✨ Move "EnforcesAdmins" to tier 5 Branch-Protection #3502
Merged: spencerschrock merged 3 commits into ossf:main from spencerschrock:branch-protection/move-enforce-admin on Sep 25, 2023
Conversation
Scores in some tests either increase to 3, or 4, since EnforceAdmins no longer keeps them in tier 1. The number of Debug, Info, and Warn messages will decrease by 1 per branch, since we're no longer logging them. Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
spencerschrock temporarily deployed to gitlab, September 20, 2023 21:44, with GitHub Actions (Inactive)
spencerschrock temporarily deployed to integration-test, September 20, 2023 21:44, with GitHub Actions (Inactive)
Codecov Report
@@ Coverage Diff @@
##             main    #3502      +/-   ##
==========================================
- Coverage   74.33%   66.95%   -7.38%
==========================================
  Files         188      188
  Lines       13444    13425      -19
==========================================
- Hits         9993     8989    -1004
- Misses       2890     3937    +1047
+ Partials      561      499      -62
spencerschrock requested review from azeemshaikh38, justaugustus, laurentsimon, naveensrinivasan and raghavkaul as code owners, September 25, 2023 14:05
laurentsimon approved these changes, Sep 25, 2023
spencerschrock temporarily deployed to gitlab, September 25, 2023 18:58, with GitHub Actions (Inactive)
spencerschrock temporarily deployed to integration-test, September 25, 2023 18:59, with GitHub Actions (Inactive)
ashearin pushed a commit to kgangerlm/scorecard-gitlab that referenced this pull request, Nov 13, 2023
* Remove EnforceAdmins from tier 1. Scores in some tests either increase to 3, or 4, since EnforceAdmins no longer keeps them in tier 1. The number of Debug, Info, and Warn messages will decrease by 1 per branch, since we're no longer logging them. Signed-off-by: Spencer Schrock <[email protected]>
* move enforce admins to tier 5. Signed-off-by: Spencer Schrock <[email protected]>
--------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
cx-monicac added a commit to SCS-Micro-Engines/scorecard-cx that referenced this pull request, Feb 28, 2024
* :seedling: Remove go.mod replaces (#3440)
  * remove old replace directives. Signed-off-by: Spencer Schrock <[email protected]>
  * Remove dgrijalva/jwt-go replace. Project now maintained at github.com/golang-jwt/jwt. So it's unused. Signed-off-by: Spencer Schrock <[email protected]>
  * remove replace on unused github.com/buger/jsonparser Signed-off-by: Spencer Schrock <[email protected]>
  * remove unused github.com/gorilla/handlers replace. Signed-off-by: Spencer Schrock <[email protected]>
  * remove unused github.com/miekg/dns Signed-off-by: Spencer Schrock <[email protected]>
  * remove unused github.com/ulikunitz/xz Signed-off-by: Spencer Schrock <[email protected]>
  * remove unused github.com/satori/go.uuid Signed-off-by: Spencer Schrock <[email protected]>
  * replace directive no longer needed for github.com/opencontainers/image-spec. Signed-off-by: Spencer Schrock <[email protected]>
  * potentially unneeded replace for github.com/emicklei/go-restful Signed-off-by: Spencer Schrock <[email protected]>
  * potentially unneeded replace for github.com/docker/distribution Signed-off-by: Spencer Schrock <[email protected]>
  --------- Signed-off-by: Spencer Schrock <[email protected]>
* :seedling: Bump actions/cache from 3.3.1 to 3.3.2 (#3463) Bumps [actions/cache](https://github.com/actions/cache) from 3.3.1 to 3.3.2. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8...704facf57e6136b1bc63b828d79edcd491f0ee84) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#3459) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.2 to 3.1.3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/0b7f8abb1508181956e8e162db84b466c27e18ce...a8a3f3ad30e3422c9c7b888a15615d19a852ae32) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#3461) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.8 to 3.1.0. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/f6fff72a3217f580d5afd49a46826795305b63c7...6c5ccdad469c9f8a2996bfecaec55a631a347034) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump tj-actions/changed-files from 39.0.0 to 39.0.2 (#3470) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.0.0 to 39.0.2. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/48566bbcc22ceb7c5809ebdd27377309f2c3de8c...6ee9cdc5816333acda68e01cf12eedc619e28316) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/bradleyfalzon/ghinstallation/v2 (#3467) Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.6.0 to 2.7.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](https://github.com/bradleyfalzon/ghinstallation/compare/v2.6.0...v2.7.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump cloud.google.com/go/bigquery from 1.54.0 to 1.55.0 (#3471) Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.54.0 to 1.55.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.54.0...bigquery/v1.55.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* ✨ Support Branch-Protection via GitHub Repository Rules (#3354)
  * repo rulesets via v4 api Signed-off-by: Peter Wagner <[email protected]>
  * good enough fnmatch implementation. Signed-off-by: Spencer Schrock <[email protected]>
  * good enough rulesMatchingBranch Signed-off-by: Peter Wagner <[email protected]>
  * apply matching repo rules to branch protection settings Signed-off-by: Peter Wagner <[email protected]>
  * rules: consider admins and require checks Signed-off-by: Peter Wagner <[email protected]>
  * non-structural changes from PR feedback Signed-off-by: Peter Wagner <[email protected]>
  * fetch default branch name during repo rules query Signed-off-by: Peter Wagner <[email protected]>
  * Testing applyRepoRules Tests assume a single rule is being applied to a branch, which might be guarded by a legacy branch protection rule. I think this logic gets problematic when there are multiple rules overlaid on the same branch: the "the existing rules does not enforce for admins, but i do and therefore this branch now does" will give false-positives. Signed-off-by: Peter Wagner <[email protected]>
  * Test_applyRepoRules: builder and standardize names Signed-off-by: Peter Wagner <[email protected]>
  * attempt to upgrade/downgrade EnforceAdmins as each rule is applied Signed-off-by: Peter Wagner <[email protected]>
