raghavkaul
4063fb6d49
🌱 Code Review: treat merging a PR as code review ( #2413 )
...
* Merges on Github count as a code review by the maintainer
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update Raw Results
* More detailed information for Changesets
* If there's no Revision ID, use the Commit SHA instead
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Check that pull request had atleast one reviewer that wasn't its author
* Add field for Pull Request Merged-By to Github and Gitlab
* Note, this check can be bypassed if an author opens a PR with other
people's commits
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
2022-11-08 11:09:02 -08:00
dependabot[bot]
556405dc46
🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0
...
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo ) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases )
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md )
- [Commits](https://github.com/onsi/ginkgo/compare/v2.4.0...v2.5.0 )
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-08 13:59:16 +00:00
dependabot[bot]
954b376031
🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools ( #2436 )
...
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo ) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases )
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md )
- [Commits](https://github.com/onsi/ginkgo/compare/v2.4.0...v2.5.0 )
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-11-08 04:32:37 -08:00
Spencer Schrock
1eba29654a
enable more performant isText ( #2433 )
...
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
2022-11-07 12:36:07 -08:00
dependabot[bot]
45528812cb
🌱 Bump github/codeql-action from 2.1.30 to 2.1.31 ( #2431 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](18fe527fa8...c3b6fce4ee
)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-11-04 20:32:11 -05:00
scott hissam
9a85fad9c0
✨ Improved Security Policy Check ( #2195 )
...
* ✨ Improved Security Policy Check (#2137 )
* Examines and awards points for linked content (URLs / Emails)
* Examines and awards points for hints of disclosure and vulnerability practices
* Examines and awards points for hints of elaboration of timelines
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Repaired Security Policy to correctly use linked content length for evaluation
Signed-off-by: Scott Hissam <shissam@gmail.com>
* gofmt'ed changes
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails
Signed-off-by: Scott Hissam <shissam@gmail.com>
* added unit test cases for the new content-based Security Policy checks
Signed-off-by: Scott Hissam <shissam@gmail.com>
* reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs
Signed-off-by: Scott Hissam <shissam@gmail.com>
* ✨ Improved Security Policy Check (#2137 ) (revisted based on comments)
* replaced reason strings with log.Info & log.Warn (as seen in --show-details)
* internal assertion check for nil (*pinfo) and empty pfile
* internal switched to FileTypeText over FileTypeSource
* internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file
* revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved merge conflict with checks.yaml
Signed-off-by: Scott Hissam <shissam@gmail.com>
* updated raw results to emit all the raw information for the new security policy check
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved merge conflicts and lint errors with json_raw_results.go
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files.
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files are found in the repo
Signed-off-by: Scott Hissam <shissam@gmail.com>
* added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment
Signed-off-by: Scott Hissam <shissam@gmail.com>
* restored reporting full security policy path and filename for policies found in the org level repos
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved conflicts in checks.yaml for documentation
Signed-off-by: Scott Hissam <shissam@gmail.com>
* ✨ CLI for scorecard-attestor (#2309 )
* Reorganize
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Compile with local scorecard; go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add signing code
Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update deps
* Naming
* Makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Edit license, add lint.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* checks: go mod tidy, license
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Split into checker/signer files
* Naming convention
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* License, remove golangci.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Use cobra
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add tests for root command
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Filter out checks that aren't needed for policy evaluation
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add `make` targets for attestor; submit coverage stats
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Improvements
* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Flags: Make note-name constant and fix messaging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove SupportedRequestTypes
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy, makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Fix GH actions run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
* removed whitespace before stanza for Run attestor e2e
Signed-off-by: Scott Hissam <shissam@gmail.com>
* resolved code review and doc review comments
Signed-off-by: Scott Hissam <shissam@gmail.com>
* repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
2022-11-04 14:35:44 -07:00
Spencer Schrock
d67fcbab59
revert failing unit-test on ci error ( #2422 )
...
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
2022-11-04 09:11:44 -07:00
dependabot[bot]
6a00f92156
🌱 Bump github/codeql-action from 2.1.29 to 2.1.30
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](ec3cf9c605...18fe527fa8
)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-03 13:46:47 +00:00
dependabot[bot]
9fc35358a2
🌱 Bump github.com/onsi/gomega from 1.23.0 to 1.24.0
...
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega ) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/onsi/gomega/releases )
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md )
- [Commits](https://github.com/onsi/gomega/compare/v1.23.0...v1.24.0 )
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-03 13:25:47 +00:00
Spencer Schrock
0e3f81c880
🐛 modify alternative isText to accept carriage returns ( #2421 )
...
