Stephen Augustus (he/him)
7956ff4fe7
✨ Miscellaneous refactors to ease downstream consumption ( #1645 )
...
* checker: Add `NewLogger` constructor for `DetailLogger` impl
* checker: Add `NewRunner` constructor for `Runner`
* cmd: Update to use refactored packages
* cmd: Move command flags and validation into an `options` package
* cmd: Move client accessors to `githubrepo` package
* cmd: Move policy and enabled checks to `policy` package
* cmd: Move results formatting to `format` package
* checker: Prefer `Set` prefixes for setters
* checker: Use `DetailLogger` return value for `NewLogger()`
* checker: Add `GetClients` accessor
* Move `FormatResults` to `pkg/`
* checks: Add getter for all checks
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-02-27 02:09:21 +00:00
Chris McGehee
76105194da
📖 Adding missing documentation for Token-Permissions ( #1656 )
...
* Adding missing documentation for Token-Permissions
* Make documentation for `actions` more accurate
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2022-02-25 22:47:11 +00:00
dependabot[bot]
4c82c29552
🌱 Bump github.com/rhysd/actionlint from 1.6.8 to 1.6.9
...
Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint ) from 1.6.8 to 1.6.9.
- [Release notes](https://github.com/rhysd/actionlint/releases )
- [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md )
- [Commits](https://github.com/rhysd/actionlint/compare/v1.6.8...v1.6.9 )
---
updated-dependencies:
- dependency-name: github.com/rhysd/actionlint
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-02-25 08:25:57 -06:00
Stephen Augustus (he/him)
692c682f22
Refine copy for PR template and add a release-note
code fence ( #1678 )
...
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-02-24 22:37:34 -05:00
Azeem Shaikh
504f134416
Update scorecard-analysis.yml ( #1674 )
2022-02-23 21:08:46 -08:00
Naveen
faeae4121e
🌱 Fixes the vulnerability GHSA-qq97-vm5h-rrhg ( #1672 )
...
- Fixed the vulnerability GHSA-qq97-vm5h-rrhg by using replace
directives.
2022-02-23 07:41:05 -08:00
naveensrinivasan
5a1ab20fae
🌱 Fix containerd vulns
...
- Fixes the containerd vulnerability by replacing 1.58 to 1.59 which
addresses the fix and dependabot will stop complaining about the
issue.
2022-02-22 21:57:46 -06:00
Naveen
d94a87d974
🌱 Fix containerd Vulnerability ( #1560 )
...
Fixes the containerd vulns.
https://github.com/ossf/scorecard/issues/1537
Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Stephen Augustus <foo@auggie.dev>
2022-02-23 00:41:56 +00:00
Chris McGehee
808941a4c2
✨ Token-Permissions, Allow contents: write
permission only for jobs that are releasing ( #1663 )
...
* Token-Permissions, distinguish contents/package
Allowing `contents: write` permission only for jobs that are releasing
jobs, not just packaging jobs.
2022-02-23 00:23:07 +00:00
Azeem Shaikh
e41f8595cb
Generalize CheckFileContent functions ( #1670 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-22 17:40:34 -06:00
naveensrinivasan
5656c3ed45
🌱 Ignore cron folder from codecov
...
- Ignoring the cron folder from codecov
2022-02-22 13:33:18 -06:00
Azeem Shaikh
f616278a8b
Generalize CheckIfFileExists fn ( #1668 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-22 18:50:01 +00:00
Azeem Shaikh
c03085ad9b
Remove duplicated function definitions ( #1666 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-22 07:38:56 -08:00
dependabot[bot]
e5b62b524e
🌱 Bump mvdan.cc/sh/v3 from 3.4.2 to 3.4.3 ( #1665 )
...
Bumps [mvdan.cc/sh/v3](https://github.com/mvdan/sh ) from 3.4.2 to 3.4.3.
- [Release notes](https://github.com/mvdan/sh/releases )
- [Changelog](https://github.com/mvdan/sh/blob/master/CHANGELOG.md )
- [Commits](https://github.com/mvdan/sh/compare/v3.4.2...v3.4.3 )
---
updated-dependencies:
- dependency-name: mvdan.cc/sh/v3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-02-21 04:24:58 -05:00
naveen
5dbc04a0c6
🌱 Avoid duplicate builds
...
Avoiding duplicate builds on main
https://github.community/t/how-to-trigger-an-action-on-push-or-pull-request-but-not-both/16662/2
2022-02-21 00:56:51 -06:00
Romain Dauby
33f80c93dc
Fix golangci-lint issues
2022-02-19 15:56:34 -06:00
Batuhan Apaydın
53bae3ee1a
feat: upgrade to ko v0.10.0
...
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
2022-02-19 05:24:27 -06:00
dependabot[bot]
1306b34853
🌱 Bump ossf/scorecard-action from 1.0.3 to 1.0.4
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 1.0.3 to 1.0.4.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Commits](b614d455ee...c1aec4ac82
)
---
updated-dependencies:
- dependency-name: ossf/scorecard-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-02-18 07:38:26 -06:00
behnazh-w
33a01f7647
🐛 Add custom packaging workflow for Python
...
Packaging workflows are allowed to have `contents: write` permission.
By adding relekang/python-semantic-release to the list of
packaging GitHub Actions workflows, we avoid false positivies in
the token permission check.
2022-02-17 17:16:34 -06:00
naveen
bba55d4257
🌱 Parallelize builds
...
- parallelize builds
2022-02-17 15:23:21 -06:00
naveen
1aff6db9f6
🌱 Ignore docker builds
...