  * simplify enforce admin for now. Signed-off-by: Spencer Schrock <[email protected]>
  * handle merging pull request reviews Signed-off-by: Spencer Schrock <[email protected]>
  * handle merging check rules Signed-off-by: Spencer Schrock <[email protected]>
  * handle last push approval Signed-off-by: Spencer Schrock <[email protected]>
  * handle linear history Signed-off-by: Spencer Schrock <[email protected]>
  * use constants for github rule types. Signed-off-by: Spencer Schrock <[email protected]>
  * add status check test. Signed-off-by: Spencer Schrock <[email protected]>
  * add e2e test for repo rules. Signed-off-by: Spencer Schrock <[email protected]>
  * handle nil branch name data Signed-off-by: Spencer Schrock <[email protected]>
  * add tracking issue. Signed-off-by: Spencer Schrock <[email protected]>
  * fix precedence in if statement Signed-off-by: Spencer Schrock <[email protected]>
  * include repo rules in the check docs. Signed-off-by: Spencer Schrock <[email protected]>
  --------- Signed-off-by: Peter Wagner <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Co-authored-by: Spencer Schrock <[email protected]>
* 🌱 workflows/stale: Update workflow to increase operations-per-run to process more issues (#3483)
  * Update workflow to increase operations per run to process more issues
  * 🌱 workflows/stale: Increased operations-per-run from default and reduced days to close stale issues
* Update URI() for GitLab repos. Add fuzzing test (#3477) Signed-off-by: Raghav Kaul <[email protected]>
* :bug: Print Info in Empty Repo Scans (#3426)
  * issue 2157 changes Signed-off-by: leec94 <[email protected]>
  * incorporated feedback Signed-off-by: leec94 <[email protected]>
  * making the linter happy Signed-off-by: leec94 <[email protected]>
  * changing to local variable, testing still not working Signed-off-by: leec94 <[email protected]>
  * update tests to ignore date Signed-off-by: leec94 <[email protected]>
  * ran through linter Signed-off-by: leec94 <[email protected]>
  * resolving suggestions Signed-off-by: leec94 <[email protected]>
  --------- Signed-off-by: leec94 <[email protected]>
* :seedling: Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 (#3478) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 4.6.0 to 5.0.0. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](https://github.com/goreleaser/goreleaser-action/compare/5fdedb94abba051217030cc86d4523cf3f02243d...7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/go-git/go-git/v5 from 5.8.1 to 5.9.0 (#3479) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.8.1 to 5.9.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.8.1...v5.9.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/google/osv-scanner from 1.3.6 to 1.4.0 (#3481) Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.6 to 1.4.0. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/compare/v1.3.6...v1.4.0) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump tj-actions/changed-files from 39.0.2 to 39.1.0 (#3488) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.0.2 to 39.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/6ee9cdc5816333acda68e01cf12eedc619e28316...8e79ba7ab9fee9984275219aeb2c8db47bcb8a2d) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :book: Add webviewer link (#3490)
  * Update README.md Add link to webviewer
  * Update faq.md Update webviewer link in FAQ
  * Update README.md Typo
  * Update faq.md Linebreak
* 🌱 workflows/stale: Remove issue auto-close (#3493)
* :seedling: Reduce confusion around codecov check status. (#3492) With our current upload setup, it will always show a drop of 6-7%. This is confusing to contributors, so make the check always pass. Also fixes the threshold for the patch coverage. Signed-off-by: Spencer Schrock <[email protected]>
* :book: Add gitlab links to viewer example (#3494)
  * Update README.md Signed-off-by: olivekl <[email protected]>
  * Update faq.md Signed-off-by: olivekl <[email protected]>
  --------- Signed-off-by: olivekl <[email protected]>
* :bug: Fix npe for GitLab repos without license API data (#3500) Signed-off-by: Raghav Kaul <[email protected]>
* :seedling: Bump tj-actions/changed-files from 39.1.0 to 39.1.2 (#3504) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.1.0 to 39.1.2. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/8e79ba7ab9fee9984275219aeb2c8db47bcb8a2d...41960309398d165631f08c5df47a11147e14712b) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump actions/checkout from 4.0.0 to 4.1.0 (#3511) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/3df4ab11eba7bda6032a0b82a6bb43b11571feac...8ade135a41bc03ea155e62e844d188df1ea18608) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :sparkles: scdiff: add basic stats command to count scores by buckets (#3458)
  * wip Signed-off-by: Spencer Schrock <[email protected]>
  * output via tabwriter Signed-off-by: Spencer Schrock <[email protected]>
  * specify by check. Signed-off-by: Spencer Schrock <[email protected]>
  * Return aggregate score when unmarshalling. Signed-off-by: Spencer Schrock <[email protected]>
  * convert from score to bucket in one place. use aggregate score from func Signed-off-by: Spencer Schrock <[email protected]>
  * fix forgotten usage of ExperimentalFromJSON2 Signed-off-by: Spencer Schrock <[email protected]>
  * use sentinel errors. Signed-off-by: Spencer Schrock <[email protected]>
  * move counting to own func for testability Signed-off-by: Spencer Schrock <[email protected]>
  * remove unneeded fields from results for readability. Signed-off-by: Spencer Schrock <[email protected]>
  * add test for parse errors. Signed-off-by: Spencer Schrock <[email protected]>
  * share max result size for any bufio.Scanner which reads results. Signed-off-by: Spencer Schrock <[email protected]>
  * add basic overall test for calcing stats. Signed-off-by: Spencer Schrock <[email protected]>
  * make missing file argument generic. Signed-off-by: Spencer Schrock <[email protected]>
  * validate min args with cobra. Signed-off-by: Spencer Schrock <[email protected]>
  --------- Signed-off-by: Spencer Schrock <[email protected]>
* :seedling: Switch test import to remove gotest.tools dependency. (#3501) Signed-off-by: Spencer Schrock <[email protected]>
* :bug: Set repo commit SHA in results after fetching successfully. (#3514) Signed-off-by: Spencer Schrock <[email protected]>
