🌱 Update Scorecard API usage #336
Left some style comments and questions.
@ossf/scorecard-maintainers -- As an overarching goal, but also using this PR as context, we need to work on pull request hygiene/telling a story for future passersby (which may include us).
Here's a quick list of questions/comments that I have:
Part of #133. Will update `golang-staging` branch to use the public image `scorecard-action`
- How is the `golang-staging` branch used?
- Is this well-documented?
- How does this relate to Feature: Scorecard badges #133 (enabling Scorecard badges through the scorecard GitHub Action)?
- The PR title and commit message say "Update Scorecard API usage", but they do not explain what is being changed or how it's being changed. https://github.com/kubernetes/sig-release/blob/master/CONTRIBUTING.md#contributing-code contains some pretty good guidance here.
- The additional infra changes, like the Dockerfile and cloudbuild.yaml, should be a separate commit, again explaining why they need to be added.
- Is there a reason we prefer gcr.io instead of GH container registry?
- I'm not sure I agree with adding yet another Dockerfile (this was part of the reason for the direction in image: Build the `scorecard` command from this repo's wrapper instead of copying #316 and ✨ [WIP] Migrate Golang-based entrypoint for GitHub Actions scorecard#1962)
Codecov Report
@@ Coverage Diff @@
## main #336 +/- ##
==========================================
- Coverage 64.28% 63.88% -0.40%
==========================================
Files 4 4
Lines 210 216 +6
==========================================
+ Hits 135 138 +3
- Misses 67 69 +2
- Partials 8 9 +1
There is some documentation here about how
I made some updates to the
I will make another attempt at the PR description once we have reached an agreement on the overall changes.
Below answers should probably cover why these were added.
No strong reason except for personal familiarity with Google Cloud infra and that Scorecard image itself resides in GCP. Ok to use anything else.
The extra Dockerfile is only temporary (until we release the Golang code and delete any bash related code). Even today, we maintain 2 separate Dockerfiles (the second one lives in
* 🌱 Bump github.com/ossf/scorecard/v4 from 4.2.0 to 4.3.0 (#313)
  * 🌱 Bump github.com/ossf/scorecard/v4 from 4.2.0 to 4.3.0
    Bumps [github.com/ossf/scorecard/v4](https://github.com/ossf/scorecard) from 4.2.0 to 4.3.0.
    - [Release notes](https://github.com/ossf/scorecard/releases)
    - [Changelog](https://github.com/ossf/scorecard/blob/main/.goreleaser.yml)
    - [Commits](ossf/scorecard@v4.2.0...v4.3.0)
    ---
    updated-dependencies:
    - dependency-name: github.com/ossf/scorecard/v4
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    Signed-off-by: dependabot[bot] <support@github.com>
  * options: Restore logic for publishing results
    Signed-off-by: Stephen Augustus <foo@auggie.dev>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Stephen Augustus <foo@auggie.dev>
* 🌱 Bump github/codeql-action from 2.1.10 to 2.1.11 (#311)
  * 🌱 Bump github/codeql-action from 2.1.10 to 2.1.11
    Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.10 to 2.1.11.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](github/codeql-action@2f58583...a3a6c12)
    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    Signed-off-by: dependabot[bot] <support@github.com>
  * Fix version comments
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com>
* 📖 docs/e2e: Add information about golang-staging branch tests (#170)
  Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
  Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com>
* 🌱 .github: Add dependency review action (#165)
  Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Update README.md (#319)
* 🌱 Bump github.com/caarlos0/env/v6 from 6.9.2 to 6.9.3
  Bumps [github.com/caarlos0/env/v6](https://github.com/caarlos0/env) from 6.9.2 to 6.9.3.
  - [Release notes](https://github.com/caarlos0/env/releases)
  - [Changelog](https://github.com/caarlos0/env/blob/main/.goreleaser.yml)
  - [Commits](caarlos0/env@v6.9.2...v6.9.3)
  ---
  updated-dependencies:
  - dependency-name: github.com/caarlos0/env/v6
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* 🌱 Bump debian from `fbaacd5` to `06a93cb`
  Bumps debian from `fbaacd5` to `06a93cb`.
  ---
  updated-dependencies:
  - dependency-name: debian
    dependency-type: direct:production
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* 🌱 Bump actions/setup-go from 3.1.0 to 3.2.0
  Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.1.0 to 3.2.0.
  - [Release notes](https://github.com/actions/setup-go/releases)
  - [Commits](actions/setup-go@fcdc436...b22fbbc)
  ---
  updated-dependencies:
  - dependency-name: actions/setup-go
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* ✨ Bump container hash to use scorecard v4.3.1 (#324)
  * Update Dockerfile
  * Update Dockerfile
* Update README.md (#325)
* Update Scorecard API usage
* Add documentation for e2e tests

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stephen Augustus <foo@auggie.dev>
Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeems@google.com>
Thanks @azeemshaikh38!
I may have more follow-up questions, but let's get the CI checks unblocked first and foremost.
Recent changes to the `scorecard-webapp` API update how Scorecard Action should integrate with the API. This PR makes the necessary updates.

Along with these changes, it updates how the Golang Scorecard Action will be built and tested:
- `Dockerfile.golang` and `cloudbuild.yaml`, to update how the Golang Action is built.
- `e2e` tests.

Part of #133. The `golang-staging` branch will be deleted and need not be maintained after the necessary changes to e2e tests are deployed.