* modify IsText from golang.org/x/tools/godoc/util to accept carriage returns.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add TODO reminder to cleanup after release tests
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
2022-11-02 20:39:52 -07:00
Spencer Schrock
043a720f0c
🌱 Enable comparison for alternative isText implementation ( #2414 )
...
* use more performant IsText
Signed-off-by: Spencer Schrock <sschrock@google.com>
* AB test isText implementations
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add comparison env var to release test.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* go mod tidy for attestor
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
2022-11-01 21:07:59 -07:00
Spencer Schrock
fba72f8974
Fail unit-test job if codecov upload fails ( #2415 )
...
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
2022-11-01 19:13:07 -07:00
Spencer Schrock
9ae801fb11
Bump scorecard-action ( #2416 )
...
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
2022-11-01 15:16:22 -07:00
Spencer Schrock
d8737fde18
fix workflow ( #2417 )
...
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
2022-11-01 14:11:50 -07:00
raghavkaul
a8f98be924
✨ CLI for scorecard-attestor ( #2309 )
...
* Reorganize
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Compile with local scorecard; go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add signing code
Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update deps
* Naming
* Makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Edit license, add lint.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* checks: go mod tidy, license
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Split into checker/signer files
* Naming convention
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* License, remove golangci.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Use cobra
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add tests for root command
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Filter out checks that aren't needed for policy evaluation
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add `make` targets for attestor; submit coverage stats
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Improvements
* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Flags: Make note-name constant and fix messaging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove SupportedRequestTypes
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy, makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Fix GH actions run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
2022-11-01 18:30:17 +00:00
dependabot[bot]
1fa7910432
🌱 Bump github.com/goreleaser/goreleaser in /tools ( #2373 )
...
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser ) from 1.11.5 to 1.12.3.
- [Release notes](https://github.com/goreleaser/goreleaser/releases )
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml )
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.11.5...v1.12.3 )
---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-31 07:47:18 -05:00
dependabot[bot]
a45b506ac0
🌱 Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 ( #2363 )
...
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action ) from 2.9.1 to 3.2.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases )
- [Commits](b953231f81...b508e2e3ef
)
---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-30 11:18:02 -05:00
dependabot[bot]
5f25855100
🌱 Bump github.com/golangci/golangci-lint in /tools
...
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint ) from 1.50.0 to 1.50.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases )
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md )
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.50.0...v1.50.1 )
---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-30 14:03:19 +00:00
dependabot[bot]
8b281c68c8
🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools
...
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo ) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases )
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md )
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.6...v2.4.0 )
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-29 19:42:34 +00:00
dependabot[bot]
b90b5f024b
🌱 Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 ( #2409 )
...
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega ) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases )
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md )
- [Commits](https://github.com/onsi/gomega/compare/v1.20.2...v1.23.0 )
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-29 18:44:49 +00:00
dependabot[bot]
93b59720c4
🌱 Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0
...
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab ) from 0.73.1 to 0.74.0.
- [Release notes](https://github.com/xanzy/go-gitlab/releases )
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go )
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.73.1...v0.74.0 )
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-29 17:33:03 +00:00
dependabot[bot]
8220f0f23b
🌱 Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0
...
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go ) from 1.25.1 to 1.26.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases )
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.25.1...pubsub/v1.26.0 )
---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-29 14:00:56 +00:00
dependabot[bot]
038e84e7f5
🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0
...
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo ) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases )
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md )
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.6...v2.4.0 )
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-28 19:51:29 +00:00
dependabot[bot]
f9f0c0aa70
🌱 Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 ( #2397 )
...
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra ) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/spf13/cobra/releases )
- [Commits](https://github.com/spf13/cobra/compare/v1.6.0...v1.6.1 )
---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-27 09:38:53 -05:00
dependabot[bot]
b878d2d1a5
🌱 Bump actions/dependency-review-action from 2.4.1 to 2.5.1
...
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action ) from 2.4.1 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](9c96258789...0efb1d1d84
)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-26 20:37:38 +00:00
dependabot[bot]
4c43f61de9
🌱 Bump github/codeql-action from 2.1.28 to 2.1.29
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.28 to 2.1.29.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](cc7986c02b...ec3cf9c605
)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-26 18:39:24 +00:00
dependabot[bot]
e4f84df788
🌱 Bump peter-evans/create-or-update-comment from 2.0.1 to 2.1.0
...
Bumps [peter-evans/create-or-update-comment](https://github.com/peter-evans/create-or-update-comment ) from 2.0.1 to 2.1.0.