* :seedling: Don't close stale issues explicitly (#3513) Issues are still getting closed after https://github.com/ossf/scorecard/pull/3493. I assume there's a default value being used somewhere. Signed-off-by: Spencer Schrock <[email protected]>
* :sparkles: Move "EnforcesAdmins" to tier 5 Branch-Protection (#3502)
  * Remove EnforceAdmins from tier 1. Scores in some tests either increase to 3, or 4, since EnforceAdmins no longer keeps them in tier 1. The number of Debug, Info, and Warn messages will decrease by 1 per branch, since we're no longer logging them. Signed-off-by: Spencer Schrock <[email protected]>
  * move enforce admins to tier 5. Signed-off-by: Spencer Schrock <[email protected]>
  --------- Signed-off-by: Spencer Schrock <[email protected]>
* :bug: Pinned-Dependencies: only score detected ecosystems (#3436)
  * feat: Define if dependency is pinned or unpinned Add a field Pinned to Dependency structure. Update to save Dependencies pinned and unpinned. Not only unpinned ones. All download then run executions are considered unpinned. Because there is no remediation to pin them. For package manager downloads: add early return if there are no commands, separate package manager identification (go, npm, choco, pip) from decision if installation is pinned or unpinned. Change Go case "go get -d -v" considered pinned, to any Go installations containing "-d" to be considered pinned. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * refactor: Convert diff var types to pointer We need to add a new conversion of boolean to pointer. Currently, we had string and int conversions named asPointer but not used in the same file. In order to know when we are using which conversion and considering bool and string would have to be used in the same file, it was needed to differentiate the method names. New method names are asIntPointer, asStringPointer and soon asBoolPointer. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Pinned Dependency field type Field needs to be a pointer to work when accessing values on evaluation. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * feat: Count pinned and unpinned deps We're changing the ecosystems result structure. The result structure previously stored if the ecosystem is fully pinned or not. The new result structure can tell how many dependencies of that ecosystem were found and how many were pinned. This change is necessary to ignore not applicable ecosystems on the final aggregated score. When iterating the dependencies, now we go through pinned and unpinned dependencies, not only unpinned, and in each iteration we update the result. We kept the behavior of only log warnings for unpinned dependencies. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * feat: Flag not applicable ecosystems If no dependencies of an ecosystem are found, it results in an inconclusive score (-1). As in other checks, this means here that the ecosystem scoring is not applicable in this case. At the same time, we are keeping the scoring criteria the same. If all dependencies are pinned, it results in maximum score (10) and if 1 or more dependencies are unpinned, it results in a minimum score (0) for that ecosystem. GitHub workflow cases are handled differently but the idea is the same. We are also adding a log to know when an ecosystem was not found. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * feat: Score only applicable ecosystems Signed-off-by: Gabriela Gutierrez <[email protected]>
  * feat: If no dependencies then create inconclusive score Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: GitHub Actions score and logs Change test from `createReturnValuesForGitHubActionsWorkflowPinned` function to `createReturnForIsGitHubActionsWorkflowPinned` wrapper function so we can test logs. We have adjusted the existing test cases and included new test cases. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Pinned dependencies score Break "various warnings" tests into smaller tests for pinned and unpinned dependencies and how they react to warn and debug messages. Plus add tests for how the score is affected when all dependencies are pinned, when no dependencies are pinned, when there are no dependencies, and partial dependencies pinned. Also, how dependencies unpinned in 1 or multiple ecosystems affect the warn messages, add one unpinned case for each ecosystem to see if they are being detected and separate the download then run 2 possible cases, they are currently scoring and logging wrong due to a bug. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Ecosystems score and logs Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Remove deleted maxScore function test When we changed the scoring method to ignore not applicable scores, we removed the normalization of inconclusive scores to 0. The normalization was done by `maxScore` function, that was deleted in the process. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Adding GitHub Actions dependencies to result Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Update GitHub Actions result Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Update pip installs result Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Handle if nuget dependency is pinned or unpinned Signed-off-by: Gabriela Gutierrez <[email protected]>
  * tests: Fix check warnings for unpinned dependencies Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Linter errors Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: GitHub Actions pinned log If, for example, you have GitHub-owned actions and no Third-party actions, you should receive a "no Third-party actions found" log and not receive an "all Third-party actions are pinned" log. At the same time, you deserve the score of pinning Third-party to complement the GitHub-owned score. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix "ossf-tests/scorecard-check-pinned-dependencies-e2e" The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for actionScore, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 28/7 =~ 4, and now the total score is 18/6 =~ 3. The number of logs remains the same. The "all Third-party actions are pinned" will be replaced by "no Third-party actions found", which is a more realistic info and same thing for npm installs. