Merge branch 'main' into rajbos-patch-1

ossf · Aug 1, 2023 · f086d03 · f086d03
2 parents db3b971 + 5b80fbc
commit f086d03
Show file tree

Hide file tree

Showing 11 changed files with 13 additions and 6 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -39,7 +39,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@004c5de30b6423267685b897a3d595e944f7fed5 # v2.1.11
+      uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.1.11
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -50,7 +50,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@004c5de30b6423267685b897a3d595e944f7fed5 # v2.1.11
+      uses: github/codeql-action/autobuild@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.1.11
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -64,4 +64,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@004c5de30b6423267685b897a3d595e944f7fed5 # v2.1.11
+      uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.1.11
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -31,7 +31,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -39,6 +39,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@004c5de30b6423267685b897a3d595e944f7fed5 # v2.1.27
+        uses: github/codeql-action/upload-sarif@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.1.27
         with:
           sarif_file: results.sarif
diff --git a/README.md b/README.md
@@ -191,7 +191,7 @@ If possible, we will work on making this feature more flexible so we can drop th
 ### Uploading Artifacts
 The Scorecards Action uses the [artifact uploader action](https://github.com/actions/upload-artifact) to upload results in SARIF format to the Actions tab. These results are available to anybody for five days after the run to help with debugging. To disable the upload, comment out the `Upload Artifact` value in the Workflow Example.
 
-Note: if you disable this option, the results of the Scorecards Action run will be available only to maintainers (on the Security tab scanning dashboard).
+Note: if you disable this option, the results of the Scorecards Action run will be only available to people with write access or more. You can find the results on the Security tab scanning dashboard).
 
 ### Workflow Example
 

diff --git a/entrypoint/entrypoint.go b/entrypoint/entrypoint.go
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+// Package entrypoint provides functionality to run Scorecard.
 package entrypoint
 
 import (

diff --git a/github/github.go b/github/github.go
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+// Package github provides repo information from GitHub.
 package github
 
 import (

diff --git a/install/cli/cli.go b/install/cli/cli.go
@@ -14,6 +14,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
+// Package cli contains the root CLI command.
 package cli
 
 import (

diff --git a/install/github/github.go b/install/github/github.go
@@ -14,6 +14,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
+// Package github interacts with GitHub repos and orgs.
 package github
 
 import (

diff --git a/install/install.go b/install/install.go
@@ -14,6 +14,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
+// Package install contains functionality to install the OpenSSF Scorecard workflow.
 package install
 
 import (

diff --git a/install/options/options.go b/install/options/options.go
@@ -14,6 +14,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
+// Package options provides installation options for the scorecard action.
 package options
 
 import (

diff --git a/main.go b/main.go
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+// Command scorecard-action is the entrypoint for the Scorecard GitHub Action.
 package main
 
 import (