ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-09-11 00:45:36 +03:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity
1,382 Commits 34 Branches 42 Tags 435 MiB
3b7c46f779
Commit Graph

1382 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
dependabot[bot]
4635570f7c 🌱 Bump goreleaser/goreleaser-action from 2.8.1 to 2.9.0 
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.8.1 to 2.9.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](79d4afbba1...c127c9be61)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-02-28 06:37:46 -06:00
Stephen Augustus (he/him)
d71866ca16 Update badges to correct package version and reference URLs 2022-02-27 09:29:49 -06:00
naveensrinivasan
c664364ccf 📖 Included reference to the GoDoc 2022-02-27 09:29:49 -06:00
Stephen Augustus (he/him)
7956ff4fe7
Miscellaneous refactors to ease downstream consumption (#1645) 
* checker: Add `NewLogger` constructor for `DetailLogger` impl
* checker: Add `NewRunner` constructor for `Runner`
* cmd: Update to use refactored packages
* cmd: Move command flags and validation into an `options` package
* cmd: Move client accessors to `githubrepo` package
* cmd: Move policy and enabled checks to `policy` package
* cmd: Move results formatting to `format` package
* checker: Prefer `Set` prefixes for setters
* checker: Use `DetailLogger` return value for `NewLogger()`
* checker: Add `GetClients` accessor
* Move `FormatResults` to `pkg/`
* checks: Add getter for all checks

Signed-off-by: Stephen Augustus <foo@auggie.dev>
 2022-02-27 02:09:21 +00:00
Chris McGehee
76105194da
📖 Adding missing documentation for Token-Permissions (#1656) 
* Adding missing documentation for Token-Permissions

* Make documentation for `actions` more accurate

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2022-02-25 22:47:11 +00:00
dependabot[bot]
4c82c29552 🌱 Bump github.com/rhysd/actionlint from 1.6.8 to 1.6.9 
Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.8 to 1.6.9.
- [Release notes](https://github.com/rhysd/actionlint/releases)
- [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rhysd/actionlint/compare/v1.6.8...v1.6.9)

---
updated-dependencies:
- dependency-name: github.com/rhysd/actionlint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-02-25 08:25:57 -06:00
Stephen Augustus (he/him)
692c682f22
Refine copy for PR template and add a release-note code fence (#1678) 
Signed-off-by: Stephen Augustus <foo@auggie.dev>
 2022-02-24 22:37:34 -05:00
Azeem Shaikh
504f134416
Update scorecard-analysis.yml (#1674) 2022-02-23 21:08:46 -08:00
Naveen
faeae4121e
🌱 Fixes the vulnerability GHSA-qq97-vm5h-rrhg (#1672) 
- Fixed the vulnerability GHSA-qq97-vm5h-rrhg by using replace
  directives.
 2022-02-23 07:41:05 -08:00
naveensrinivasan
5a1ab20fae 🌱 Fix containerd vulns 
- Fixes the containerd vulnerability by replacing 1.58 to 1.59 which
  addresses the fix and dependabot will stop complaining about the
  issue.
 2022-02-22 21:57:46 -06:00
Naveen
d94a87d974
🌱 Fix containerd Vulnerability (#1560) 
Fixes the containerd vulns.

https://github.com/ossf/scorecard/issues/1537
Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Stephen Augustus <foo@auggie.dev>
 2022-02-23 00:41:56 +00:00
Chris McGehee
808941a4c2
Token-Permissions, Allow contents: write permission only for jobs that are releasing (#1663) 
* Token-Permissions, distinguish contents/package

Allowing `contents: write` permission only for jobs that are releasing
jobs, not just packaging jobs.
 2022-02-23 00:23:07 +00:00
Azeem Shaikh
e41f8595cb
Generalize CheckFileContent functions (#1670) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-22 17:40:34 -06:00
naveensrinivasan
5656c3ed45 🌱 Ignore cron folder from codecov 
- Ignoring the cron folder from codecov
 2022-02-22 13:33:18 -06:00
Azeem Shaikh
f616278a8b
Generalize CheckIfFileExists fn (#1668) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-22 18:50:01 +00:00
Azeem Shaikh
c03085ad9b
Remove duplicated function definitions (#1666) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-22 07:38:56 -08:00
dependabot[bot]
e5b62b524e
🌱 Bump mvdan.cc/sh/v3 from 3.4.2 to 3.4.3 (#1665) 
Bumps [mvdan.cc/sh/v3](https://github.com/mvdan/sh) from 3.4.2 to 3.4.3.
- [Release notes](https://github.com/mvdan/sh/releases)
- [Changelog](https://github.com/mvdan/sh/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mvdan/sh/compare/v3.4.2...v3.4.3)