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * Revert rename `asPointer` to `asStringPointer` Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Handle deps with parsing error and undefined pinning When a dependency has a parsing error it ends up with a `Msg` field. In this case, the dependency should not count in the final score, so we should not `updatePinningResults` in this case. Also, to continue with the evaluation calculation, we need to make sure the dependencies have a `Pinned` state. Here we are adding this validation for it along with a debug log. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Delete unnecessary test We already have separate test for if 1 unpinned dependency shows a warn message, and 2 cases for when dependencies have errors and show a debug message. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Add missing dep Location cases Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Simplify Dockerfile pinned as name logic Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: If ecosystem is not found show debug log If ecosystem is not found show debug log, not info log. This affects the tests, all not found ecosystems will "move" from info logs to debug logs. We are also complementing the `all dependencies pinned` and `all dependencies unpinned` cases so we have the max score case and the min score case using all kinds of dependencies. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix e2e tests and more unit tests Signed-off-by: Gabriela Gutierrez <[email protected]>
  * feat: Iterate all dependency types for final score Now we iterate all existing dependency types in the final score. This will fix the problem of new ecosystems not being counted in the final score because we needed to update the evaluation part. This also fixes the problem of download then run being counted twice for the score. Now, we only have debug logs when there are errors with the dependency metadata. That means we don't log anymore when dependencies of an ecosystem are not found. We changed the info log format when dependencies are all pinned. We simplified the calculation of the scores. We removed unused error returns. And now we only iterate existing ecosystems. If an ecosystem is not found we will not iterate it. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * feat: Proportional score We count all pinned dependencies over the total found dependencies of all ecosystems for the final score. But, we still want to give low priority to GHA GitHub-owned dependencies over GHA third-party dependencies. That's why we are doing a weighted proportional score, all ecosystems have a normal weight of 10 but GHAs have a weight. If you only have GitHub-owned, it will count as 10, because GHA don't weigh less than other ecosystems. Same for GHA third-party, if you only have GHA third-party, it will also count as 10, because GHAs don't weigh less than other ecosystems. But if you have both GHA GitHub-owned and third-party, GitHub-owned counts less than third-party. Trying to keep the same weight as before, GitHub-owned weighs 8 and third-party weighs 2. These weights will make the score be more penalized if you have unpinned third-party and less penalized if you have unpinned GitHub-owned. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: GHA weights in proportional score Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix scores and logs checking Add new cases for GHA scores since it's weighted differently now. Remove `createReturnValues` test since the function was removed. Fix current tests to adjust number of logs since we don't log if all dependencies are pinned or not anymore. Fix partially pinned score. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix e2e test The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for GHA ecosystem, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 18/6 =~ 3. Now, we count 5/6 GitHub-owned GHA pinned, 23/36 containerImage pinned, 0/88 downloadThenRun pinned, 2/49 pipCommand pinned, 17/17 goCommand pinned. This results in 47/186 pinned dependencies which results in 2.5 score, that is rounded down to 2. Plus, the number of info was reduced since we don't log info for "all pinned dependencies in X ecosystem" anymore. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * refactor: Rename to ProportionalScoreWeighted Signed-off-by: Gabriela Gutierrez <[email protected]>
  * refactor: Var declarations to create proportional score Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Remove unnecessary pointer Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Dependencies priority declaration Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Ecosystem spelling Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Handle 0 weight and 0 total when creating proportional weighted score Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Revert -d flag identification change Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: npm ci command is npm download and is pinned Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Linter errors Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Unexport error variable to other packages Signed-off-by: Gabriela Gutierrez <[email protected]>
  * refactor: Simplify no score groups condition Signed-off-by: Gabriela Gutierrez <[email protected]>
  * feat: Log proportion of dependencies pinned Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix unit tests to include info logs The number of info logs should be same number of identified ecosystems. GitHub-owned GitHubAction and third-party GitHubAction count as different ecosystems. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix e2e tests to include info logs The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has GitHub-owned GitHubActions, containerImage, downloadThenRun, pipCommand and goCommand dependencies. Therefore it will have 5 Info logs, one for each ecosystem. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Linter error Signed-off-by: Gabriela Gutierrez <[email protected]>
  --------- Signed-off-by: Gabriela Gutierrez <[email protected]>
* :seedling: Bump github.com/onsi/ginkgo/v2 in /tools (#3497) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.0 to 2.12.1. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.12.0...v2.12.1) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.12.0 to 2.12.1 (#3496) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.0 to 2.12.1. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.12.0...v2.12.1) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/xanzy/go-gitlab from 0.91.1 to 0.92.1 (#3517) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.91.1 to 0.92.1. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.91.1...v0.92.1) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* 📖 Update docs for Signed-Releases check (#3469)
