mirror of
https://github.com/ossf/scorecard.git
synced 2024-08-16 11:50:37 +03:00
8c9e552f68
* add nuget package manager Signed-off-by: Avishay <avishay.balter@gmail.com> * fix pat test messages (#2987) * also fix pat tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0 Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump cloud.google.com/go/bigquery from 1.51.1 to 1.51.2 (#2984) Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.51.1 to 1.51.2. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.51.1...bigquery/v1.51.2) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang.org/x/tools from 0.9.0 to 0.9.1 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.0 to 0.9.1. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.0...v0.9.1) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Update osv-scanner dependency to include Vulnerabilities check fixes (#2981) * Update osv-scanner dependency to include Vulnerabilities check fixes Signed-off-by: Laurent Savaëte <laurent@where.tf> * Run go mod tidy Signed-off-by: Laurent Savaëte <laurent@where.tf> --------- Signed-off-by: Laurent Savaëte <laurent@where.tf> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/docker/distribution in /tools (#2993) Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible. - [Release notes](https://github.com/docker/distribution/releases) - [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2) --- updated-dependencies: - dependency-name: github.com/docker/distribution dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Gitlab: e2e test fixes in main (#2992) * test secret chagnes Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update score Signed-off-by: Raghav Kaul <raghavkaul@google.com> * address cr comments Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Unit tests log/log.go (#2980) - Add unit tests for the log package - Add Apache License to log_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/cloudflare/circl in /tools (#2995) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.2.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.2.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Add releasing workflow for semantic-release (#2989) Signed-off-by: Matt Travi <programmer@travi.org> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0 Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/slsa-framework/slsa-verifier/releases) - [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md) - [Commits](https://github.com/slsa-framework/slsa-verifier/compare/v2.2.0...v2.3.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-verifier dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#2994) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Additional e2e clients/githubrepo/checkruns.go (#2934) * 🌱 Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 E2E for clients/githubrepo/contributors.go (#2939) * 🌱 E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 📖 Clarify that AI/ML doesn't count as human code review (#2953) * Clarify that AI/ML doesn't count as human code review Add this clarification per the Scorecards Zoom call meeting today (2023-05-04). Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> * Tweaked per review Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> --------- Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /cron/internal/controller Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /cron/internal/worker Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang from `31a8f92` to `685a22e` Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /cron/internal/webhook Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Clarify AI/ML not human code review - in .yml file (#3012) This clarifies that AI/ML doesn't count as human code review. This was earlier done in #2953 but that didn't modify the relevant .yml file - this does. Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0. - [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Unit tests for checks/raw/maintained.go (#2996) - Add tests and checks for the `Maintained` function - Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump actions/setup-go from 4.0.0 to 4.0.1 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](4d34df0c23...fac708d667
) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump codecov/codecov-action from 3.1.3 to 3.1.4 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](894ff025c7...eaaf4bedf3
) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Unit tests for Policy.go (#3003) - Included tests for policy.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump sigstore/cosign-installer from 3.0.3 to 3.0.4 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](204a51a57a...03d0fecf17
) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/google/go-containerregistry (#3025) Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1 Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Included e2e tests for push to main (#2951) - Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Included directories that don't require coverage (#3002) - Included directories that don't require coverage. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Unit tests for checks/raw/contributors.go (#2998) - Add tests and fix casing for Contributors function in checks/raw/contributors_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ GitLab: Code Review check (#2764) * Add GitLab support for Code-Review check Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove spurious printf Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Working commit Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * e2e test Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update: test coverage Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * gitlab: license check (#2834) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/google/osv-scanner Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/commits/v1.3.3) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](03d0fecf17...dd6b2e2b61
) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump arduino/setup-protoc from 1.1.2 to 1.2.0 Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0. - [Release notes](https://github.com/arduino/setup-protoc/releases) - [Commits](64c0c85d18...4b3578161e
) --- updated-dependencies: - dependency-name: arduino/setup-protoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Add support for github GHES (#2999) * ✨ adding support for github GHES Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: lint and cleanup Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: flaky test Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: address missing host Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: lint error Signed-off-by: Niket Patel <patelniket@gmail.com> * 🌱 Additional e2e clients/githubrepo/checkruns.go (#2934) * 🌱 Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniket@gmail.com> * 🌱 E2E for clients/githubrepo/contributors.go (#2939) * 🌱 E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniket@gmail.com> * chore: add GHES instructions Signed-off-by: Niket Patel <patelniket@gmail.com> * refact: use test setenv Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: corp unit test Signed-off-by: Niket Patel <patelniket@gmail.com> --------- Signed-off-by: Niket Patel <patelniket@gmail.com> Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniketm@users.noreply.github.com> Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Change Facilitators to Maintainers (#3039) Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS. Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder. Signed-off-by: Jeff Mendoza <jlm@jlm.name> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Gitlab: Commit/Commitor Exceptions (#3026) * feat: Added paging for contributor/users against gitlab projects Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Updated the bot flag for unmatched users Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Not all commit users are in the git registry instance Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char. Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Updated to allow for commits with PRs to be accounted/added to the client.commits Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Updated to prevent linting issue regarding nested if's Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Adding coverage for commits and contributors for gitlab Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Moved queries from the client to their own functions Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Need to pass the ProjectID value to the contributor query Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updating project title versus projectID values for api querying Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Updated tests to match expected property set for projectID Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * revert: Reverted based on feedback during review Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> --------- Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 📖 Make all StepSecurity app endpoint references consistent (#3042) Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io> Signed-off-by: Avishay <avishay.balter@gmail.com> * 📖 Update checks.md to show the benefit of >=2 reviewers (#3013) * Update checks.yaml instead of cehcks.md Signed-off-by: Joyce <joycebrum@google.com> * feat: generate checks.md Signed-off-by: Joyce Brum <joycebrum@google.com> --------- Signed-off-by: Joyce <joycebrum@google.com> Signed-off-by: Joyce Brum <joycebrum@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Improve workflow pinning remediation tests (#3021) - Add 3 tests for workflow pinning remediation [remediation/remediations_test.go] - Add 3 tests for workflow pinning remediation Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 E2E tests for clients/githubrepo/languages_e2e_test.go (#3000) * 🌱 E2E tests for clients/githubrepo/languages_e2e_test.go - Included e2e tests for clients/githubrepo/languages_e2e_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed the token type check. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Unit tests for pkg/json_raw_results (#3044) * 🌱 Unit tests for pkg/json_raw_results.go - Unit tests for pkg/json_raw_results.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Additional tests Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * add zoom link and agenda link (#3050) Signed-off-by: Amanda L Martin <hythloda@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Run E2E PAT test for push to main (#3046) - Add E2E PAT tests for push to main. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Update main.yml (#3054) -Fixed the YAML indenting issue. Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * only run e2e pat on push (#3056) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 📖 👻 fix anchor link to the code review section (#3058) * fix anchor link to code-review in checks.yaml Signed-off-by: dasfreak <dasfreak@users.noreply.github.com> Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> * generate checks.md Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> --------- Signed-off-by: dasfreak <dasfreak@users.noreply.github.com> Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Gitlab: Tests (#3027) * fix tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * use projectID instead of project where applicable Signed-off-by: Raghav Kaul <raghavkaul@google.com> * pass ref as listcommitoption Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update tests * CI-Tests: check if score > 0. pull request client is limited and can't go back to arbitrary pull requests. CI-Tests don't run on forks, so this can't be pinned either. But, for active repositories, we typically expect *some* tests to be run Signed-off-by: Raghav Kaul <raghavkaul@google.com> * fix commitshandler commitSHA tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/goreleaser/nfpm/v2 in /tools (#3060) Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0. - [Release notes](https://github.com/goreleaser/nfpm/releases) - [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml) - [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0) --- updated-dependencies: - dependency-name: github.com/goreleaser/nfpm/v2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Gitlab: Add projects to cron (#2936) * cron: add gitlab projects * support gitlab client * simplify gitlab detection Signed-off-by: Raghav Kaul <raghavkaul@google.com> * fix MakeGitlabRepo * shortcut when repo url is github.com * fixes add-projects, validate-projects Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Move gitlab repos to release controller Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add csv headers Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Use gitlab.WithBaseURL Signed-off-by: Raghav Kaul <raghavkaul@google.com> * formatting & logging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * remove spurious test Signed-off-by: Raghav Kaul <raghavkaul@google.com> * consolidate logic Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Turn on experimental flag Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add projects Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Update client Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Simplify caching in docker workflow (#3061) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](29b1f65c5e...f0e3dfb303
) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065) Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 gitlab: cron (#3070) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](f0e3dfb303...0225834cc5
) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](b2d17f5124...25eaddf37a
) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Gitlab status updates (#3052) * doc: Updating gitlab support validation status Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updated logic for gitlab to prevent exceptions based on releases Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Added initial tests for gitlab branches Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * doc: Updated general README Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Cleaned up the query for pipelines to be focused on the commitID Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * feat: Allowed for a non-graphql method of retrieving MRs associated to a commit Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * doc: Updated status for the CI-Tests Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository. Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> --------- Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079) Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0. - [Release notes](https://github.com/sigstore/rekor/releases) - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * get nuget latest version from registration URL Signed-off-by: Avishay <avishay.balter@gmail.com> * better coverage Signed-off-by: Avishay <avishay.balter@gmail.com> * sign Signed-off-by: Avishay <avishay.balter@gmail.com> * fix tests Signed-off-by: Avishay <avishay.balter@gmail.com> * more tests Signed-off-by: Avishay <avishay.balter@gmail.com> * client tests Signed-off-by: Avishay <avishay.balter@gmail.com> * lint Signed-off-by: Avishay <avishay.balter@gmail.com> * Apply suggestions from code review Co-authored-by: Joel Verhagen <joel.verhagen@gmail.com> Signed-off-by: Avishay Balter <avishay.balter@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang from `685a22e` to `690e413` (#3080) Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang from `685a22e` to `690e413` in /cron/internal/cii Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /cron/internal/controller Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /cron/internal/worker Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /cron/internal/webhook Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang from `685a22e` to `690e413` in /cron/internal/bq Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089) Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0. - [Release notes](https://github.com/arduino/setup-protoc/releases) - [Commits](4b3578161e...149f6c87b9
) --- updated-dependencies: - dependency-name: arduino/setup-protoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](25eaddf37a...cf4fe8759a
) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * pr iteration 2 Signed-off-by: Avishay <avishay.balter@gmail.com> * pr iteration 3 Signed-off-by: Avishay <avishay.balter@gmail.com> * switch security policy e2e test to ossf-tests repo. (#3090) tensorflow/tensorflow is huge and was slowing down tests. Also removed the rust e2e tests because they're already present as unit tests. Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](f46c48ed6d...1360a344cc
) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](cf4fe8759a...5978e5a2df
) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang.org/x/tools from 0.9.1 to 0.9.2 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ GitLab: enable more checks in cron (#3097) * Enable checks * Binary-Artifacts * Code-Review * License * Vulnerabilities Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Enable more checks * CII Best Practices * Fuzzing * Maintained * Packaging * Pinned-Dependencies * Signed-Releases Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update repo name Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 📖 agenda link change (#3111) Signed-off-by: Amanda L Martin <hythloda@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](0225834cc5...83f0fe6c49
) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](5978e5a2df...5d2fcdb4cb
) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang.org/x/tools from 0.9.2 to 0.9.3 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Unit tests for option (#3109) - Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format - Add tests for checks to run and format flags Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 GitLab: add gitlab auth token to cron worker env (#3117) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Don't run pat e2e on dependabot merges (#3119) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Detect fast-check PBT library for fuzz section (#3073) * ✨ Detect fast-check PBT library for fuzz section As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution. I also adapted the documentation related to fuzzing accordingly. Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Typo Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Update missing md files Signed-off-by: Nicolas DUBIEN <github@dubien.org> --------- Signed-off-by: Nicolas DUBIEN <github@dubien.org> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 temporarily disable failing e2e tests so we don't block all PRs. (#3130) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * pr comments Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * i🌱 Ignore all pb files for test (#3127) - Update .codecov.yml to ignore additional files Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Deprecate dependencydiff package and add access token requirement (#3125) - Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function - Add a line to the `.codecov.yml` to ignore the `dependencydiff` package Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ [experimental] Support for new `--format probe` (#3048) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump distroless/base (#3122) Bumps distroless/base from `10985f0` to `c623859`. --- updated-dependencies: - dependency-name: distroless/base dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Ignore deprecation warning for dependencydiff tests. (#3136) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump tj-actions/changed-files from 36.0.15 to 36.0.18 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](5d2fcdb4cb...07e0177b72
) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4 Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/gomega from 1.27.7 to 1.27.8 Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139) Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Increase test coverage for finding outcomes (#3142) * Increase test coverage for finding outcomes - Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Updates based on Codereview - Update `Outcome` variable in `finding/finding_test.go` - Add `t.Parallel()` for test parallelization - Add comparison using `cmp.Diff` to test for mismatches - Update test cases for various outcomes Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](07e0177b72...fb20f4d248
) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144) * re-enable skipped ci test Signed-off-by: Spencer Schrock <sschrock@google.com> * re-enable skipped attestor test. switch to ossf-tests repo Signed-off-by: Spencer Schrock <sschrock@google.com> * remove extra policies from tests that only look at code review. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unneeded policies from binary artifact tests. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * add license header Signed-off-by: Avishay <avishay.balter@gmail.com> * pr comments Signed-off-by: Avishay <avishay.balter@gmail.com> * making the packages internal Signed-off-by: Avishay <avishay.balter@gmail.com> * generate mocks Signed-off-by: Avishay <avishay.balter@gmail.com> --------- Signed-off-by: Avishay <avishay.balter@gmail.com> Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
453 lines
21 KiB
Makefile
453 lines
21 KiB
Makefile
SHELL := /bin/bash
|
|
GIT_HASH := $(shell git rev-parse HEAD)
|
|
GIT_VERSION ?= $(shell git describe --tags --always --dirty)
|
|
SOURCE_DATE_EPOCH=$(shell git log --date=iso8601-strict -1 --pretty=%ct)
|
|
IMAGE_NAME = scorecard
|
|
OUTPUT = output
|
|
PLATFORM="linux/amd64,linux/arm64,linux/386,linux/arm"
|
|
LDFLAGS=$(shell ./scripts/version-ldflags)
|
|
|
|
|
|
|
|
############################### make help #####################################
|
|
.PHONY: help
|
|
help: ## Display this help
|
|
@awk 'BEGIN {FS = ":.*##"; \
|
|
printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ \
|
|
{ printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } \
|
|
/^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
|
|
|
|
###############################################################################
|
|
|
|
##@ Tools
|
|
################################ make install #################################
|
|
TOOLS_DIR := tools
|
|
TOOLS_BIN_DIR := $(abspath $(TOOLS_DIR)/bin)
|
|
GOBIN := $(shell go env GOBIN)
