Merge branch 'main' of https://github.com/kgangerlm/scorecard-gitlab …

…into commit-depth
kgangerlm · Nov 7, 2023 · 95beaaf · 95beaaf
2 parents 92a5344 + fbffff1
commit 95beaaf
Show file tree

Hide file tree

Showing 452 changed files with 53,852 additions and 9,611 deletions.
diff --git a/.codecov.yml b/.codecov.yml
@@ -5,9 +5,16 @@ codecov:
     require_ci_to_pass: yes
 
 ignore:
+  - "**/*.pb.go"
   - "cron/**/*"
   - "clients/mockclients/**/*"
-  - "attestor/command/**/*"
+  # ignoring them as these are internal tools for generating docs.
+  - "docs/**/*"
+  # this is the runner
+  - "main.go"
+  # this package is deprecated and going to be removed.
+  - "dependencydiff/**/*"
+
 coverage:
   precision: 2
   round: down
@@ -16,16 +23,15 @@ coverage:
   status:
     project:
       default:
-        enabled: true
-        # allowed to drop coverage and still result in a "success" commit status
-        threshold: null
+        informational: true
         if_not_found: success
         if_no_uploads: success
         if_ci_failed: error
     patch:
       default:
-        enabled: true
-        threshold: 90%
+        # patch coverage should be within 10% of existing coverage
+        target: auto
+        threshold: 10%
         if_not_found: success
         if_no_uploads: success
         if_ci_failed: error

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -4,12 +4,8 @@
 # the repo. Unless a later match takes precedence,
 # the following users/teams will be requested for
 # review when someone opens a pull request.
-# TODO(owners): For ease of management, this should eventually shift to a
-#               defined GitHub team instead of individual usernames
-* @azeemshaikh38 @justaugustus @laurentsimon @naveensrinivasan @spencerschrock @raghavkaul
+* @ossf/scorecard-maintainers
 
 # Docs
-# TODO(owners): For ease of management, this should eventually shift to a
-#               defined GitHub team instead of individual usernames
-*.md @olivekl
-/docs/ @olivekl
+*.md @ossf/scorecard-doc-maintainers
+/docs/ @ossf/scorecard-doc-maintainers
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -74,3 +74,10 @@ updates:
   rebase-strategy: disabled
   commit-message:
       prefix: ":seedling:"
+- package-ecosystem: docker
+  directory: "/attestor"
+  schedule:
+    interval: weekly
+  rebase-strategy: disabled
+  commit-message:
+      prefix: ":seedling:"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -52,17 +52,17 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v1
+      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
     - name: Checkout repository
-      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v2.3.4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
 
-      uses: github/codeql-action/init@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v1
+      uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v1
       with:
         languages: ${{ matrix.language }}
         queries: +security-extended
@@ -74,7 +74,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v1
+      uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # v1
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -88,4 +88,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v1
+      uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v1
diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml
@@ -22,6 +22,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e
+        uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034