---
updated-dependencies:
- dependency-name: mvdan.cc/sh/v3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-02-21 04:24:58 -05:00
naveen
5dbc04a0c6 🌱 Avoid duplicate builds 
Avoiding duplicate builds on main
https://github.community/t/how-to-trigger-an-action-on-push-or-pull-request-but-not-both/16662/2
 2022-02-21 00:56:51 -06:00
Romain Dauby
33f80c93dc Fix golangci-lint issues 2022-02-19 15:56:34 -06:00
Batuhan Apaydın
53bae3ee1a feat: upgrade to ko v0.10.0 
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
 2022-02-19 05:24:27 -06:00
dependabot[bot]
1306b34853 🌱 Bump ossf/scorecard-action from 1.0.3 to 1.0.4 
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 1.0.3 to 1.0.4.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Commits](b614d455ee...c1aec4ac82)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-02-18 07:38:26 -06:00
behnazh-w
33a01f7647 🐛 Add custom packaging workflow for Python 
Packaging workflows are allowed to have `contents: write` permission.
By adding relekang/python-semantic-release to the list of
packaging GitHub Actions workflows, we avoid false positivies in
the token permission check.
 2022-02-17 17:16:34 -06:00
naveen
bba55d4257 🌱 Parallelize builds 
- parallelize builds
 2022-02-17 15:23:21 -06:00
naveen
1aff6db9f6 🌱 Ignore docker builds 
- ignore docker builds for non-main branches
- ignore docker builds for *.md
 2022-02-16 17:52:55 -06:00
Azeem Shaikh
674146ca3c
Make verbosity levels case insensitive (#1650) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-16 19:33:04 +00:00
naveen
db1d568499 🌱 Remove building ko to speed up builds 
- Remove building ko as we aren't using `ko` yet.
- Every build of `ko` slows down the build time.
- When we enable `ko` which will replace `docker` then we can enable `ko` builds
 2022-02-16 10:49:27 -06:00
dependabot[bot]
e6f6c56d34 🌱 Bump github.com/onsi/ginkgo/v2 from 2.0.0 to 2.1.3 
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.0.0 to 2.1.3.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.0.0...v2.1.3)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-02-16 08:36:38 -06:00
dependabot[bot]
4ebd8aff9c 🌱 Bump github.com/onsi/ginkgo/v2 from 2.0.0 to 2.1.3 in /tools 
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.0.0 to 2.1.3.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.0.0...v2.1.3)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-02-16 07:13:41 -06:00
Jeff Mendoza
ba503c3bee
githubrepo: Allow providing an already authenticated transport (#1644) 2022-02-15 19:13:45 -05:00
Azeem Shaikh
cda7a1b1d4
Add tests for graphQL costs (#1643) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-15 23:38:23 +00:00
Azeem Shaikh
de5224bbc5
Update e2e tests (#1641) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-15 19:27:45 +00:00
Azeem Shaikh
2b206dc365
Remove Version field from LogMessage (#1640) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-15 18:26:06 +00:00
naveen
35511342c8 🌱 Parallelize the builds 
- Created a workflow with multiple jobs for each of the docker builds
- Created a workflow with multiple jobs for each of the ko builds
- Removed the reference to dockerbuild and kobuild in the build-targets
  make target
- This should reduce the time required to finish the CI builds as it
  makes it parallel.
 2022-02-15 11:51:54 -06:00
laurentsimon
e7fd58d9a3
Check for secrets in pull_request_target (#1634) 
* checks/dangerous_workflow.go: add pull_request_target support for secrets

* missing files

* linter
 2022-02-15 16:04:57 +00:00
dependabot[bot]
e3637c9e17 🌱 Bump cloud.google.com/go/bigquery from 1.27.0 to 1.28.0 
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.27.0 to 1.28.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.27.0...spanner/v1.28.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-02-15 06:21:45 -06:00
Azeem Shaikh
1e488a804f
Fix for repos which do not squash PR commits (#1637) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-14 23:33:15 +00:00
Azeem Shaikh
f3332ce129
Add validation for commit-based APIs (#1635) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-14 22:24:35 +00:00
dependabot[bot]
eb0730ae79
🌱 Bump github.com/goreleaser/goreleaser in /tools (#1632) 2022-02-14 11:35:10 +00:00
Stephen Augustus (he/him)
394789cf22
README.md: Add OpenSSF Best Practices badge (#1629) 
Signed-off-by: Stephen Augustus <foo@auggie.dev>
 2022-02-12 03:46:52 -08:00
Azeem Shaikh
2e3e505a8c
Simplify DetailLogger interface (#1628) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-11 15:48:58 -08:00
Azeem Shaikh
38be00c31f
Reduce query cost by analysing lesser associatedPR (#1624) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-10 21:50:22 -06:00
laurentsimon
7de151cf49
Check for secrets in workflows run on pull requests (#1615) 
* updates

* missing files

* typo

* linter

* linter

* updates

* updates
 2022-02-10 18:54:44 +00:00
dependabot[bot]
9b921f07c7
🌱 Bump actions/setup-go from 2.1.5 to 2.2.0 (#1619) 2022-02-10 10:13:56 +00:00
laurentsimon
61e52d4a65
update workflow (#1617) 2022-02-09 10:51:58 -08:00
dependabot[bot]
368c105abe
🌱 Bump cloud.google.com/go/pubsub from 1.17.0 to 1.18.0 (#1616) 2022-02-09 09:34:53 +00:00
Azeem Shaikh
6930c3ab3b
Add support for commit-based Scorecard (#1613) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-07 19:03:36 -08:00
Azeem Shaikh
1c95237e4a
Only run allowed checks in different modes (#1579) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-07 16:49:49 -08:00
Azeem Shaikh
eac2aecce6
Add support for commit-based lookup to GitHub APIs (#1612) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-07 22:06:05 +00:00
naveen
68bf172e59 🌱 Unit tests fileparser/listing 
Unit tests fileparser/listing
 https://github.com/ossf/scorecard/issues/986
 2022-02-07 15:33:18 -06:00
Naveen
30fc06e4a8 Fixed the formatting issue 2022-02-07 15:15:57 -06:00