|
|
|
|
# Golang binaries.
|
|
|
|
GOLANGCI_LINT := $(TOOLS_BIN_DIR)/golangci-lint
|
|
$(GOLANGCI_LINT): $(TOOLS_DIR)/go.mod
|
|
cd $(TOOLS_DIR); GOBIN=$(TOOLS_BIN_DIR) go install github.com/golangci/golangci-lint/cmd/golangci-lint
|
|
|
|
KO := $(TOOLS_BIN_DIR)/ko
|
|
$(KO): $(TOOLS_DIR)/go.mod
|
|
cd $(TOOLS_DIR); GOBIN=$(TOOLS_BIN_DIR) go install github.com/google/ko
|
|
|
|
STUNNING_TRIBBLE := $(TOOLS_BIN_DIR)/stunning-tribble
|
|
$(STUNNING_TRIBBLE): $(TOOLS_DIR)/go.mod
|
|
cd $(TOOLS_DIR); GOBIN=$(TOOLS_BIN_DIR) go install github.com/naveensrinivasan/stunning-tribble
|
|
|
|
MOCKGEN := $(TOOLS_BIN_DIR)/mockgen
|
|
$(MOCKGEN): $(TOOLS_DIR)/go.mod
|
|
cd $(TOOLS_DIR); GOBIN=$(TOOLS_BIN_DIR) go install github.com/golang/mock/mockgen
|
|
|
|
GINKGO := $(TOOLS_BIN_DIR)/ginkgo
|
|
$(GINKGO): $(TOOLS_DIR)/go.mod
|
|
cd $(TOOLS_DIR); GOBIN=$(TOOLS_BIN_DIR) go install github.com/onsi/ginkgo/v2/ginkgo
|
|
|
|
GORELEASER := $(TOOLS_BIN_DIR)/goreleaser
|
|
$(GORELEASER): $(TOOLS_DIR)/go.mod
|
|
cd $(TOOLS_DIR); GOBIN=$(TOOLS_BIN_DIR) go install github.com/goreleaser/goreleaser
|
|
|
|
PROTOC_GEN_GO := $(TOOLS_BIN_DIR)/protoc-gen-go
|
|
$(PROTOC_GEN_GO): $(TOOLS_DIR)/go.mod
|
|
cd $(TOOLS_DIR); GOBIN=$(TOOLS_BIN_DIR) go install google.golang.org/protobuf/cmd/protoc-gen-go
|
|
|
|
# Non-Golang binaries.
|
|
# TODO: Figure out how to install these binaries automatically.
|
|
|
|
PROTOC := $(shell which protoc)
|
|
$(PROTOC):
|
|
ifeq (,$(PROTOC))
|
|
$(error download and install protobuf compiler package - https://developers.google.com/protocol-buffers/docs/downloads)
|
|
endif
|
|
|
|
# Installs required binaries into $(TOOLS_BIN_DIR) wherever possible.
|
|
# Keeping a local copy instead of a global install allows for:
|
|
# i) Controlling the binary version Scorecard depends on leading to consistent
|
|
# behavior across users.
|
|
# ii) Avoids installing a whole bunch of otherwise unnecessary tools in the user's workspace.
|
|
.PHONY: install
|
|
install: ## Installs required binaries.
|
|
install: $(GOLANGCI_LINT) \
|
|
$(KO) \
|
|
$(STUNNING_TRIBBLE) \
|
|
$(PROTOC_GEN_GO) $(PROTOC) \
|
|
$(MOCKGEN) \
|
|
$(GINKGO) \
|
|
$(GORELEASER)
|
|
|
|
###############################################################################
|
|
|
|
##@ Build
|
|
################################## make all ###################################
|
|
all: ## Runs build, test and verify
|
|
all-targets = build unit-test check-linter validate-docs add-projects validate-projects
|
|
.PHONY: all all-targets-update-dependencies $(all-targets) update-dependencies tree-status
|
|
all-targets-update-dependencies: $(all-targets) | update-dependencies
|
|
all: update-dependencies all-targets-update-dependencies tree-status
|
|
|
|
update-dependencies: ## Update go dependencies for all modules
|
|
# Update root go modules
|
|
go mod tidy && go mod verify
|
|
cd tools; go mod tidy && go mod verify; cd ../
|
|
|
|
check-linter: ## Install and run golang linter
|
|
check-linter: | $(GOLANGCI_LINT)
|
|
# Run golangci-lint linter
|
|
$(GOLANGCI_LINT) run -c .golangci.yml
|
|
|
|
add-projects: ## Adds new projects to ./cron/internal/data/projects.csv
|
|
add-projects: ./cron/internal/data/projects.csv | build-add-script
|
|
# Add new projects to ./cron/internal/data/projects.csv
|
|
./cron/internal/data/add/add ./cron/internal/data/projects.csv ./cron/internal/data/projects.new.csv
|
|
mv ./cron/internal/data/projects.new.csv ./cron/internal/data/projects.csv
|
|
|
|
validate-projects: ## Validates ./cron/internal/data/projects.csv
|
|
validate-projects: ./cron/internal/data/projects.csv | build-validate-script
|
|
# Validate ./cron/internal/data/projects.csv
|
|
./cron/internal/data/validate/validate ./cron/internal/data/projects.csv
|
|
|
|
tree-status: | all-targets-update-dependencies ## Verify tree is clean and all changes are committed
|
|
# Verify the tree is clean and all changes are commited
|
|
./scripts/tree-status
|
|
|
|
###############################################################################
|
|
|
|
################################## make build #################################
|
|
## Build all cron-related targets
|
|
build-cron: build-controller build-worker build-cii-worker \
|
|
build-shuffler build-bq-transfer build-github-server \
|
|
build-webhook build-add-script build-validate-script build-update-script
|
|
|
|
build-targets = generate-mocks generate-docs build-scorecard build-cron build-proto build-attestor
|
|
.PHONY: build $(build-targets)
|
|
build: ## Build all binaries and images in the repo.
