Commit Graph

655 Commits

Author SHA1 Message Date
laurentsimon
b3a3f7e217
SARIF 2: add short description to checks.yml (#848)
* short desc

* validate new field

* typos

* comments

* fixed
2021-08-16 15:42:55 +00:00
dependabot[bot]
72337426f0
🌱 Bump go.uber.org/zap from 1.18.1 to 1.19.0 (#834)
Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.18.1 to 1.19.0.
- [Release notes](https://github.com/uber-go/zap/releases)
- [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/uber-go/zap/compare/v1.18.1...v1.19.0)

---
updated-dependencies:
- dependency-name: go.uber.org/zap
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-08-15 22:55:20 +00:00
Azeem Shaikh
42ee430332
Use RepoClient API for Fuzzing (#855)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-14 00:34:40 +00:00
Azeem Shaikh
4c585f2e5f
Fix nil pointer bug (#856)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-13 23:42:03 +00:00
Azeem Shaikh
8baaaa4cf8
Use RepoClient API for Contributors check (#854)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-13 18:13:43 +00:00
Azeem Shaikh
b7ddc9ac93
Update go-github version for consistency (#852)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-13 00:43:22 +00:00
Azeem Shaikh
d4701c4a4e
Delete Signed-Tags check from Scorecard (#851)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-12 22:26:50 +00:00
Azeem Shaikh
29fbdae1af
Enable automated e2e testing and releases (#850)
Co-authored-by: Azeem Shaikh <azeems@google.com>
Co-authored-by: Abhishek Arya <inferno@chromium.org>
2021-08-12 21:44:54 +00:00
Azeem Shaikh
3f9431d08c
Update SignedReleases to use RepoClient API (#844)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-12 20:46:06 +00:00
Naveen
e160d4a273
📖 Fixed the typos and rephrased some (#849)
* Fixed a few typos
* Rephrased a few statements.
2021-08-12 15:59:01 -04:00
Azeem Shaikh
7790d70119
Use consistent golang image across Dockerfiles (#847)
Co-authored-by: Azeem Shaikh <azeems@google.com>
Co-authored-by: Abhishek Arya <inferno@chromium.org>
2021-08-12 16:54:32 +00:00
asraa
cc312f2d1d
feature: branch protection without admin token (#823)
* branch protection without admin permission

Signed-off-by: Asra Ali <asraa@google.com>

* handle other errors

Signed-off-by: Asra Ali <asraa@google.com>

* fix lint

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-08-12 15:54:28 +00:00
dependabot[bot]
a10baab917
🌱 Bump golang from 5cdc91c to 3c4de86 (#846)
Bumps golang from `5cdc91c` to `3c4de86`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-08-12 11:10:42 -04:00
Azeem Shaikh
cbc556fbec
Append changelog to new releases (#838)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-11 23:27:15 +00:00
Azeem Shaikh
eeb563be10
Update SAST and CITest with Repoclient API (#842)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-12 08:27:48 +10:00
laurentsimon
5bcc1fdc4f
populate old details (#841)
2021-08-11 21:16:05 +00:00
Azeem Shaikh
977c2b8657
Log runtime failures in cron job (#840)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-11 18:54:40 +00:00
Mark J. Cox
20370f782a
🐛 Look for organisation default .github security.md files in all the locations they are allowed to be in (#837)
* The default community health files for an organisation can be in one of
three places, but the current check only looked in one of them. Expand
the check to all three places as per
https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file

This fixes scorecards failing to pick up the default Apache policy
https://github.com/apache/.github/blob/main/.github/SECURITY.md

Signed-off-by: Mark J. Cox <mark@awe.com>

* Wrap don't use a long line

* Follow the hint in the failure and run "gofmt -s" on it
2021-08-11 10:53:04 -07:00
dependabot[bot]
ee8e4026bc
🌱 Bump github.com/google/go-containerregistry (#832)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.1.2 to 0.6.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.1.2...v0.6.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-08-11 16:43:35 +00:00
Azeem Shaikh
4fcb0a392e
Fix a bug in flag parsing (#836)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-11 15:40:53 +00:00
dependabot[bot]
0f6cbc1703
🌱 Bump cloud.google.com/go/pubsub from 1.13.0 to 1.14.0 (#833)
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.13.0 to 1.14.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/master/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.13.0...pubsub/v1.14.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-08-11 05:01:54 +00:00
Azeem Shaikh
6cc41359a9
Remove false log statement (#835)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-11 04:09:13 +00:00
dependabot[bot]
bbf99add9e
🌱 Bump cloud.google.com/go/bigquery from 1.19.0 to 1.20.1 (#820)
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.19.0 to 1.20.1.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/master/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.19.0...bigquery/v1.20.1)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-08-11 03:22:00 +00:00
Azeem Shaikh
0561c15f21
Post to webhook on successful cron job completion (#829)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-11 02:36:57 +00:00
Azeem Shaikh
bc67dd306a
Create a webhook for tagging Docker images (#828)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-11 01:45:01 +00:00
Azeem Shaikh
ce7d4c396d
Update BQ query in README.md (#831)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-10 17:56:39 -07:00
dependabot[bot]
a2e34ede98
🌱 Bump crazy-max/ghaction-import-gpg from 3.1.0 to 3.2.0
Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 3.1.0 to 3.2.0.
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases)
- [Changelog](https://github.com/crazy-max/ghaction-import-gpg/blob/master/CHANGELOG.md)
- [Commits](b0793c0060...1c6a9e9d35)

