laurentsimon
cf71c9539c
✨ Add details to message for default location in SARIF ( #1414 )
...
* add details to message
* fix
2021-12-23 19:06:02 +00:00
dependabot[bot]
eef99b5ce0
🌱 Bump actions/setup-go from 2.1.4 to 2.1.5 ( #1407 )
2021-12-22 08:40:44 -06:00
laurentsimon
3c1e8148d4
✨ Do not expose sarif and policy command ( #1405 )
...
* hide sarif support
* use variable
2021-12-21 18:05:56 +00:00
laurentsimon
6f21258131
reduce score by 1 ( #1404 )
2021-12-21 17:28:31 +00:00
dependabot[bot]
090ae4f0bb
🌱 Bump actions/stale from 4.0.0 to 4.1.0 ( #1384 )
...
Bumps [actions/stale](https://github.com/actions/stale) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](cdf15f641a...7fb802b307)
---
updated-dependencies:
- dependency-name: actions/stale
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-12-17 17:53:20 +00:00
dependabot[bot]
f9daa4e3cc
🌱 Bump github.com/rhysd/actionlint from 1.6.7 to 1.6.8 ( #1267 )
...
Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.7 to 1.6.8.
- [Release notes](https://github.com/rhysd/actionlint/releases)
- [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rhysd/actionlint/compare/v1.6.7...v1.6.8)
---
updated-dependencies:
- dependency-name: github.com/rhysd/actionlint
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-12-17 17:24:32 +00:00
laurentsimon
df3d50df76
🐛 Fix score calculation for multiple files ( #1401 )
...
* multi file support
* fix multi-files permissions
* change name
* add tests
* use struct for files
* comments
* comment
2021-12-16 23:16:02 +00:00
laurentsimon
3d9b1d2900
✨ [RAW] Branch Protection support ( #1396 )
...
* raw bp
* missing files
* context never nil
* support raw bp
* unit tests
* remove comments
* merging
* linter
2021-12-16 21:42:05 +00:00
asraa
c795615321
✨ Enable dangerous workflow in release test ( #1402 )
...
* enable dangerous workflow in release test
Signed-off-by: Asra Ali <asraa@google.com>
* fix
Signed-off-by: Asra Ali <asraa@google.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-16 18:49:49 +00:00
Azeem Shaikh
26733c95be
Update timeout for retries ( #1403 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-16 10:25:35 -08:00
Azeem Shaikh
be7fe32866
Fix more retry breakages ( #1398 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-15 23:27:23 +00:00
Azeem Shaikh
ecc96576f4
Refactor to improve readability ( #1394 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-15 15:01:34 -08:00
Azeem Shaikh
bbbca2bd87
Fix retry workflow ( #1397 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-15 14:31:46 -08:00
naveen
a13b63eae2
🌱 Improves the ci-e2e with retries
2021-12-15 12:50:36 -06:00
laurentsimon
f2cee41ca9
✨ [RAW]: dependency update tool ( #1391 )
...
* dependency update tool
* rename
* missing files
* add fields
* rm field
2021-12-15 17:02:31 +00:00
Jason Hall
cef72f0f7d
🐛 Fix ko build workflows in Makefile ( #1392 )
...
* Use ko to build everything in cloudbuild.yaml
* --push=false and undo cloudbuild.yaml changes for now
2021-12-15 10:35:07 -06:00
laurentsimon
46e94eb925
✨ [DRAFT: RAW]: Security policy support ( #1372 )
...
* raw sec policy
* missing file
* fix validation of check.yml
* updates
* comments
* dead code
* comments
2021-12-14 23:51:42 +00:00
laurentsimon
551961718d
✨ [RAW] End-to-end support for raw results for Binary-Artifacts ( #1255 )
...
* split binary artifact check
* fix
* missing file
* comments
* fix
* comments
* draft
* merge fix
* fix merge
* add indirection
* comments
* comments
* linter
* comments
* updates
* updates
* updates
* linter
* comments
2021-12-14 21:10:24 +00:00
Chris McGehee
f991fee32d
Adding line numbers for rest of Token-Permissions (and by extension, Packaging) ( #1381 )
2021-12-14 04:14:35 +00:00
laurentsimon
ca97581538
✨ Comply with GH-specific rules for SARIF ( #1379 )
...
* GH-specific validation rules
* fix
* fix
2021-12-14 01:47:57 +00:00
Naveen
a0513aa877
Update stale.yml
2021-12-13 16:53:51 -06:00
olivekl
d4df1f6136
Update README.md ( #1388 )
...
Update link for more useful GH app authentication instructions
2021-12-13 20:50:43 +00:00
olivekl
fa29896003
Clarify Authentication and Token info in README.md ( #1387 )
...
Add suggestion of which PAT to set;
Add explanation of why authentication is needed;
Clarify the "either-or" options for authentication;
Add link to GH Installations (please confirm link is correct)
2021-12-13 10:08:19 -08:00
Naveen
9c89717239
🌱 Fix the stale configuration. ( #1385 )
...
A number of issues and PRs aren't getting attention, and this will help
us with this.
2021-12-13 08:52:01 -08:00
dependabot[bot]
870a850cc3
🌱 Bump github.com/onsi/gomega from 1.16.0 to 1.17.0 ( #1225 )
...
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.16.0 to 1.17.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.16.0...v1.17.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-12-12 15:25:44 +00:00
laurentsimon
86fd966dc4
✨ Don't use the policy filename in SARIF results ( #1373 )
...
* don't display a policy file
* fix utests
* update msg
* update test
2021-12-10 17:07:32 -08:00
asraa
cfa1593e1c
✨ Add Script Injection to Dangerous-Workflow ( #1368 )
...
* add dangerous workflow pattern script injection
Signed-off-by: Asra Ali <asraa@google.com>
* add more tests
Signed-off-by: Asra Ali <asraa@google.com>
* update laurent comments
Signed-off-by: Asra Ali <asraa@google.com>
2021-12-09 13:53:55 -08:00
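The script-injection pattern that #1368 adds to Dangerous-Workflow, shown here as an added example that is not scorecard's own code: a small scanner that reports `${{ }}` expressions referencing attacker-controlled event fields when they are interpolated into a `run:` script, with a vulnerable workflow and the `env:` indirection fix side by side. The list of untrusted contexts, the sample workflows and the function names are this example's own assumptions, not the project's tables or API.

```go
package main

import (
	"regexp"
	"strings"
)

// Event fields an outside contributor controls via an issue, PR or comment
// (constructed list for this example, not the project's own table).
var untrustedContexts = []string{
	"github.event.issue.title", "github.event.issue.body",
	"github.event.pull_request.title", "github.event.pull_request.body",
	"github.event.pull_request.head.ref", "github.event.comment.body",
	"github.event.review.body", "github.event.commits", // prefix: commit messages
	"github.event.head_commit.message", "github.head_ref",
}

// exprRe captures the inside of a ${{ ... }} expression.
var exprRe = regexp.MustCompile(`\$\{\{\s*([^}]*?)\s*\}\}`)

// Finding is one untrusted expression interpolated into a run: script.
type Finding struct {
	Line int
	Expr string
}

// exprsIn returns the untrusted expressions on one line of a run: script.
func exprsIn(lineNo int, text string) []Finding {
	var out []Finding
	for _, m := range exprRe.FindAllStringSubmatch(text, -1) {
		for _, c := range untrustedContexts {
			if strings.Contains(m[1], c) {
				out = append(out, Finding{Line: lineNo, Expr: m[1]})
				break
			}
		}
	}
	return out
}

// FindScriptInjections walks the workflow line by line, tracking when a line
// belongs to a run: value (inline, or a |/> block scalar indented deeper than
// the run: key), and reports untrusted ${{ }} expressions found there. Values
// under env: or with: are not reported: they reach the step as data, not script.
func FindScriptInjections(workflow string) []Finding {
	var findings []Finding
	inRun, runCol := false, 0
	for i, raw := range strings.Split(workflow, "\n") {
		lineNo := i + 1
		trimmed := strings.TrimLeft(raw, " ")
		keyCol := len(raw) - len(trimmed) // column of the YAML key on this line
		if strings.HasPrefix(trimmed, "- ") {
			trimmed, keyCol = strings.TrimPrefix(trimmed, "- "), keyCol+2
		}
		if inRun {
			if strings.TrimSpace(raw) == "" || keyCol > runCol {
				findings = append(findings, exprsIn(lineNo, raw)...)
				continue
			}
			inRun = false // back at or above the run: key, block scalar ended
		}
		if strings.HasPrefix(trimmed, "run:") {
			rest := strings.TrimSpace(strings.TrimPrefix(trimmed, "run:"))
			if strings.HasPrefix(rest, "|") || strings.HasPrefix(rest, ">") {
				inRun, runCol = true, keyCol
			} else {
				findings = append(findings, exprsIn(lineNo, rest)...)
			}
		}
	}
	return findings
}

// Constructed sample: issue title and body are pasted straight into a shell
// script, so a title containing shell metacharacters runs as part of the step.
const VulnerableWorkflow = `on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"
          echo "${{ github.event.issue.body }}" | grep -qi security && echo needs-attention
`

// Same job with the fix: untrusted values are passed through env: and read as
// shell variables, so their content is never parsed as shell syntax.
const HardenedWorkflow = `on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}
          BODY: ${{ github.event.issue.body }}
        run: |
          echo "New issue: $TITLE"
          echo "$BODY" | grep -qi security && echo needs-attention
`
```

Running `FindScriptInjections` over `VulnerableWorkflow` flags the two `echo` lines; the hardened variant produces no findings because the only `${{ }}` expressions sit under `env:`. The indentation-based block tracking is deliberately simple and assumes the workflow uses spaces and `|`/`>` block scalars, which is how workflows are usually written; a real check should parse the YAML instead of scanning text.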
Jamie Magee
777713901e
docs: add installation instructions for mac and linux
2021-12-08 18:27:41 -06:00
Evgeny Vereshchagin
75bcc333de
CI-Tests: look for test-related strings in target urls as well ( #1374 )
...
Apparently some projects like systemd and bcc put links (containing
the word "Jenkins") to their Jenkins instances in target urls.
https://buildbot.iovisor.org/jenkins/job/bcc-pr/1157/
https://jenkins-systemd.apps.ocp.ci.centos.org/job/upstream-vagrant-archlinux-sanitizers/8288/
It's a follow-up to https://github.com/ossf/scorecard/pull/1293#issuecomment-976384882
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-12-08 17:34:28 +00:00
Evgeny Vereshchagin
01ebb0dcf3
Pinned-Dependencies: show where exactly parsing fails ( #1297 )
...
Looks like due to https://github.com/mvdan/sh/issues/636
scorecard can't parse comments quoted with backticks like
```
cmd -a \
-b `# without backticks -c below would be a separate command` \
-c
```
and fails with something like
```
error parsing shell code: 82:26: reached EOF without closing quote `
```
This PR turns that message into
```
error parsing shell code: vagrant/bootstrap_scripts/arch-sanitizers-clang.sh: 82:26: reached EOF without closing quote `
```
which is a bit more useful.
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-12-08 01:52:08 +00:00
laurentsimon
6e013cf67d
✨ Token-Permission: Allow top level permissions not defined if all run level permissions are ( #1356 )
...
* doc
* allow non defined top level
* fix
* e2e fix
* linter
2021-12-08 01:18:28 +00:00
Evgeny Vereshchagin
2e391503e4
Code-Review: show PRs merged without code review ( #1375 )
...
to make it easier to figure out whether those PRs are really merged
without code review or whether there is a bug in scorecard like
https://github.com/ossf/scorecard/issues/1260 that prevents it
from finding reviewed PRs. Other than that, the "CI-Tests" check
already show "untested" PRs so it seems the "Code-Review" check
should follow suit.
2021-12-07 16:47:29 -08:00
Chen
be9a6234b5
Update the Risk of dangerous-workflow ( #1361 )
...
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-07 18:00:36 +00:00
Evgeny Vereshchagin
5043cbcc7c
CI-Tests: no longer fail if there are no check suites ( #1335 )
...
In PRs like https://github.com/iovisor/bcc/pull/3626 no check suites
are triggered:
```
$ curl --silent -H "Accept: application/vnd.github.v3+json" 3fcf0f1b58/check-runs
{
"total_count": 0,
"check_runs": [
]
}
```
```
curl --silent -H "Accept: application/vnd.github.v3+json" 3fcf0f1b58/check-suites
{
"total_count": 0,
"check_suites": [
]
}
```
The check should just keep going because "statuses" still can be
triggered, so it should use them instead:
Closes https://github.com/ossf/scorecard/issues/1285
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-07 03:27:59 +00:00
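The fallback described in #1335, together with the target URL matching from #1374 above, as an added example in Go that is not scorecard's own code: check runs are consulted first, and when the commit has none the check falls through to commit statuses instead of declaring the PR untested, matching the CI name pattern against both the status context and its target URL. The JSON payloads, the CI name list and the function name are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Minimal shapes of the GitHub REST responses the check consumes
// (GET .../commits/{sha}/check-runs and GET .../commits/{sha}/statuses).
type checkRun struct {
	Name       string `json:"name"`
	Conclusion string `json:"conclusion"`
	App        struct {
		Slug string `json:"slug"`
	} `json:"app"`
}

type checkRunsResponse struct {
	TotalCount int        `json:"total_count"`
	CheckRuns  []checkRun `json:"check_runs"`
}

type commitStatus struct {
	Context   string `json:"context"`
	State     string `json:"state"`
	TargetURL string `json:"target_url"`
}

// ciRe is a constructed list of CI systems; it is matched against check-run
// app slugs and names, and against status contexts and target URLs.
var ciRe = regexp.MustCompile(`(?i)github-actions|travis|circleci|jenkins|appveyor|buildkite|azure-pipelines|semaphore|packit`)

// TestedBy decides whether a merged PR's head commit ran CI. Check runs are
// consulted first; when none exist (total_count 0) the commit statuses are
// used instead. It returns the evidence matched, or "" when nothing qualifies.
func TestedBy(checkRunsJSON, statusesJSON []byte) (string, error) {
	var runs checkRunsResponse
	if err := json.Unmarshal(checkRunsJSON, &runs); err != nil {
		return "", fmt.Errorf("check-runs: %w", err)
	}
	for _, r := range runs.CheckRuns {
		if r.Conclusion == "success" && (ciRe.MatchString(r.App.Slug) || ciRe.MatchString(r.Name)) {
			return "check run " + r.Name + " (" + r.App.Slug + ")", nil
		}
	}
	// No usable check run: fall through to statuses rather than failing the PR.
	var statuses []commitStatus
	if err := json.Unmarshal(statusesJSON, &statuses); err != nil {
		return "", fmt.Errorf("statuses: %w", err)
	}
	for _, s := range statuses {
		if s.State != "success" {
			continue
		}
		if ciRe.MatchString(s.Context) {
			return "status context " + s.Context, nil
		}
		if ciRe.MatchString(s.TargetURL) { // e.g. a Jenkins job URL behind a generic context
			return "status target_url " + s.TargetURL, nil
		}
	}
	return "", nil
}

// Constructed sample payloads, not captured from a real repository.
var (
	NoCheckRuns   = []byte(`{"total_count": 0, "check_runs": []}`)
	ActionsRun    = []byte(`{"total_count": 1, "check_runs": [{"name": "unit-tests", "conclusion": "success", "app": {"slug": "github-actions"}}]}`)
	NoStatuses    = []byte(`[]`)
	JenkinsByURL  = []byte(`[{"context": "buildbot/pr", "state": "success", "target_url": "https://buildbot.example.org/jenkins/job/pr/42/"}]`)
	FailedJenkins = []byte(`[{"context": "continuous-integration/jenkins", "state": "failure", "target_url": ""}]`)
)

func main() {
	cases := [][2][]byte{{NoCheckRuns, JenkinsByURL}, {ActionsRun, NoStatuses}, {NoCheckRuns, NoStatuses}}
	for _, c := range cases {
		evidence, err := TestedBy(c[0], c[1])
		switch {
		case err != nil:
			fmt.Println("error:", err)
		case evidence == "":
			fmt.Println("untested: no CI check run or status found")
		default:
			fmt.Println("tested by", evidence)
		}
	}
}
```

Only successful runs and statuses count: a failed Jenkins status is not evidence that the change was tested, and an empty check-runs response with no statuses still yields "untested".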
laurentsimon
1aac7aa39c
✨ update log msg for non-pinned actions ( #1370 )
2021-12-06 19:33:27 -06:00
laurentsimon
063d384b6d
move dir ( #1367 )
2021-12-06 17:57:02 +00:00
laurentsimon
023eab671e
✨ Ignore local actions that are not pinned ( #1357 )
...
* ignore local actions
* missing files
2021-12-06 16:36:42 +00:00
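How a pinning check can classify `uses:` references, as an added example that is not scorecard's own implementation, covering both the log message for non-pinned actions (#1370) and the rule from #1357 that local `./` actions are not reported: a full 40-hex-digit commit SHA or a Docker image digest counts as pinned, tags and branches do not, and local actions are skipped because they are already fixed by the checked-out commit. The sample workflow, the placeholder hashes and the function names are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ActionRef is one `uses:` reference found in a workflow.
type ActionRef struct {
	Line int
	Uses string
	Kind string // local, docker, pinned, unpinned
}

var (
	usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^"'\s#]+)`)
	// A full 40-hex-digit commit SHA is the only immutable git ref.
	commitShaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)
	// Docker images are immutable only when referenced by digest.
	digestRe = regexp.MustCompile(`@sha256:[0-9a-f]{64}$`)
)

// Classify says how a `uses:` value is pinned. Local actions (./path) live in
// the repository itself and move with the checked-out commit, so they are
// reported as "local" and never counted as unpinned.
func Classify(uses string) string {
	switch {
	case strings.HasPrefix(uses, "./"):
		return "local"
	case strings.HasPrefix(uses, "docker://"):
		if digestRe.MatchString(uses) {
			return "pinned"
		}
		return "unpinned"
	}
	at := strings.LastIndex(uses, "@")
	if at >= 0 && commitShaRe.MatchString(uses[at+1:]) {
		return "pinned"
	}
	return "unpinned" // no ref, or a mutable tag/branch such as @v2 or @main
}

// ScanUses returns every uses: reference with its classification.
func ScanUses(workflow string) []ActionRef {
	var refs []ActionRef
	for i, line := range strings.Split(workflow, "\n") {
		if m := usesRe.FindStringSubmatch(line); m != nil {
			refs = append(refs, ActionRef{Line: i + 1, Uses: m[1], Kind: Classify(m[1])})
		}
	}
	return refs
}

// Unpinned keeps only the references a pinning check should flag.
func Unpinned(workflow string) []ActionRef {
	var out []ActionRef
	for _, r := range ScanUses(workflow) {
		if r.Kind == "unpinned" {
			out = append(out, r)
		}
	}
	return out
}

// Constructed sample; the commit SHA and image digest are placeholders, not real.
const SampleWorkflow = `name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned to a full SHA
      - uses: actions/setup-go@v2.1.5
      - uses: ./.github/actions/build
      - uses: docker://alpine:3.15
      - uses: docker://alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
`

func main() {
	for _, r := range Unpinned(SampleWorkflow) {
		fmt.Printf("line %d: %s is not pinned by hash; pin it so the action cannot change underneath you\n", r.Line, r.Uses)
	}
}
```

On the sample, `actions/setup-go@v2.1.5` and `docker://alpine:3.15` are flagged, the SHA-pinned checkout and the digest-pinned image pass, and the local action is listed but never reported. A mutable tag such as `@v2.1.5` can be moved to a different commit by the action's owner, which is why only the full SHA is treated as a pin.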
Chris McGehee
38b5199e9e
🐛 Adding line numbers to token-permissions and a couple other places ( #1363 )
...
* Adding line numbers to token-permissions and a couple other places
* Fix deadlink for security policy
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
* Updating formatting
Co-authored-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
2021-12-06 10:05:52 -06:00
Batuhan Apaydın
1eb4d0e73e
Fix deadlink for security policy
...
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
2021-12-05 11:26:29 -06:00
laurentsimon
b323cded04
🐛 checks.yml not sync'ed with checks.md ( #1360 )
...
* update docs
* update
* remove file
* remove improper commit
* fix
2021-12-04 08:56:50 -06:00
laurentsimon
afe55a83c1
🐛 Disable pinning lock file search in repo ( #1315 )
...
* fix
* linter
* linter
* linter
* comment
2021-12-04 00:44:09 +00:00
Evgeny Vereshchagin
9f7e682fe6
CI-Check: add SemaphoreCI and Packit-as-a-Service ( #1293 )
...
to make it more likely for some projects to pass the check
https://semaphoreci.com/
https://github.com/marketplace/packit-as-a-service
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-12-03 23:33:01 +00:00
Azeem Shaikh
84d169bf23
Use updated clients for local ( #1355 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-03 15:09:04 -08:00
laurentsimon
aed511670f
✨ Cleanup Branch Protection and add e2e tests ( #1344 )
...
* BP cleanup
* linter
* e2e fix
* linter
* linter
Co-authored-by: asraa <asraa@google.com>
2021-12-03 21:53:18 +00:00
laurentsimon
3eb2e5aec8
license ( #1350 )
2021-12-03 21:01:38 +00:00
laurentsimon
b8d7a6b722
make critical ( #1348 )
2021-12-03 17:55:54 +00:00
Nanik
45b5a35020
✨ Add new checking for license file availability ( #1178 )
...
* Add checking logic inside license_check.go
* Add test case license_check_test.go
* Add check information inside checks.yaml
2021-12-03 09:28:27 -08:00
laurentsimon
8cb4804c28
✨ Update action names ( #1346 )
...
* update action
* add schedule
* comments
* e2e fix
2021-12-03 02:17:00 +00:00
laurentsimon
c3c017bf6f
npm ci only ( #1314 )
2021-12-03 01:37:18 +00:00
laurentsimon
938c637ee0
rem audio files ( #1300 )
...
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-03 00:54:06 +00:00