|
|
build: $(build-targets)
|
|
|
|
build-proto: ## Compiles and generates all required protobufs
|
|
build-proto: cron/data/request.pb.go cron/data/metadata.pb.go
|
|
cron/data/request.pb.go: cron/data/request.proto | $(PROTOC) $(PROTOC_GEN_GO)
|
|
$(PROTOC) --plugin=$(PROTOC_GEN_GO) --go_out=. --go_opt=paths=source_relative cron/data/request.proto
|
|
cron/data/metadata.pb.go: cron/data/metadata.proto | $(PROTOC) $(PROTOC_GEN_GO)
|
|
$(PROTOC) --plugin=$(PROTOC_GEN_GO) --go_out=. --go_opt=paths=source_relative cron/data/metadata.proto
|
|
|
|
generate-mocks: ## Compiles and generates all mocks using mockgen.
|
|
generate-mocks: clients/mockclients/repo_client.go \
|
|
clients/mockclients/repo.go \
|
|
clients/mockclients/cii_client.go \
|
|
checks/mockclients/vulnerabilities.go \
|
|
cmd/internal/packagemanager/packagemanager_mockclient.go \
|
|
cmd/internal/nuget/nuget_mockclient.go
|
|
clients/mockclients/repo_client.go: clients/repo_client.go | $(MOCKGEN)
|
|
# Generating MockRepoClient
|
|
$(MOCKGEN) -source=clients/repo_client.go -destination=clients/mockclients/repo_client.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
|
|
clients/mockclients/repo.go: clients/repo.go | $(MOCKGEN)
|
|
# Generating MockRepo
|
|
$(MOCKGEN) -source=clients/repo.go -destination=clients/mockclients/repo.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
|
|
clients/mockclients/cii_client.go: clients/cii_client.go | $(MOCKGEN)
|
|
# Generating MockCIIClient
|
|
$(MOCKGEN) -source=clients/cii_client.go -destination=clients/mockclients/cii_client.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
|
|
checks/mockclients/vulnerabilities.go: clients/vulnerabilities.go | $(MOCKGEN)
|
|
# Generating MockCIIClient
|
|
$(MOCKGEN) -source=clients/vulnerabilities.go -destination=clients/mockclients/vulnerabilities.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
|
|
cmd/internal/packagemanager/packagemanager_mockclient.go: cmd/internal/packagemanager/client.go | $(MOCKGEN)
|
|
# Generating MockPackageManagerClient
|
|
$(MOCKGEN) -source=cmd/internal/packagemanager/client.go -destination=cmd/internal/packagemanager/packagemanager_mockclient.go -package=packagemanager -copyright_file=clients/mockclients/license.txt
|
|
cmd/internal/nuget/nuget_mockclient.go: cmd/internal/nuget/client.go | $(MOCKGEN)
|
|
# Generating MockNugetClient
|
|
$(MOCKGEN) -source=cmd/internal/nuget/client.go -destination=cmd/internal/nuget/nuget_mockclient.go -package=nuget -copyright_file=clients/mockclients/license.txt
|
|
|
|
generate-docs: ## Generates docs
|
|
generate-docs: validate-docs docs/checks.md
|
|
docs/checks.md: docs/checks/internal/checks.yaml docs/checks/internal/*.go docs/checks/internal/generate/*.go
|
|
# Generating checks.md
|
|
go run ./docs/checks/internal/generate/main.go docs/checks.md
|
|
|
|
validate-docs: docs/checks/internal/generate/main.go
|
|
# Validating checks.yaml
|
|
go run ./docs/checks/internal/validate/main.go
|
|
|
|
SCORECARD_DEPS = $(shell find . -iname "*.go" | grep -v tools/)
|
|
build-scorecard: ## Build Scorecard CLI
|
|
build-scorecard: scorecard
|
|
scorecard: $(SCORECARD_DEPS)
|
|
# Run go build and generate scorecard executable
|
|
CGO_ENABLED=0 go build -trimpath -a -tags netgo -ldflags '$(LDFLAGS)'
|
|
scorecard-docker: ## Build Scorecard CLI Docker image
|
|
scorecard-docker: scorecard.docker
|
|
scorecard.docker: Dockerfile $(SCORECARD_DEPS)
|
|
DOCKER_BUILDKIT=1 docker build . --file Dockerfile \
|
|
--tag $(IMAGE_NAME) && \
|
|
touch scorecard.docker
|
|
|
|
build-releaser: ## Build goreleaser for the Scorecard CLI
|
|
build-releaser: scorecard.releaser
|
|
scorecard.releaser: .goreleaser.yml $(SCORECARD_DEPS) | $(GORELEASER)
|
|
# Run go releaser on the Scorecard repo
|
|
$(GORELEASER) check && \
|
|
VERSION_LDFLAGS="$(LDFLAGS)" $(GORELEASER) release \
|
|
--snapshot --rm-dist --skip-publish --skip-sign && \
|
|
touch scorecard.releaser
|
|
|
|
CRON_CONTROLLER_DEPS = $(shell find cron/internal/ -iname "*.go")
|
|
build-controller: ## Build cron controller
|
|
build-controller: cron/internal/controller/controller
|
|
cron/internal/controller/controller: $(CRON_CONTROLLER_DEPS)
|
|
# Run go build on the cron PubSub controller
|
|
cd cron/internal/controller && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o controller
|
|
cron-controller-docker: ## Build cron controller Docker image