  * Update docs for signed-releases Signed-off-by: Raghav Kaul <[email protected]>
  * update docs Signed-off-by: Raghav Kaul <[email protected]>
  --------- Signed-off-by: Raghav Kaul <[email protected]>
* :seedling: Bump github.com/rhysd/actionlint from 1.6.15 to 1.6.26 (#3489)
  * bump actionlint. Signed-off-by: Spencer Schrock <[email protected]>
  * fix unit tests. Signed-off-by: Spencer Schrock <[email protected]>
  * include latest update. Signed-off-by: Spencer Schrock <[email protected]>
  --------- Signed-off-by: Spencer Schrock <[email protected]>
* :seedling: Bump github.com/onsi/gomega from 1.27.10 to 1.28.0 (#3523) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.10 to 1.28.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.10...v1.28.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* ✨ Add --output argument to write results to file (#3482)
  * feat: Create output file argument Signed-off-by: Gabriela Gutierrez <[email protected]>
  * feat: Write results to output file Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Default results format output Print results headline to output, which may be a file. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * feat: Log start and end of checks work to console Independent of the logs being output to console or a file, the information on which checks are running is still relevant. Now, we always log this info to the console. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix options unit tests Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Output option content and shorthand Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Output to file with correct format Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix helper function with linter error Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Define output to console or file inside FormatResults Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Remove intermediate variable to define output Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix error log Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Close output file before write results Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix unit test Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix remove file even if test fails Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix fail test cases Fail test if cannot format results or cannot read real or expected outputs.
Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Copyright notice year and license header spacing Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Rename Output to ResultsFile Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Linter errors Signed-off-by: Gabriela Gutierrez <[email protected]> * Revert "feat: Log start and end of checks work to console" This reverts commit c4a00a5ca7268d91940dd2784277373e630fcad2. Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Print results headline in default format Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Fix default format result test Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Close output only when it's file Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Linter error Signed-off-by: Gabriela Gutierrez <[email protected]> --------- Signed-off-by: Gabriela Gutierrez <[email protected]> * :seedling: Bump step-security/harden-runner from 2.5.1 to 2.6.0 (#3532) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.5.1 to 2.6.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/8ca2b8b2ece13480cda6dacd3511b49857a23c09...1b05615854632b887b69ae1be8cbefe72d3ae423) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump tj-actions/changed-files from 39.1.2 to 39.2.1 (#3531) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.1.2 to 39.2.1. 
- [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/41960309398d165631f08c5df47a11147e14712b...db153baf731265ad02cd490b07f470e2d55e3345) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Fix race condition in output file test. (#3533) Signed-off-by: Spencer Schrock <[email protected]> * :book: Fix documentation typos (#3505) * fix typo Signed-off-by: omahs <[email protected]> * fix typos Signed-off-by: omahs <[email protected]> * fix typo Signed-off-by: omahs <[email protected]> * fix typo Co-authored-by: Raghav Kaul <[email protected]> Signed-off-by: omahs <[email protected]> * fix typos Signed-off-by: omahs <[email protected]> --------- Signed-off-by: omahs <[email protected]> * :sparkles: broaden job matcher for semantic release (#3506) * feat: broaden job matcher for semantic release Signed-off-by: secustor <[email protected]> * tests(checks/permissions): add tests for semantic release if using pnpm and yarn Signed-off-by: secustor <[email protected]> --------- Signed-off-by: secustor <[email protected]> * :seedling: Bump nick-invision/retry from 2.8.3 to 2.9.0 (#3519) Bumps [nick-invision/retry](https://github.com/nick-invision/retry) from 2.8.3 to 2.9.0. 
- [Release notes](https://github.com/nick-invision/retry/releases) - [Changelog](https://github.com/nick-fields/retry/blob/master/.releaserc.js) - [Commits](https://github.com/nick-invision/retry/compare/943e742917ac94714d2f408a0e8320f2d1fcafcd...14672906e672a08bd6eeb15720e9ed3ce869cdd4) --- updated-dependencies: - dependency-name: nick-invision/retry dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/xanzy/go-gitlab from 0.92.1 to 0.92.3 (#3528) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.92.1 to 0.92.3. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.92.1...v0.92.3) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/otiai10/copy from 1.12.0 to 1.14.0 (#3527) Bumps [github.com/otiai10/copy](https://github.com/otiai10/copy) from 1.12.0 to 1.14.0. - [Release notes](https://github.com/otiai10/copy/releases) - [Commits](https://github.com/otiai10/copy/compare/v1.12.0...v1.14.0) --- updated-dependencies: - dependency-name: github.com/otiai10/copy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/google/osv-scanner from 1.4.0 to 1.4.1 (#3536) Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.0 to 1.4.1. 
