Merge branch 'main' into beginnerchecks

ossf · Nov 29, 2023 · 06ff816 · 06ff816
2 parents cfa1a9a + 0e7e58a
commit 06ff816
Show file tree

Hide file tree

Showing 257 changed files with 6,692 additions and 2,423 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -4,12 +4,8 @@
 # the repo. Unless a later match takes precedence,
 # the following users/teams will be requested for
 # review when someone opens a pull request.
-# TODO(owners): For ease of management, this should eventually shift to a
-#               defined GitHub team instead of individual usernames
-* @azeemshaikh38 @justaugustus @laurentsimon @naveensrinivasan @spencerschrock @raghavkaul
+* @ossf/scorecard-maintainers
 
 # Docs
-# TODO(owners): For ease of management, this should eventually shift to a
-#               defined GitHub team instead of individual usernames
-*.md @olivekl
-/docs/ @olivekl
+*.md @ossf/scorecard-doc-maintainers
+/docs/ @ossf/scorecard-doc-maintainers
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -19,10 +19,19 @@ updates:
 - package-ecosystem: "github-actions"
   directory: "/"
   schedule:
-      interval: "daily"
+      interval: "weekly"
   rebase-strategy: disabled
   commit-message:
       prefix: ":seedling:"
+  groups:
+    github-actions:
+      patterns:
+        - "*"
+      # These actions directly influence the build process and are excluded from grouped updates
+      exclude-patterns:
+        - "actions/setup-go"
+        - "arduino/setup-protoc"
+        - "goreleaser/goreleaser-action"
 - package-ecosystem: docker
   directory: "/"
   schedule:

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -52,7 +52,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 

diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml
@@ -24,4 +24,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034
+        uses: actions/dependency-review-action@7bbfa034e752445ea40215fff1c3bf9597993d3f # v3.1.3
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -40,7 +40,7 @@ jobs:
         fetch-depth: 2 # needed to diff changed files
     - id: files
       name: Get changed files
-      uses: tj-actions/changed-files@95690f9ece77c1740f4a55b7f1de9023ed6b1f87 #v39.2.3
+      uses: tj-actions/changed-files@25ef3926d147cd02fc7e931c1ef50772bbb0d25d #v40.1.1
       with:
         files_ignore: '**.md'
     - id: docs_only_check
@@ -70,7 +70,7 @@ jobs:
     steps:
      - name: Harden Runner
        if: (needs.docs_only_check.outputs.docs_only != 'true')
-       uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Clone the code

diff --git a/.github/workflows/gitlab.yml b/.github/workflows/gitlab.yml
@@ -33,7 +33,7 @@ jobs:
     environment: gitlab
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
       - name: Clone the code

diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
@@ -34,7 +34,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -86,7 +86,7 @@ jobs:
     permissions: read-all
     steps:
       - name: Install the verifier
-        uses: slsa-framework/slsa-verifier/actions/installer@v2.4.0
+        uses: slsa-framework/slsa-verifier/actions/installer@v2.4.1
 
       - name: Download assets
         env:

diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -31,7 +31,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -44,7 +44,7 @@ jobs:
     needs: [approve]
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
       - name: Clone the code

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -19,7 +19,7 @@ jobs:
     name: check-linter
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -37,7 +37,7 @@ jobs:
       contents: read
     steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Clone the code
@@ -95,7 +95,7 @@ jobs:
       contents: read
     steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
+       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -143,7 +143,7 @@ jobs:
       contents: read
     steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Clone the code
@@ -172,7 +172,7 @@ jobs:
       contents: read
     steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
+       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -221,7 +221,7 @@ jobs:
       contents: read
     steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Cache builds
@@ -260,7 +260,7 @@ jobs:
       contents: read
     steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
+       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -303,7 +303,7 @@ jobs:
       contents: read
     steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
+       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Install Protoc
@@ -349,7 +349,7 @@ jobs:
       contents: read
     steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
+       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -384,7 +384,7 @@ jobs:
       contents: read
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 