|
|
cron-controller-docker: cron/internal/controller/controller.docker
|
|
cron/internal/controller/controller.docker: cron/internal/controller/Dockerfile $(CRON_CONTROLLER_DEPS)
|
|
DOCKER_BUILDKIT=1 docker build . --file cron/internal/controller/Dockerfile \
|
|
--tag $(IMAGE_NAME)-batch-controller \
|
|
&& touch cron/internal/controller/controller.docker
|
|
|
|
build-worker: ## Runs go build on the cron PubSub worker
|
|
# Run go build on the cron PubSub worker
|
|
cd cron/internal/worker && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o worker
|
|
|
|
CRON_CII_DEPS = $(shell find cron/internal/ clients/ -iname "*.go")
|
|
build-cii-worker: ## Build cron CII worker
|
|
build-cii-worker: cron/internal/cii/cii-worker
|
|
cron/internal/cii/cii-worker: $(CRON_CII_DEPS)
|
|
# Run go build on the CII worker
|
|
cd cron/internal/cii && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o cii-worker
|
|
cron-cii-worker-docker: # Build cron CII worker Docker image
|
|
cron-cii-worker-docker: cron/internal/cii/cii-worker.docker
|
|
cron/internal/cii/cii-worker.docker: cron/internal/cii/Dockerfile $(CRON_CII_DEPS)
|
|
DOCKER_BUILDKIT=1 docker build . --file cron/internal/cii/Dockerfile \
|
|
--tag $(IMAGE_NAME)-cii-worker && \
|
|
touch cron/internal/cii/cii-worker.docker
|
|
|
|
CRON_SHUFFLER_DEPS = $(shell find cron/data/ cron/internal/shuffle/ -iname "*.go")
|
|
build-shuffler: ## Build cron shuffle script
|
|
build-shuffler: cron/internal/shuffle/shuffle
|
|
cron/internal/shuffle/shuffle: $(CRON_SHUFFLER_DEPS)
|
|
# Run go build on the cron shuffle script
|
|
cd cron/internal/shuffle && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o shuffle
|
|
|
|
CRON_TRANSFER_DEPS = $(shell find cron/data/ cron/config/ cron/internal/bq/ -iname "*.go")
|
|
build-bq-transfer: ## Build cron BQ transfer worker
|
|
build-bq-transfer: cron/internal/bq/data-transfer
|
|
cron/internal/bq/data-transfer: $(CRON_TRANSFER_DEPS)
|
|
# Run go build on the Copier cron job
|
|
cd cron/internal/bq && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o data-transfer
|
|
cron-bq-transfer-docker: ## Build cron BQ transfer worker Docker image
|
|
cron-bq-transfer-docker: cron/internal/bq/data-transfer.docker
|
|
cron/internal/bq/data-transfer.docker: cron/internal/bq/Dockerfile $(CRON_TRANSFER_DEPS)
|
|
DOCKER_BUILDKIT=1 docker build . --file cron/internal/bq/Dockerfile \
|
|
--tag $(IMAGE_NAME)-bq-transfer && \
|
|
touch cron/internal/bq/data-transfer.docker
|
|
|
|
build-attestor: ## Runs go build on scorecard attestor
|
|
# Run go build on scorecard attestor
|
|
cd attestor/; CGO_ENABLED=0 go build -trimpath -a -tags netgo -ldflags '$(LDFLAGS)' -o scorecard-attestor
|
|
|
|
|
|
build-attestor-docker: ## Build scorecard-attestor Docker image
|
|
build-attestor-docker:
|
|
DOCKER_BUILDKIT=1 docker build . --file attestor/Dockerfile \
|
|
--tag scorecard-attestor:latest \
|
|
--tag scorecard-atttestor:$(GIT_HASH)
|
|
|
|
TOKEN_SERVER_DEPS = $(shell find clients/githubrepo/roundtripper/tokens/ -iname "*.go")
|
|
build-github-server: ## Build GitHub token server
|
|
build-github-server: clients/githubrepo/roundtripper/tokens/server/github-auth-server
|
|
clients/githubrepo/roundtripper/tokens/server/github-auth-server: $(TOKEN_SERVER_DEPS)
|
|
# Run go build on the GitHub auth server
|
|
cd clients/githubrepo/roundtripper/tokens/server && \
|
|
CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o github-auth-server
|
|
cron-github-server-docker: ## Build GitHub token server Docker image
|
|
cron-github-server-docker: clients/githubrepo/roundtripper/tokens/server/github-auth-server.docker
|
|
clients/githubrepo/roundtripper/tokens/server/github-auth-server.docker: \
|
|
clients/githubrepo/roundtripper/tokens/server/Dockerfile $(TOKEN_SERVER_DEPS)
|
|
DOCKER_BUILDKIT=1 docker build . \
|
|
--file clients/githubrepo/roundtripper/tokens/server/Dockerfile \
|
|
--tag ${IMAGE_NAME}-github-server && \
|
|
touch clients/githubrepo/roundtripper/tokens/server/github-auth-server.docker
|
|
|
|
CRON_WEBHOOK_DEPS = $(shell find cron/internal/webhook/ cron/data/ -iname "*.go")
|
|
build-webhook: ## Build cron webhook server
|
|
build-webhook: cron/internal/webhook/webhook
|
|
cron/internal/webhook/webhook: $(CRON_WEBHOOK_DEPS)
|
|
# Run go build on the cron webhook
|
|
cd cron/internal/webhook && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o webhook