- [Release notes](https://github.com/peter-evans/create-or-update-comment/releases )
- [Commits](2b2c85d0bf...5adcb0bb0f
)
---
updated-dependencies:
- dependency-name: peter-evans/create-or-update-comment
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-26 16:34:09 +00:00
dependabot[bot]
9e2eafc3ae
🌱 Bump sigstore/cosign-installer from 2.7.0 to 2.8.1 ( #2402 )
...
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) from 2.7.0 to 2.8.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases )
- [Commits](ced07f21fb...9becc61764
)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-26 08:59:37 -05:00
dependabot[bot]
d56e2b840d
🌱 Bump actions/setup-go from 3.3.0 to 3.3.1 ( #2400 )
...
Bumps [actions/setup-go](https://github.com/actions/setup-go ) from 3.3.0 to 3.3.1.
- [Release notes](https://github.com/actions/setup-go/releases )
- [Commits](268d8c0ca0...c4a742cab1
)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-26 07:14:09 +00:00
dependabot[bot]
13cd222a88
🌱 Bump actions/upload-artifact from 3.1.0 to 3.1.1
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](3cea537223...83fd05a356
)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-25 19:04:50 +00:00
dependabot[bot]
b3439c15ec
🌱 Bump github/codeql-action from 2.1.27 to 2.1.28 ( #2398 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.27 to 2.1.28.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](807578363a...cc7986c02b
)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-25 10:21:02 -07:00
dependabot[bot]
ca5972ab56
🌱 Bump cloud.google.com/go/bigquery from 1.39.0 to 1.43.0 ( #2395 )
...
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go ) from 1.39.0 to 1.43.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases )
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.39.0...bigquery/v1.43.0 )
---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-24 21:40:07 -07:00
dependabot[bot]
078d23ca53
🌱 Bump peter-evans/find-comment from 2.0.0 to 2.0.1 ( #2387 )
...
* 🌱 Bump peter-evans/find-comment from 2.0.0 to 2.0.1
Bumps [peter-evans/find-comment](https://github.com/peter-evans/find-comment ) from 2.0.0 to 2.0.1.
- [Release notes](https://github.com/peter-evans/find-comment/releases )
- [Commits](1769778a0c...b657a70ff1
)
Signed-off-by: Spencer Schrock <sschrock@google.com>
---
updated-dependencies:
- dependency-name: peter-evans/find-comment
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* bump version comment
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
2022-10-25 03:19:22 +00:00
dependabot[bot]
2c40753c6d
🌱 Bump crazy-max/ghaction-import-gpg from 5.1.0 to 5.2.0 ( #2386 )
...
* 🌱 Bump crazy-max/ghaction-import-gpg from 5.1.0 to 5.2.0
Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg ) from 5.1.0 to 5.2.0.
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases )
- [Commits](c8bb57c57e...111c56156b
)
Signed-off-by: Spencer Schrock <sschrock@google.com>
---
updated-dependencies:
- dependency-name: crazy-max/ghaction-import-gpg
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* version comment bump
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
2022-10-25 02:12:38 +00:00
dependabot[bot]
4d0b374d03
🌱 Bump nick-invision/retry from 2.8.1 to 2.8.2 ( #2359 )
...
Bumps [nick-invision/retry](https://github.com/nick-invision/retry ) from 2.8.1 to 2.8.2.
- [Release notes](https://github.com/nick-invision/retry/releases )
- [Changelog](https://github.com/nick-fields/retry/blob/master/.releaserc.js )
- [Commits](b4fa57557d...3e91a01664
)
---
updated-dependencies:
- dependency-name: nick-invision/retry
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-25 00:25:15 +00:00
Spencer Schrock
93f3d93749
🌱 Manual bump every docker distroless:base to 99133cb
( #2392 )
...
* Reduce docker updates to weekly
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Bump all dockers to 99133cb
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
2022-10-24 18:43:46 +00:00
dependabot[bot]
7c4dd23262
🌱 Bump distroless/base ( #2390 )
...
Bumps distroless/base from `a74f307` to `99133cb`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-24 05:21:58 -05:00
Gabriela Gutierrez
d5fa5d1eff
fix: Replace deprecated set-output with GITHUB_OUTPUT ( #2384 )
...
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
2022-10-22 15:42:25 +00:00
dependabot[bot]
fa6ccebea0
🌱 Bump actions/cache from 3.0.10 to 3.0.11 ( #2351 )
...
* 🌱 Bump actions/cache from 3.0.10 to 3.0.11
Bumps [actions/cache](https://github.com/actions/cache ) from 3.0.10 to 3.0.11.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](56461b9eb0...9b0c1fce7a
)
Signed-off-by: Spencer Schrock <sschrock@google.com>
---
updated-dependencies:
- dependency-name: actions/cache
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* bump version comment
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
2022-10-22 03:04:47 +00:00
dependabot[bot]
94187db06d
🌱 Bump peter-evans/create-or-update-comment from 2.0.0 to 2.0.1 ( #2360 )
...
