From e66ec905fb692b0502557ad10ca40b4dea6447ff Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 11 Jul 2023 15:03:47 -0500 Subject: [PATCH 1/7] :seedling: Bump github/codeql-action from 2.20.2 to 2.20.3 (#1227) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.20.2 to 2.20.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/004c5de30b6423267685b897a3d595e944f7fed5...46ed16ded91731b2df79a2893d3aea8e9f03b5c4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 6 +++--- .github/workflows/scorecards.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index ea0f8cba..f90d453f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -39,7 +39,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@004c5de30b6423267685b897a3d595e944f7fed5 # v2.1.11 + uses: github/codeql-action/init@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.1.11 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -50,7 +50,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@004c5de30b6423267685b897a3d595e944f7fed5 # v2.1.11 + uses: github/codeql-action/autobuild@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.1.11 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -64,4 +64,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@004c5de30b6423267685b897a3d595e944f7fed5 # v2.1.11 + uses: github/codeql-action/analyze@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.1.11 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 19cd19a9..70217338 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -39,6 +39,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@004c5de30b6423267685b897a3d595e944f7fed5 # v2.1.27 + uses: github/codeql-action/upload-sarif@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.1.27 with: sarif_file: results.sarif From 465bd9b3ec8e2b64fda38cf25918c92404585b3b Mon Sep 17 00:00:00 2001 From: Rob Bos Date: Tue, 11 Jul 2023 22:16:20 +0200 Subject: [PATCH 2/7] Update README.md (#1229) Signed-off-by: Rob Bos --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2367e8b0..eedd12b8 100644 --- a/README.md +++ b/README.md @@ -191,7 +191,7 @@ If possible, we will work on making this feature more flexible so we can drop th ### Uploading Artifacts The Scorecards Action uses the [artifact uploader action](https://github.com/actions/upload-artifact) to upload results in SARIF format to the Actions tab. These results are available to anybody for five days after the run to help with debugging. To disable the upload, comment out the `Upload Artifact` value in the Workflow Example. -Note: if you disable this option, the results of the Scorecards Action run will be available only to maintainers (on the Security tab scanning dashboard). +Note: if you disable this option, the results of the Scorecards Action run will be only available to people with write access or more. You can find the results on the Security tab scanning dashboard). ### Workflow Example From 3f76786b28841ee551f2387b4cc51ebe2cda4112 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Jul 2023 12:05:00 -0500 Subject: [PATCH 3/7] :seedling: Bump github/codeql-action from 2.20.3 to 2.20.4 (#1232) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.20.3 to 2.20.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/46ed16ded91731b2df79a2893d3aea8e9f03b5c4...489225d82a57396c6f426a40e66d461b16b3461d) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 6 +++--- .github/workflows/scorecards.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index f90d453f..326d9a51 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -39,7 +39,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.1.11 + uses: github/codeql-action/init@489225d82a57396c6f426a40e66d461b16b3461d # v2.1.11 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -50,7 +50,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.1.11 + uses: github/codeql-action/autobuild@489225d82a57396c6f426a40e66d461b16b3461d # v2.1.11 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -64,4 +64,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.1.11 + uses: github/codeql-action/analyze@489225d82a57396c6f426a40e66d461b16b3461d # v2.1.11 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 70217338..1efa35ee 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -39,6 +39,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.1.27 + uses: github/codeql-action/upload-sarif@489225d82a57396c6f426a40e66d461b16b3461d # v2.1.27 with: sarif_file: results.sarif From fc268b13a8e514322ba05e124eb75f88ac3a1b51 Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Wed, 19 Jul 2023 08:17:27 -0700 Subject: [PATCH 4/7] :book: Add package comments. (#1221) * Add package comments. --------- Signed-off-by: Spencer Schrock Signed-off-by: Stephen Augustus Co-authored-by: Stephen Augustus --- entrypoint/entrypoint.go | 1 + github/github.go | 1 + install/cli/cli.go | 1 + install/github/github.go | 1 + install/install.go | 1 + install/options/options.go | 1 + main.go | 1 + 7 files changed, 7 insertions(+) diff --git a/entrypoint/entrypoint.go b/entrypoint/entrypoint.go index df5c6148..8464c2f7 100644 --- a/entrypoint/entrypoint.go +++ b/entrypoint/entrypoint.go @@ -12,6 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. +// Package entrypoint provides functionality to run Scorecard. package entrypoint import ( diff --git a/github/github.go b/github/github.go index 464d020f..28590265 100644 --- a/github/github.go +++ b/github/github.go @@ -12,6 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. +// Package github provides repo information from GitHub. package github import ( diff --git a/install/cli/cli.go b/install/cli/cli.go index 2bc76553..eacee839 100644 --- a/install/cli/cli.go +++ b/install/cli/cli.go @@ -14,6 +14,7 @@ // // SPDX-License-Identifier: Apache-2.0 +// Package cli contains the root CLI command. package cli import ( diff --git a/install/github/github.go b/install/github/github.go index 32cfc987..7fe30347 100644 --- a/install/github/github.go +++ b/install/github/github.go @@ -14,6 +14,7 @@ // // SPDX-License-Identifier: Apache-2.0 +// Package github interacts with GitHub repos and orgs. package github import ( diff --git a/install/install.go b/install/install.go index 93f311eb..712079a4 100644 --- a/install/install.go +++ b/install/install.go @@ -14,6 +14,7 @@ // // SPDX-License-Identifier: Apache-2.0 +// Package install contains functionality to install the OpenSSF Scorecard workflow. package install import ( diff --git a/install/options/options.go b/install/options/options.go index e402e3ce..e728b337 100644 --- a/install/options/options.go +++ b/install/options/options.go @@ -14,6 +14,7 @@ // // SPDX-License-Identifier: Apache-2.0 +// Package options provides installation options for the scorecard action. package options import ( diff --git a/main.go b/main.go index c15219e5..6aac0161 100644 --- a/main.go +++ b/main.go @@ -12,6 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. +// Command scorecard-action is the entrypoint for the Scorecard GitHub Action. package main import ( From e31ee1a2fae3094a574c53d9f28a824668bcd12c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Jul 2023 21:31:34 +0000 Subject: [PATCH 5/7] :seedling: Bump step-security/harden-runner from 2.4.1 to 2.5.0 Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.4.1 to 2.5.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/55d479fb1c5bcad5a4f9099a5d9f37c8857b2845...cba0d00b1fc9a034e1e642ea0f1103c282990604) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index b07aa616..061e61c6 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -31,7 +31,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs From b45bfe698803b7f0a672c4d3e020bfbc89a5e66d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jul 2023 12:49:33 +0000 Subject: [PATCH 6/7] :seedling: Bump github/codeql-action from 2.20.4 to 2.21.0 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.20.4 to 2.21.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/489225d82a57396c6f426a40e66d461b16b3461d...1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql-analysis.yml | 6 +++--- .github/workflows/scorecards.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 326d9a51..87910cfd 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -39,7 +39,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@489225d82a57396c6f426a40e66d461b16b3461d # v2.1.11 + uses: github/codeql-action/init@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.1.11 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -50,7 +50,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@489225d82a57396c6f426a40e66d461b16b3461d # v2.1.11 + uses: github/codeql-action/autobuild@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.1.11 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -64,4 +64,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@489225d82a57396c6f426a40e66d461b16b3461d # v2.1.11 + uses: github/codeql-action/analyze@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.1.11 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 1efa35ee..3bc69db0 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -39,6 +39,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@489225d82a57396c6f426a40e66d461b16b3461d # v2.1.27 + uses: github/codeql-action/upload-sarif@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.1.27 with: sarif_file: results.sarif From 5b80fbcd5192a8e7e6286aa8f8edd261f73c3049 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Aug 2023 10:21:15 -0700 Subject: [PATCH 7/7] :seedling: Bump github/codeql-action from 2.21.0 to 2.21.2 (#1239) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.21.0 to 2.21.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8...0ba4244466797eb048eb91a6cd43d5c03ca8bd05) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 6 +++--- .github/workflows/scorecards.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 87910cfd..b5a121ab 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -39,7 +39,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.1.11 + uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.1.11 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -50,7 +50,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.1.11 + uses: github/codeql-action/autobuild@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.1.11 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -64,4 +64,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.1.11 + uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.1.11 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 3bc69db0..e376eb65 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -39,6 +39,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.1.27 + uses: github/codeql-action/upload-sarif@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.1.27 with: sarif_file: results.sarif