

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* update per feedback

Signed-off-by: cpanato <ctadeu@gmail.com>

* add evaluation code

Signed-off-by: cpanato <ctadeu@gmail.com>

* add feature gate check

Signed-off-by: cpanato <ctadeu@gmail.com>

* fix lint

Signed-off-by: cpanato <ctadeu@gmail.com>
 2022-03-31 07:29:59 -07:00
cpanato
93889a8e70 install missing tool in add-projects job 
Signed-off-by: cpanato <ctadeu@gmail.com>
 2022-03-31 08:00:22 -05:00
cpanato
f1268bfaee cleanup protoc version 
Signed-off-by: cpanato <ctadeu@gmail.com>
 2022-03-31 08:00:22 -05:00
dependabot[bot]
d10ac0dbb0 🌱 Bump cloud.google.com/go/bigquery from 1.30.1 to 1.30.2 
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.30.2.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.30.1...bigquery/v1.30.2)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-03-31 05:02:41 -05:00
Carlos Tadeu Panato Junior
92027ed41b
small cleanup on the workflow jobs and remove the master branch reference (#1800) 
Signed-off-by: cpanato <ctadeu@gmail.com>

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2022-03-30 16:11:30 +00:00
dependabot[bot]
389078c5d8 🌱 Bump cloud.google.com/go/bigquery from 1.30.0 to 1.30.1 
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.30.0 to 1.30.1.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.30.0...spanner/v1.30.1)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-03-30 08:35:38 -05:00
dependabot[bot]
49564838f9 🌱 Bump github.com/onsi/gomega from 1.18.1 to 1.19.0 
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.18.1 to 1.19.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.18.1...v1.19.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-03-29 22:15:55 +00:00
dependabot[bot]
c428e3181e 🌱 Bump distroless/base in /cron/worker 
Bumps distroless/base from `792dfe7` to `764b74b`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-03-29 21:28:57 +00:00
Azeem Shaikh
6a078c68c2
Use GITHUB_TOKEN for downloading protoc (#1797) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-03-29 13:55:45 -07:00
dependabot[bot]
ce06ac1a7e
🌱 Bump distroless/base in /cron/webhook (#1794) 
Bumps distroless/base from `792dfe7` to `764b74b`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
 2022-03-29 19:51:22 +00:00
naveensrinivasan
0644b18898 🌱 e2e for local repoclient license check 
- e2e for local repoclient for license check.

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-03-29 14:38:24 -05:00
naveensrinivasan
cacc3e486d 🌱 e2e tests binary artifacts localrepo 
- e2e tests for binary artifacts check for localrepo

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-03-29 14:03:12 -05:00
laurentsimon
037a3f3516
Raw result for Maintained check (#1780) 
* draft

* draft

* raw results for Maintained check

* updates

* updates

* missing files

* updates

* unit tests

* e2e tests

* tests

* linter

* updates
 2022-03-29 16:35:42 +00:00
Guillaume Ross
682e6ea176 Explicit permissions for github actions 
To improve OSSF Scorecard score on Scorecard repo
 2022-03-29 10:29:08 -05:00
dependabot[bot]
007156b1d3 🌱 Bump distroless/base in /cron/controller 
Bumps distroless/base from `792dfe7` to `764b74b`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-03-29 09:59:08 -05:00
dependabot[bot]
10d46d5be0 🌱 Bump distroless/base from 792dfe7 to 764b74b 
Bumps distroless/base from `792dfe7` to `764b74b`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-03-28 19:11:47 +00:00
dependabot[bot]
d2e88f2ab6 🌱 Bump github.com/golangci/golangci-lint in /tools 
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.45.0 to 1.45.2.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.45.0...v1.45.2)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-03-25 10:20:43 -05:00
laurentsimon
363d1bd858
Add comment to update action policy file (#1751) 
Add comment to update action policy file if the passing score value is updated
no breaking changes
```release-notes
Add comment to update action policy file if the passing score value is updated
```
 2022-03-25 00:42:14 +00:00
laurentsimon
8150ab0f88
Make Vuln ID field lower case in raw results (#1761) 
* case sensitive ID

* updates
 2022-03-25 00:24:23 +00:00
laurentsimon
2bbbce75b3
🐛 Discard GitHub token in dangerous workflow check (#1772) 
* Discard GitHub token in dangerous workflow check

* missing files
 2022-03-23 23:37:23 +00:00
dependabot[bot]
66b3d8ce5c
🌱 Bump github.com/golangci/golangci-lint from 1.44.2 to 1.45.0 in /tools (#1757) 
* 🌱 Bump github.com/golangci/golangci-lint in /tools

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.44.2 to 1.45.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.44.2...v1.45.0)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* golangci-lint: Surface and fix as many lint warnings automatically

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* generated: Run golangci-lint with `fix: true`

Signed-off-by: Stephen Augustus <foo@auggie.dev>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stephen Augustus <foo@auggie.dev>
 2022-03-23 02:23:39 +00:00
dependabot[bot]
10bd777ddf 🌱 Bump peter-evans/find-comment from 1.3.0 to 2 
Bumps [peter-evans/find-comment](https://github.com/peter-evans/find-comment) from 1.3.0 to 2.
- [Release notes](https://github.com/peter-evans/find-comment/releases)
- [Commits](d2dae40ed1...1769778a0c)

---
updated-dependencies:
- dependency-name: peter-evans/find-comment
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-03-23 01:08:04 +00:00
dependabot[bot]
0a82d2b425 🌱 Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.27.1 to 1.28.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.27.1...v1.28.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-03-23 00:49:24 +00:00
dependabot[bot]
aecff0bc1b 🌱 Bump peter-evans/create-or-update-comment from 1.4.5 to 2 
Bumps [peter-evans/create-or-update-comment](https://github.com/peter-evans/create-or-update-comment) from 1.4.5 to 2.
- [Release notes](https://github.com/peter-evans/create-or-update-comment/releases)
- [Commits](a35cf36e53...c9fcb64660)

---
updated-dependencies:
- dependency-name: peter-evans/create-or-update-comment
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-03-22 23:36:02 +00:00
dependabot[bot]
c671bac37d 🌱 Bump peter-evans/slash-command-dispatch from 2.3.0 to 3 
Bumps [peter-evans/slash-command-dispatch](https://github.com/peter-evans/slash-command-dispatch) from 2.3.0 to 3.
- [Release notes](https://github.com/peter-evans/slash-command-dispatch/releases)
- [Commits](40877f718d...2afb49dbaa)

---
updated-dependencies:
- dependency-name: peter-evans/slash-command-dispatch
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-03-22 22:59:08 +00:00
dependabot[bot]
28635662b8 🌱 Bump actions/upload-artifact from 2.3.1 to 3 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2.3.1 to 3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](82c141cc51...6673cd052c)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-03-22 22:11:20 +00:00