|
|
cron-webhook-docker: ## Build cron webhook server Docker image
|
|
cron-webhook-docker: cron/internal/webhook/webhook.docker
|
|
cron/internal/webhook/webhook.docker: cron/internal/webhook/Dockerfile $(CRON_WEBHOOK_DEPS)
|
|
DOCKER_BUILDKIT=1 docker build . --file cron/internal/webhook/Dockerfile \
|
|
--tag ${IMAGE_NAME}-webhook && \
|
|
touch cron/internal/webhook/webhook.docker
|
|
|
|
|
|
build-add-script: ## Runs go build on the add script
|
|
build-add-script: cron/internal/data/add/add
|
|
cron/internal/data/add/add: cron/internal/data/add/*.go cron/data/*.go cron/internal/data/projects.csv
|
|
# Run go build on the add script
|
|
cd cron/internal/data/add && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o add
|
|
|
|
build-validate-script: ## Runs go build on the validate script
|
|
build-validate-script: cron/internal/data/validate/validate
|
|
cron/internal/data/validate/validate: cron/internal/data/validate/*.go cron/data/*.go cron/internal/data/projects.csv
|
|
# Run go build on the validate script
|
|
cd cron/internal/data/validate && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o validate
|
|
|
|
build-update-script: ## Runs go build on the update script
|
|
build-update-script: cron/internal/data/update/projects-update
|
|
cron/internal/data/update/projects-update: cron/internal/data/update/*.go cron/data/*.go
|
|
# Run go build on the update script
|
|
cd cron/internal/data/update && CGO_ENABLED=0 go build -trimpath -a -tags netgo -ldflags '$(LDFLAGS)' -o projects-update
|
|
|
|
docker-targets = scorecard-docker cron-controller-docker cron-worker-docker cron-cii-worker-docker cron-bq-transfer-docker cron-webhook-docker cron-github-server-docker
|
|
.PHONY: dockerbuild $(docker-targets)
|
|
dockerbuild: $(docker-targets)
|
|
|
|
cron-worker-docker:
|
|
DOCKER_BUILDKIT=1 docker build . --file cron/internal/worker/Dockerfile --tag $(IMAGE_NAME)-batch-worker
|
|
###############################################################################
|
|
|
|
##@ Tests
|
|
################################# make test ###################################
|
|
test-targets = unit-test e2e-pat e2e-gh-token ci-e2e
|
|
.PHONY: test $(test-targets)
|
|
test: $(test-targets)
|
|
|
|
unit-test: ## Runs unit test without e2e
|
|
# Run unit tests, ignoring e2e tests
|
|
# run the go tests and gen the file coverage-all used to do the integration with codecov
|
|
SKIP_GINKGO=1 go test -race -covermode=atomic -coverprofile=unit-coverage.out -coverpkg=./... `go list ./...`
|
|
|
|
unit-test-attestor: ## Runs unit tests on scorecard-attestor
|
|
cd attestor; SKIP_GINKGO=1 go test -covermode=atomic -coverprofile=unit-coverage.out `go list ./...`; cd ..;
|
|
|
|
check-env:
|
|
ifndef GITHUB_AUTH_TOKEN
|
|
$(error GITHUB_AUTH_TOKEN is undefined)
|
|
endif
|
|
|
|
check-env-gitlab:
|
|
ifndef GITLAB_AUTH_TOKEN
|
|
$(error GITLAB_AUTH_TOKEN is undefined)
|
|
endif
|
|
|
|
e2e-pat: ## Runs e2e tests. Requires GITHUB_AUTH_TOKEN env var to be set to GitHub personal access token
|
|
e2e-pat: build-scorecard check-env | $(GINKGO)
|
|
# Run e2e tests. GITHUB_AUTH_TOKEN with personal access token must be exported to run this
|
|
TOKEN_TYPE="PAT" $(GINKGO) --race -p -v -cover -coverprofile=e2e-coverage.out --keep-separate-coverprofiles ./...
|
|
|
|
e2e-gh-token: ## Runs e2e tests. Requires GITHUB_AUTH_TOKEN env var to be set to default GITHUB_TOKEN
|
|
e2e-gh-token: build-scorecard check-env | $(GINKGO)
|
|
# Run e2e tests. GITHUB_AUTH_TOKEN set to secrets.GITHUB_TOKEN must be used to run this.
|
|
TOKEN_TYPE="GITHUB_TOKEN" $(GINKGO) --race -p -v -cover -coverprofile=e2e-coverage.out --keep-separate-coverprofiles ./...
|
|
|
|
e2e-gitlab-token: ## Runs e2e tests that require a GITLAB_TOKEN
|
|
e2e-gitlab-token: build-scorecard check-env-gitlab | $(GINKGO)
|
|
TEST_GITLAB_EXTERNAL=1 TOKEN_TYPE="GITLAB_PAT" $(GINKGO) --race -p -vv --focus '.*GitLab' ./...
|
|
|
|
e2e-gitlab: ## Runs e2e tests for GitLab only. TOKEN_TYPE is not used (since these are public APIs), but must be set to something
|
|
e2e-gitlab: build-scorecard | $(GINKGO)
|
|
TEST_GITLAB_EXTERNAL=1 TOKEN_TYPE="PAT" $(GINKGO) --race -p -vv --focus ".*GitLab" ./...
|
|
|
|
e2e-attestor: ## Runs e2e tests for scorecard-attestor
|
|
cd attestor/e2e; go test -covermode=atomic -coverprofile=e2e-coverage.out; cd ../..