- [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/compare/v1.4.0...v1.4.1) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/xanzy/go-gitlab from 0.92.3 to 0.93.0 (#3537) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.92.3 to 0.93.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.92.3...v0.93.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :sparkles: scdiff: Limit generating results to specific checks (#3535) * accept checks arg when generating golden. Signed-off-by: Spencer Schrock <[email protected]> * dont shadow import Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> * :seedling: Add probe test utility (#3541) Signed-off-by: AdamKorcz <[email protected]> * :seedling: Sort fields of raw results alphabetically (#3540) Signed-off-by: AdamKorcz <[email protected]> Co-authored-by: laurentsimon <[email protected]> * :seedling: Bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#3544) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.2.0 to 2.3.0. 
- [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/08b4669551908b1024bb425080c797723083c031...483ef80eb98fb506c348f7d62e28055e49fe2398) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump golang.org/x/oauth2 from 0.12.0 to 0.13.0 (#3545) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.12.0 to 0.13.0. - [Commits](https://github.com/golang/oauth2/compare/v0.12.0...v0.13.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/xanzy/go-gitlab from 0.93.0 to 0.93.1 (#3546) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.93.0 to 0.93.1. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.93.0...v0.93.1) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump distroless/base from `27647a6` to `29da700` and golang from `ec457a2` to `e9ebfe9` (#3548) * bump distroless. 
Signed-off-by: Spencer Schrock <[email protected]> * bump golang 1.21 Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> * :seedling: Bump cloud.google.com/go/bigquery from 1.55.0 to 1.56.0 (#3538) Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.55.0 to 1.56.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.55.0...bigquery/v1.56.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Add OutcomeNotApplicable (#3539) Signed-off-by: AdamKorcz <[email protected]> * :sparkles: Add additional fuzzing probes (#3473) * Extend with additional fuzzing probes Signed-off-by: David Korczynski <[email protected]> * fix formatting Signed-off-by: David Korczynski <[email protected]> * cleanup formatting Signed-off-by: David Korczynski <[email protected]> * make skip testing optional Signed-off-by: David Korczynski <[email protected]> * address reviews Signed-off-by: David Korczynski <[email protected]> * add todo Signed-off-by: David Korczynski <[email protected]> * nit Signed-off-by: David Korczynski <[email protected]> * nit Signed-off-by: David Korczynski <[email protected]> * add swift fuzzing probe Signed-off-by: David Korczynski <[email protected]> * avoid changing OnMatchingFileContentDo Signed-off-by: David Korczynski <[email protected]> * nit Signed-off-by: David Korczynski <[email protected]> * undo matching file content extension Signed-off-by: David Korczynski <[email protected]> * nit: fix constant Signed-off-by: David Korczynski <[email 
protected]> * test all fileMatchPatterns per client Signed-off-by: David Korczynski <[email protected]> * fix test logging counts Signed-off-by: David Korczynski <[email protected]> * nit Signed-off-by: David Korczynski <[email protected]> --------- Signed-off-by: David Korczynski <[email protected]> * :book: fix "default" typo (#3543) Signed-off-by: guoguangwu <[email protected]> * :seedling: checks/raw: fix struct alignment linter issue (#3550) Signed-off-by: Spencer Schrock <[email protected]> * :seedling: Add map to Finding (#3558) Signed-off-by: AdamKorcz <[email protected]> * :seedling: Bump golang.org/x/net from 0.16.0 to 0.17.0 (#3563) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.16.0 to 0.17.0. - [Commits](https://github.com/golang/net/compare/v0.16.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump golang.org/x/net from 0.14.0 to 0.17.0 in /tools (#3562) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.14.0 to 0.17.0. - [Commits](https://github.com/golang/net/compare/v0.14.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Adding all Intel public GitHub repos (#3556) Signed-off-by: Ryan Ware <[email protected]> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 (#3551) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.1 to 2.13.0. 
- [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.12.1...v2.13.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/onsi/ginkgo/v2 in /tools (#3552) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.1 to 2.13.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.12.1...v2.13.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#3557) Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.9 to 0.6.0. - [Release notes](https://github.com/google/go-cmp/releases) - [Commits](https://github.com/google/go-cmp/compare/v0.5.9...v0.6.0) --- updated-dependencies: - dependency-name: github.com/google/go-cmp dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump kubernetes-sigs/kubebuilder-release-tools (#3553) Bumps [kubernetes-sigs/kubebuilder-release-tools](https://github.com/kubernetes-sigs/kubebuilder-release-tools) from 0.3.0 to 0.4.0. 