Bumps [peter-evans/create-or-update-comment](https://github.com/peter-evans/create-or-update-comment ) from 2.0.0 to 2.0.1.
- [Release notes](https://github.com/peter-evans/create-or-update-comment/releases )
- [Commits](c9fcb64660...2b2c85d0bf
)
---
updated-dependencies:
- dependency-name: peter-evans/create-or-update-comment
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-21 18:43:07 -07:00
Spencer Schrock
6558626f94
Disable auto rebasing when PR merged ( #2378 )
...
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
2022-10-21 10:44:03 -07:00
dependabot[bot]
b0c3d04098
🌱 Bump golang.org/x/tools from 0.1.12 to 0.2.0 ( #2377 )
...
Bumps [golang.org/x/tools](https://github.com/golang/tools ) from 0.1.12 to 0.2.0.
- [Release notes](https://github.com/golang/tools/releases )
- [Commits](https://github.com/golang/tools/compare/v0.1.12...v0.2.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-21 08:37:53 -05:00
Hugo van Kemenade
084bcd9009
📖 Clarify CII-Best-Practices score for each badge ( #2313 )
...
* Clarify CII-Best-Practices score for each badge
Signed-off-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
* Clarify CII-Best-Practices score for each badge
Signed-off-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
* Move to checks.yaml and regenerate
Signed-off-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Signed-off-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
2022-10-21 00:06:02 +00:00
Dave Banerjee
d7c23c9433
📖 Patch fix: updated makefile to include unit-test and unit-test-attestor and cont… ( #2366 )
...
* updated makefile to include unit-test and unit-test-attestor and contributing doc to include e2e-pat
Signed-off-by: Dave Banerjee <dave.banerjee@ibm.com>
* updated docs
Signed-off-by: Dave Banerjee <dave.banerjee@ibm.com>
Signed-off-by: Dave Banerjee <dave.banerjee@ibm.com>
Co-authored-by: Dave Banerjee <Dave.Banerjee@ibm.com>
2022-10-20 22:28:55 +00:00
dependabot[bot]
bd0de45a90
🌱 Bump github.com/google/go-containerregistry ( #2371 )
...
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry ) from 0.11.0 to 0.12.0.
- [Release notes](https://github.com/google/go-containerregistry/releases )
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml )
- [Commits](https://github.com/google/go-containerregistry/compare/v0.11.0...v0.12.0 )
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-20 09:19:34 -05:00
Spencer Schrock
f979097a1f
🌱 cron: generalize and expose worker (6/n) ( #2317 )
...
* WIP
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Appease linter.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Update Makefile for worker
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Extract already completed request sanity check.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add worker test.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove logger from worker interface
Signed-off-by: Spencer Schrock <sschrock@google.com>
* move cron data and worker out of cron/internal
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Move config out of internal.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Document worker interface.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Fix typo which prevented metadata from going to cron job.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Address feedback.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Revert "Fix typo which prevented metadata from going to cron job."
This reverts commit 876acb062e
.
Will send separate PR.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Fix linter.
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
2022-10-19 21:01:42 +00:00
Spencer Schrock
900701c045
Fix typo which prevented metadata from going to cron job. ( #2370 )
...
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
2022-10-19 18:41:42 +00:00
Theresa Mammarella
3f58335ddd
✨ Add Sonatype Lift as a dependency update tool, doc upgrade ( #2328 )
...
* Add Sonatype Lift as a dependency update tool, doc upgrade
Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>
* Fix integration tests
Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>
* Generate docs
Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>
Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>
2022-10-19 15:33:05 +00:00
Eddie Knight
2f504b7946
Removed job-level permissions check for actions and packages ( #2367 )
...
* Removed job-level permissions check for actions and packages
Signed-off-by: Eddie Knight <knight@linux.com>
* Updated unit tests
Signed-off-by: Eddie Knight <knight@linux.com>
Signed-off-by: Eddie Knight <knight@linux.com>
2022-10-19 01:02:17 -07:00
dependabot[bot]
d76bcb664b
🌱 Bump golang.org/x/text from 0.3.8 to 0.4.0 ( #2364 )
...
Bumps [golang.org/x/text](https://github.com/golang/text ) from 0.3.8 to 0.4.0.
- [Release notes](https://github.com/golang/text/releases )
- [Commits](https://github.com/golang/text/compare/v0.3.8...v0.4.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/text
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-18 17:29:56 +00:00