|
|
|
|
###############################################################################
|
|
|
|
##@ TODO(#744)
|
|
################################## make ko-images #############################
|
|
ko-targets = scorecard-ko cron-controller-ko cron-worker-ko cron-cii-worker-ko cron-bq-transfer-ko cron-webhook-ko cron-github-server-ko
|
|
.PHONY: ko-images $(ko-targets)
|
|
ko-images: $(ko-targets)
|
|
|
|
KOCACHE_PATH=/tmp/ko
|
|
|
|
$(KOCACHE_PATH):
|
|
mkdir -p $(KOCACHE_PATH)
|
|
|
|
scorecard-ko: | $(KO) $(KOCACHE_PATH)
|
|
KO_DATA_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
|
|
KO_DOCKER_REPO=${KO_PREFIX}/${IMAGE_NAME}
|
|
LDFLAGS="$(LDFLAGS)" \
|
|
KO_CACHE=$(KOCACHE_PATH) \
|
|
$(KO) build -B \
|
|
--sbom=none \
|
|
--platform=$(PLATFORM) \
|
|
--tags latest,$(GIT_VERSION),$(GIT_HASH) \
|
|
github.com/ossf/scorecard/v4
|
|
|
|
cron-controller-ko: | $(KO) $(KOCACHE_PATH)
|
|
KO_DATA_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
|
|
KO_DOCKER_REPO=${KO_PREFIX}/$(IMAGE_NAME)-batch-controller \
|
|
LDFLAGS="$(LDFLAGS)" \
|
|
KOCACHE=$(KOCACHE_PATH) \
|
|
$(KO) build -B \
|
|
--push=false \
|
|
--sbom=none \
|
|
--platform=$(PLATFORM) \
|
|
--tags latest,$(GIT_VERSION),$(GIT_HASH) \
|
|
github.com/ossf/scorecard/v4/cron/internal/controller
|
|
|
|
cron-worker-ko: | $(KO) $(KOCACHE_PATH)
|
|
KO_DATA_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
|
|
KO_DOCKER_REPO=${KO_PREFIX}/$(IMAGE_NAME)-batch-worker \
|
|
LDFLAGS="$(LDFLAGS)" \
|
|
KOCACHE=$(KOCACHE_PATH) \
|
|
$(KO) build -B \
|
|
--push=false \
|
|
--sbom=none \
|
|
--platform=$(PLATFORM) \
|
|
--tags latest,$(GIT_VERSION),$(GIT_HASH) \
|
|
github.com/ossf/scorecard/v4/cron/internal/worker
|
|
|
|
cron-cii-worker-ko: | $(KO) $(KOCACHE_PATH)
|
|
KO_DATA_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
|
|
KO_DOCKER_REPO=${KO_PREFIX}/$(IMAGE_NAME)-cii-worker \
|
|
LDFLAGS="$(LDFLAGS)" \
|
|
KOCACHE=$(KOCACHE_PATH) \
|
|
$(KO) build -B \
|
|
--push=false \
|
|
--sbom=none \
|
|
--platform=$(PLATFORM)\
|
|
--tags latest,$(GIT_VERSION),$(GIT_HASH) \
|
|
github.com/ossf/scorecard/v4/cron/internal/cii
|
|
|
|
cron-bq-transfer-ko: | $(KO) $(KOCACHE_PATH)
|
|
KO_DATA_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
|
|
KO_DOCKER_REPO=${KO_PREFIX}/$(IMAGE_NAME)-bq-transfer \
|
|
LDFLAGS="$(LDFLAGS)" \
|
|
KOCACHE=$(KOCACHE_PATH) \
|
|
$(KO) build -B \
|
|
--push=false \
|
|
--sbom=none \
|
|
--platform=$(PLATFORM) \
|
|
--tags latest,$(GIT_VERSION),$(GIT_HASH) \
|
|
github.com/ossf/scorecard/v4/cron/internal/bq
|
|
|
|
cron-webhook-ko: | $(KO) $(KOCACHE_PATH)
|
|
KO_DATA_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
|
|
KO_DOCKER_REPO=${KO_PREFIX}/$(IMAGE_NAME)-cron-webhook \
|
|
LDFLAGS="$(LDFLAGS)" \
|
|
KOCACHE=$(KOCACHE_PATH) \
|
|
$(KO) build -B \
|
|
--push=false \
|
|
--sbom=none \
|
|
--platform=$(PLATFORM) \
|
|
--tags latest,$(GIT_VERSION),$(GIT_HASH) \
|
|
github.com/ossf/scorecard/v4/cron/internal/webhook
|
|
|
|
cron-github-server-ko: | $(KO) $(KOCACHE_PATH)
|
|
KO_DATA_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
|
|
KO_DOCKER_REPO=${KO_PREFIX}/$(IMAGE_NAME)-github-server \
|
|
LDFLAGS="$(LDFLAGS)" \
|
|
KOCACHE=$(KOCACHE_PATH) \
|
|
$(KO) build -B \
|
|
--push=false \
|
|
--sbom=none \
|
|
--platform=$(PLATFORM) \
|
|
--tags latest,$(GIT_VERSION),$(GIT_HASH) \
|
|
github.com/ossf/scorecard/v4/clients/githubrepo/roundtripper/tokens/server
|
|
|
|
###############################################################################
|