- [Release notes](https://github.com/kubernetes-sigs/kubebuilder-release-tools/releases) - [Changelog](https://github.com/kubernetes-sigs/kubebuilder-release-tools/blob/master/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/kubebuilder-release-tools/compare/4f3d1085b4458a49ed86918b4b55505716715b77...d8367c29de8af903319d3a76de2436672515729b) --- updated-dependencies: - dependency-name: kubernetes-sigs/kubebuilder-release-tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :bug: Fix wrong quotes (#3565) Signed-off-by: AdamKorcz <[email protected]> * :seedling: Add new outcome to UnmarshalYAML (#3566) Signed-off-by: AdamKorcz <[email protected]> * :bug: scdiff: fix generate cmd when no --checks arg provided. (#3570) Signed-off-by: Spencer Schrock <[email protected]> * :sparkles: scdiff: improve `compare` usability (#3573) * fallback to cron style when parsing dates. The cron output was never updated in #2712. In the interim, support both formats. Signed-off-by: Spencer Schrock <[email protected]> * continue on first diff, to highlight all differences. Signed-off-by: Spencer Schrock <[email protected]> * tests for date fallback. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> * :sparkles: Add fast-check test runners integrations (#3568) Signed-off-by: Pierre Cavin <[email protected]> * :seedling: Bump github.com/bradleyfalzon/ghinstallation/v2 (#3575) Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.7.0 to 2.8.0. 
- [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](https://github.com/bradleyfalzon/ghinstallation/compare/v2.7.0...v2.8.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump tj-actions/changed-files from 39.2.1 to 39.2.3 (#3577) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.2.1 to 39.2.3. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/db153baf731265ad02cd490b07f470e2d55e3345...95690f9ece77c1740f4a55b7f1de9023ed6b1f87) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/google/ko from 0.14.1 to 0.15.0 in /tools (#3578) Bumps [github.com/google/ko](https://github.com/google/ko) from 0.14.1 to 0.15.0. - [Release notes](https://github.com/google/ko/releases) - [Changelog](https://github.com/ko-build/ko/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/ko/compare/v0.14.1...v0.15.0) --- updated-dependencies: - dependency-name: github.com/google/ko dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump actions/checkout from 4.1.0 to 4.1.1 (#3580) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8ade135a41bc03ea155e62e844d188df1ea18608...b4ffde65f46336ab88eb53be808477a3936bae11) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :bug: SAST detect new GitHub app slug for CodeQL (#3591) * Fix SAST no longer working for CodeQL The app slug for CodeQL appears to have changed from `github-advanced-security` to `github-code-scanning`, causing the SAST rule to false-negative on commits. Signed-off-by: martincostello <[email protected]> * Fix lint warning Fix lint warning. Signed-off-by: martincostello <[email protected]> --------- Signed-off-by: martincostello <[email protected]> * :seedling: enable the golangci-lint `bugs` preset (#3583) * enable bugs preset Signed-off-by: Spencer Schrock <[email protected]> * fix noctx linter Signed-off-by: Spencer Schrock <[email protected]> * fix bodyclose linter Signed-off-by: Spencer Schrock <[email protected]> * fix contextcheck linter Signed-off-by: Spencer Schrock <[email protected]> * This ignores all existing cases of musttag linter complaints. This analyzer seems useful in the future, but some of this code is old and I don't want to change it for existing code now. Signed-off-by: Spencer Schrock <[email protected]> * ignore existing nilerr lints. This behavior is from the initial commit, and primarily affects metrics. 
Leaving as is, and hope to benefit from the linter in the future. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> * :seedling: use forbidigo linter to prevent print statements (#3585) * enable forbidigo for print statements. include reasoning as message exposed to developer. Signed-off-by: Spencer Schrock <[email protected]> * remove or grant exceptions for existing print statements Signed-off-by: Spencer Schrock <[email protected]> * swap stdout to stderr Signed-off-by: Spencer Schrock <[email protected]> * separate msg from regex for better readability. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> * :bug: scanning gitlab private repositories (#3596) * fix: Run for gitlab private repos Signed-off-by: Gabriela Gutierrez <[email protected]> * test: gitlab repo is accessible Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: linter error Signed-off-by: Gabriela Gutierrez <[email protected]> --------- Signed-off-by: Gabriela Gutierrez <[email protected]> Co-authored-by: Raghav Kaul <[email protected]> * :seedling: Bump github.com/xanzy/go-gitlab from 0.93.1 to 0.93.2 (#3593) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.93.1 to 0.93.2. - [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.93.1...v0.93.2) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/onsi/gomega from 1.28.0 to 1.28.1 (#3597) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.28.0 to 1.28.1. 