---
updated-dependencies:
- dependency-name: crazy-max/ghaction-import-gpg
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-08-10 10:03:06 -05:00
naveen
ef9880c7b3
🌱 Implemented ignore for license check
The license check was updated with the ignore files.

Fixed the issue https://github.com/ossf/scorecard/issues/767
2021-08-09 16:09:01 -05:00
Naveen
0c55af5ef8
Scorecard builds for osx arm64 (#824)
Removed the arm64 ignore from goreleaser
2021-08-09 19:22:02 +00:00
Appu
8534836923
Also add version info to goreleaser (#822)
- shared configuration generation in ./scripts/version-ldflags

Signed-off-by: Appu Goundan <appu@google.com>
2021-08-09 18:22:30 +00:00
Azeem Shaikh
2931d91e23
Fix typo (#819)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-06 23:45:22 +00:00
dependabot[bot]
0e6559a1ce
🌱 Bump golang from 1.16.6 to 1.16.7
Bumps golang from 1.16.6 to 1.16.7.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-08-06 17:26:49 -05:00
dependabot[bot]
fc75fd44e8
🌱 Bump github.com/onsi/gomega from 1.14.0 to 1.15.0 (#816)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.14.0 to 1.15.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.14.0...v1.15.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-08-06 17:42:41 -04:00
Azeem Shaikh
7f71928daa
Generate .shard_metadata file in cron job shard (#814)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-06 18:07:42 +00:00
Azeem Shaikh
d58fd2d927
Add CloudBuild config for CronJob (#813)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-05 20:03:26 -07:00
Azeem Shaikh
f4d2628799
Ignore errors extracting corrupted tarball (#812)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-06 01:03:35 +00:00
laurentsimon
d821ea27ec
improve token permission (#811)
* sarif action

* update
2021-08-05 17:10:34 +00:00
Azeem Shaikh
df3c8663e9
Use a single image for worker and controller (#810)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-04 00:18:22 +00:00
laurentsimon
e4f3ede843
fix/enhance pinned-dependencies (#806)
* commit

* e2e tests

* typo
2021-08-03 23:32:34 +00:00
Azeem Shaikh
790a7778e7
Handle tarballs that cannot be downloaded. (#809)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-03 15:31:32 -07:00
Johan Brandhorst-Satzkorn
a3ae21f7c0
Fix minisign file ending example (#807)
The minisign project uses *.minisig signature files, which
is correctly searched for by the implementation logic
in signed_releases.go, however, the docs use
"*.minisign", which will confuse users.

Correct the docs to use the "*.minisig" file extension.

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-08-03 21:35:13 +00:00
Azeem Shaikh
08cc3c6202
Rollout worker whenever controller starts (#808)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-03 20:50:30 +00:00
Naveen
254f316ce5
🌱 Fix the e2e fixes for signedtags (#805)
2021-08-03 16:02:06 +00:00
naveen
f2b4d07c33
🌱 Updated e2e signed releases
Updated the e2e signed releases to the new repository.
2021-08-03 09:05:16 -05:00
laurentsimon
b2b37161f3
Improve token permission check (#800)
* draft

* draft 2

* draft3

* fix e2e

* comment

* comment

* check codeql

* missing files

* comments

* nit

* update msg

* msg

* nit

* nit

* msg

* e2e

* update doc
2021-08-03 00:56:45 +00:00
Naveen
91d3d82348
🌱 Fix the protobuf GitHub runner issue (#801)
Fixes the protobuf GitHub runner issue by cloning the repository and
installing it locally.

Source: https://lukasjoswiak.com/github-actions-protobuf/
2021-08-02 23:52:57 +00:00
laurentsimon
6718939a08
Cleanup errors and log (#782)
* cleanup

* text

* add errors

* fixes

* more

* fixes

* linter

* comments

* name
2021-08-02 22:38:42 +00:00
laurentsimon
9b2f3f5270
broken link to doc (#799)
* broken link

* main doc link
2021-08-02 14:33:17 -07:00
Azeem Shaikh
30bb11965a
Update Packaging check to use new APIs (#796)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-02 17:17:38 +00:00
laurentsimon
1bee125ab3
fix message (#798)
2021-08-02 16:00:22 +00:00