- ignore docker builds for non-main branches
- ignore docker builds for *.md
2022-02-16 17:52:55 -06:00
Azeem Shaikh
674146ca3c
Make verbosity levels case insensitive ( #1650 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-16 19:33:04 +00:00
naveen
db1d568499
🌱 Remove building ko to speed up builds
...
- Remove building ko as we aren't using `ko` yet.
- Every build of `ko` slows down the build time.
- When we enable `ko` which will replace `docker` then we can enable `ko` builds
2022-02-16 10:49:27 -06:00
dependabot[bot]
e6f6c56d34
🌱 Bump github.com/onsi/ginkgo/v2 from 2.0.0 to 2.1.3
...
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo ) from 2.0.0 to 2.1.3.
- [Release notes](https://github.com/onsi/ginkgo/releases )
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md )
- [Commits](https://github.com/onsi/ginkgo/compare/v2.0.0...v2.1.3 )
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-02-16 08:36:38 -06:00
dependabot[bot]
4ebd8aff9c
🌱 Bump github.com/onsi/ginkgo/v2 from 2.0.0 to 2.1.3 in /tools
...
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo ) from 2.0.0 to 2.1.3.
- [Release notes](https://github.com/onsi/ginkgo/releases )
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md )
- [Commits](https://github.com/onsi/ginkgo/compare/v2.0.0...v2.1.3 )
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-02-16 07:13:41 -06:00
Jeff Mendoza
ba503c3bee
✨ githubrepo: Allow providing an already authenticated transport ( #1644 )
2022-02-15 19:13:45 -05:00
Azeem Shaikh
cda7a1b1d4
Add tests for graphQL costs ( #1643 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-15 23:38:23 +00:00
Azeem Shaikh
de5224bbc5
Update e2e tests ( #1641 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-15 19:27:45 +00:00
Azeem Shaikh
2b206dc365
Remove Version
field from LogMessage ( #1640 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-15 18:26:06 +00:00
naveen
35511342c8
🌱 Parallelize the builds
...
- Created a workflow with multiple jobs for each of the docker builds
- Created a workflow with multiple jobs for each of the ko builds
- Removed the reference to dockerbuild and kobuild in the build-targets
make target
- This should reduce the time required to finish the CI builds as it
makes it parallel.
2022-02-15 11:51:54 -06:00
laurentsimon
e7fd58d9a3
✨ Check for secrets in pull_request_target ( #1634 )
...
* checks/dangerous_workflow.go: add pull_request_target support for secrets
* missing files
* linter
2022-02-15 16:04:57 +00:00
dependabot[bot]
e3637c9e17
🌱 Bump cloud.google.com/go/bigquery from 1.27.0 to 1.28.0
...
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go ) from 1.27.0 to 1.28.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases )
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.27.0...spanner/v1.28.0 )
---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-02-15 06:21:45 -06:00
Azeem Shaikh
1e488a804f
Fix for repos which do not squash PR commits ( #1637 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-14 23:33:15 +00:00
Azeem Shaikh
f3332ce129
Add validation for commit-based APIs ( #1635 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-14 22:24:35 +00:00
dependabot[bot]
eb0730ae79
🌱 Bump github.com/goreleaser/goreleaser in /tools ( #1632 )
2022-02-14 11:35:10 +00:00
Stephen Augustus (he/him)
394789cf22
README.md: Add OpenSSF Best Practices badge ( #1629 )
...
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-02-12 03:46:52 -08:00
Azeem Shaikh
2e3e505a8c
Simplify DetailLogger interface ( #1628 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-11 15:48:58 -08:00
Azeem Shaikh
38be00c31f
Reduce query cost by analysing lesser associatedPR ( #1624 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-10 21:50:22 -06:00
laurentsimon
7de151cf49
✨ Check for secrets in workflows run on pull requests ( #1615 )
...
* updates
* missing files
* typo
* linter
* linter
* updates
* updates
2022-02-10 18:54:44 +00:00
dependabot[bot]
9b921f07c7
🌱 Bump actions/setup-go from 2.1.5 to 2.2.0 ( #1619 )
2022-02-10 10:13:56 +00:00
laurentsimon
61e52d4a65
update workflow ( #1617 )
2022-02-09 10:51:58 -08:00
dependabot[bot]
368c105abe
🌱 Bump cloud.google.com/go/pubsub from 1.17.0 to 1.18.0 ( #1616 )
2022-02-09 09:34:53 +00:00
Azeem Shaikh
6930c3ab3b
Add support for commit-based Scorecard ( #1613 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-07 19:03:36 -08:00
Azeem Shaikh
1c95237e4a
Only run allowed checks in different modes ( #1579 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-07 16:49:49 -08:00
Azeem Shaikh
eac2aecce6
Add support for commit-based lookup to GitHub APIs ( #1612 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-07 22:06:05 +00:00
naveen
68bf172e59
🌱 Unit tests fileparser/listing
...
Unit tests fileparser/listing
https://github.com/ossf/scorecard/issues/986
2022-02-07 15:33:18 -06:00
Naveen
30fc06e4a8
Fixed the formatting issue
2022-02-07 15:15:57 -06:00
naveen
aaf7a9f208
🌱 Cache builds between runs
...
Cache builds between runs.
2022-02-07 11:52:36 -06:00
naveen
049db386a5
🌱 Unit tests for dependency_update_tool
...
Unit tests for dependency_update_tool
https://github.com/ossf/scorecard/issues/986
Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-02-07 11:05:37 -06:00
laurentsimon
873308016c
checks/packaging.go: ignore workflows/<>/ files ( #1591 )
2022-02-04 21:42:59 +00:00