- [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.28.0...v1.28.1) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: add style linters: mirror, tenv, usestdlibvars (#3586) * fix tenv linter and bug with t.Parallel Signed-off-by: Spencer Schrock <[email protected]> * fix usestdlibvars linter Signed-off-by: Spencer Schrock <[email protected]> * fix mirror linter Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> * :seedling: enable gomoddirectives linter. (#3584) Signed-off-by: Spencer Schrock <[email protected]> * :seedling: enable style linter `errname` (#3587) * enable errname linter Signed-off-by: Spencer Schrock <[email protected]> * convert publish err to custom error type. Signed-off-by: Spencer Schrock <[email protected]> * remove unused exported error. Signed-off-by: Spencer Schrock <[email protected]> * convert unsupported exporter type to custom error type. Signed-off-by: Spencer Schrock <[email protected]> * exempt public errors from linter. Signed-off-by: Spencer Schrock <[email protected]> * exempt cron config errors from linter. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> * :seedling: remove unused osv helper tool. (#3572) This is a followup cleanup of d4b44e52eb9a104949f617a62cf47291d1ea2d99 (#2303). Signed-off-by: Spencer Schrock <[email protected]> * :seedling: Bump github.com/golangci/golangci-lint in /tools (#3592) Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.54.2 to 1.55.0. 
- [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.54.2...v1.55.0) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: GitLab: track coverage for gitlab e2e tests (#3601) Signed-off-by: Raghav Kaul <[email protected]> * :seedling: Add license probe (#3465) * :seedling: Add license probe Signed-off-by: AdamKorcz <[email protected]> * [WIP] add two remaining license checks as probes Signed-off-by: AdamKorcz <[email protected]> * fix nits Signed-off-by: AdamKorcz <[email protected]> * Use Errorf in test Signed-off-by: AdamKorcz <[email protected]> * use zrunner Signed-off-by: AdamKorcz <[email protected]> * fix wrong return value Signed-off-by: AdamKorcz <[email protected]> * fix linting issues and remove empty default Signed-off-by: AdamKorcz <[email protected]> * fix double if statement Signed-off-by: AdamKorcz <[email protected]> * Remove struct field from test Signed-off-by: AdamKorcz <[email protected]> * Add test for nil-case of license files slice Signed-off-by: AdamKorcz <[email protected]> * rewrite multiple def.ymls Signed-off-by: AdamKorcz <[email protected]> * fix nits Signed-off-by: AdamKorcz <[email protected]> * Add unit test with multiple unapproved license files Signed-off-by: AdamKorcz <[email protected]> * Add link to approved license formats Signed-off-by: AdamKorcz <[email protected]> * fix linting Signed-off-by: AdamKorcz <[email protected]> * remove comment Signed-off-by: AdamKorcz <[email protected]> * preserve logging from original check Signed-off-by: AdamKorcz <[email protected]> * fix typo Signed-off-by: AdamKorcz <[email 
protected]> * remove redundant map manipulation Signed-off-by: AdamKorcz <[email protected]> * rename hasApproveLicense probe Signed-off-by: AdamKorcz <[email protected]> * Return OutcomeNotApplicable if hasFSFOrOSIApprovedLicense probe does not find a license Signed-off-by: AdamKorcz <[email protected]> * Include license file locations in log Signed-off-by: AdamKorcz <[email protected]> * fix linting issues Signed-off-by: AdamKorcz <[email protected]> * replace strings filtering with OutcomeNotApplicable in hasLicenseFileAtTopDir probe Signed-off-by: AdamKorcz <[email protected]> * Fix linter issue Signed-off-by: AdamKorcz <[email protected]> * Include location of found license files Signed-off-by: AdamKorcz <[email protected]> --------- Signed-off-by: AdamKorcz <[email protected]> * 🌱 convert packaging check to probe (#3486) * :seedling: convert packaging check to probe Signed-off-by: AdamKorcz <[email protected]> * amend text in def.yml Signed-off-by: AdamKorcz <[email protected]> * Correct short description in def.yml Signed-off-by: AdamKorcz <[email protected]> * log negative findings Signed-off-by: AdamKorcz <[email protected]> * rename probe Signed-off-by: AdamKorcz <[email protected]> * Fix the broken e2e test: The probe returned minimum score instead of inconclusive score which was not consistent with the previous scoring. This commit also removes the debug statements Signed-off-by: AdamKorcz <[email protected]> * change score text Signed-off-by: AdamKorcz <[email protected]> * include file details. process all packaging workflows Signed-off-by: AdamKorcz <[email protected]> --------- Signed-off-by: AdamKorcz <[email protected]> * :seedling: Add probe support for contributors metrics (#3460) * :seedling: Add probe support for cont…
What kind of change does this PR introduce?
half bug fix, half feature?
What is the current behavior?
The `EnforcesAdmin` setting is an admin-only setting when configured via Branch-Protection. Under repo rules, the setting is available via Bypass Actors (although we can't see who the bypass actor is).
As this setting is currently in tier 1, repos which declare any bypass actors will be limited to a score of 2 in tier 1.
Given the lack of visibility we have into exactly how it's configured, I don't think we should penalize repos to stay in tier 1. For example, https://github.com/abcxyz/pkg enforces its repo rules on its admins, but it does have a bypass actor defined for break glass scenarios.
What is the new behavior (if this is a feature change)?
The setting is moved to tier 5 (the "admin thorough review" level), so repos will still get credit for some of the other branch protections they do.
Which issue(s) this PR fixes
NONE
Special notes for your reviewer
We may run into more situations like this, as all "for administrators" settings will start to influence score calculation. I prioritized this one, as it was tier 1.
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to the `release-note` block. (In particular, describe what changes users might need to make in their application as a result of this pull request.)