diff --git a/.github/workflows/publishimage.yml b/.github/workflows/publishimage.yml
@@ -35,7 +35,7 @@ jobs:
       COSIGN_EXPERIMENTAL: "true"
     steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -61,7 +61,7 @@ jobs:
             make install
             make scorecard-ko
      - name: Install Cosign
-       uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19
+       uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8
      - name: Sign image
        run: |
           cosign sign --yes ghcr.io/${{github.repository_owner}}/scorecard/v4:${{ github.sha }}
diff --git a/.github/workflows/scdiff.yml b/.github/workflows/scdiff.yml
@@ -0,0 +1,110 @@
+name: scdiff PR evaluation
+on:
+  issue_comment:
+    types: [created]
+
+permissions: read-all
+
+env:
+  GO_VERSION: 1.21
+
+jobs:
+  share-link:
+    if: ${{ (github.event.issue.pull_request) && (contains(github.event.comment.body, '/scdiff generate')) }}
+    runs-on: [ubuntu-latest]
+    permissions:
+      pull-requests: write # to create the PR comment
+    steps:
+      - name: share link to workflow run
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `[Here's a link to the scdiff run](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})`
+            })
+
+  golden-test:
+    if: ${{ (github.event.issue.pull_request) && (contains(github.event.comment.body, '/scdiff generate')) }}
+    runs-on: [ubuntu-latest]
+    steps:
+      - name: create file of repos to anlayze
+        run: |
+          cat <<EOF > $HOME/repos.txt
+          https://github.com/airbnb/lottie-web
+          https://github.com/apache/tomcat
+          https://github.com/Azure/azure-functions-dotnet-worker
+          https://github.com/cncf/xds
+          https://github.com/google/go-cmp
+          https://github.com/google/highwayhash
+          https://github.com/googleapis/google-api-php-client
+          https://github.com/jacoco/jacoco
+          https://github.com/ossf/scorecard
+          https://github.com/pallets/jinja
+          https://github.com/polymer/polymer
+          https://github.com/rust-random/getrandom
+          https://github.com/yaml/libyaml
+          https://gitlab.com/baserow/baserow
+          https://gitlab.com/cryptsetup/cryptsetup
+          EOF
+      - name: configure scdiff
+        id: config
+        env:
+          COMMENT_BODY: ${{ github.event.comment.body }}
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const allowedAssociations = ["COLLABORATOR", "CONTRIBUTOR", "MEMBER", "OWNER"];
+            authorAssociation = '${{ github.event.comment.author_association }}'
+            if (!allowedAssociations.includes(authorAssociation)) {
+              core.setFailed("You don't have access to run scdiff");
+            }
+
+            const response = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number,
+            })
+            core.setOutput('base', response.data.base.sha)
+            core.setOutput('head', response.data.head.sha)
+
+            checks = '""'
+            const commentBody = process.env.COMMENT_BODY
+            const regex = /\/scdiff generate ([^ ]+)/;
+            const found = commentBody.match(regex);
+            if (found && found.length == 2) {
+              checks = found[1]
+            }
+            core.exportVariable('SCORECARD_CHECKS', checks)
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ steps.config.outputs.base }}
+      - name: Setup Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+      - name: generate before results
+        env:
+          GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}
+          GITLAB_AUTH_TOKEN: ${{ secrets.GITLAB_TOKEN }}
+        run: |
+          go run cmd/internal/scdiff/main.go generate \
+            --repos $HOME/repos.txt \
+            --checks $SCORECARD_CHECKS > $HOME/before.json
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ steps.config.outputs.head }}
+      - name: generate after results
+        env:
+          GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}
+          GITLAB_AUTH_TOKEN: ${{ secrets.GITLAB_TOKEN }}
+        run: |
+          go run cmd/internal/scdiff/main.go generate \
+            --repos $HOME/repos.txt \
+            --checks $SCORECARD_CHECKS > $HOME/after.json
+      - name: compare results
+        run: |
+          go run cmd/internal/scdiff/main.go compare $HOME/before.json $HOME/after.json
diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
@@ -25,7 +25,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif

diff --git a/.github/workflows/slsa-goreleaser.yml b/.github/workflows/slsa-goreleaser.yml
@@ -44,7 +44,7 @@ jobs:
     permissions: read-all
     steps:
       - name: Install the verifier
-        uses: slsa-framework/slsa-verifier/actions/installer@v2.4.0
+        uses: slsa-framework/slsa-verifier/actions/installer@v2.4.1
 
       - name: Download the artifact
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -27,18 +27,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
     - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v3.0.18
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue is stale because it has been open for 60 days with no activity.'
-        stale-pr-message: 'Stale pull request message'
-        stale-issue-label: 'no-issue-activity'
+        stale-pr-message: 'This pull request is stale because it has been open for 10 days with no activity'
         exempt-issue-labels: 'priority,bug,good first issue'
-        stale-pr-label: 'no-pr-activity'
+        exempt-issue-milestones: 'Structured results'
         exempt-pr-labels: 'awaiting-approval,work-in-progress'
         days-before-pr-stale: '10'
         days-before-pr-close: '20'

diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -26,12 +26,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
     - name: Verifier action
       id: verifier
-      uses: kubernetes-sigs/kubebuilder-release-tools@d8367c29de8af903319d3a76de2436672515729b # v0.4.0
+      uses: kubernetes-sigs/kubebuilder-release-tools@3c3411345eedc489d1022288aa844691e92a9c29 # v0.4.2
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}