Merge branch 'main' into bug/invalid-scores

.github/workflows/depsreview.yml

@@ -24,4 +24,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@01bc87099ba56df1e897b6874784491ea6309bc4 # v3.1.4
+        uses: actions/dependency-review-action@c74b580d73376b7750d3d2a50bfb8adc2c937507 # v3.1.5

.github/workflows/docker.yml

@@ -40,7 +40,7 @@ jobs:
         fetch-depth: 2 # needed to diff changed files
     - id: files
       name: Get changed files
-      uses: tj-actions/changed-files@716b1e13042866565e00e85fd4ec490e186c4a2f #v41.0.1
+      uses: tj-actions/changed-files@62f4729b5df35e6e0e01265fa70a82ccaf196b4b #v41.1.1
       with:
         files_ignore: '**.md'
     - id: docs_only_check

.github/workflows/gitlab.yml

@@ -52,7 +52,7 @@ jobs:
           echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
       - name: Cache builds
         # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c #v3.3.3
         with:
           path: |
             ${{ steps.go-cache-paths.outputs.go-build }}

.github/workflows/integration.yml

@@ -63,7 +63,7 @@ jobs:
           echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
       - name: Cache builds
         # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c #v3.3.3
         with:
           path: |
             ${{ steps.go-cache-paths.outputs.go-build }}

.github/workflows/main.yml

@@ -54,7 +54,7 @@ jobs:
         echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+       uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c #v3.3.3
        with:
          path: |
           ${{ steps.go-cache-paths.outputs.go-build }}
@@ -106,7 +106,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+       uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
        with:
          path: |
            ~/go/pkg/mod
@@ -226,7 +226,7 @@ jobs:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+       uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
        with:
          path: |
            ~/go/pkg/mod
@@ -266,7 +266,7 @@ jobs:
 
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+       uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
        with:
          path: |
            ~/go/pkg/mod
@@ -313,7 +313,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+       uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
        with:
          path: |
            ~/go/pkg/mod

.github/workflows/scorecard-analysis.yml

@@ -40,7 +40,7 @@ jobs:
       # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
       # Optional.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v3
+        uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v3
         with:
           name: SARIF file
           path: results.sarif

.github/workflows/slsa-goreleaser.yml

@@ -47,12 +47,12 @@ jobs:
         uses: slsa-framework/slsa-verifier/actions/installer@v2.4.1
 
       - name: Download the artifact
-        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0
+        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
         with:
           name: "${{ needs.build.outputs.go-binary-name }}.intoto.jsonl"
 
       - name: Download the artifact
-        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0
+        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
         with:
           name: ${{ needs.build.outputs.go-binary-name }}
 

README.md

@@ -517,7 +517,7 @@ For a guide to the checks you should use when getting started, see the [beginner
 
 [Two-factor Authentication (2FA)](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/about-two-factor-authentication) adds an extra layer of security when logging into websites or apps. 2FA protects your account if your password is compromised by requiring a second form of authentication, such as codes sent via SMS or authentication app, or touching a physical security key.
 
-We strongly recommend that you enable 2FA on GitHub and any important account where it is available. 2FA is not a Scorecard check because GitHub does not make that data about user accounts public. Arguably, this data should always remain private, since accounts without 2FA are so vulnerable to attack.
+We strongly recommend that you enable 2FA on any important accounts where it is available. 2FA is not a Scorecard check because GitHub and GitLab do not make that data about user accounts public. Arguably, this data should always remain private, since accounts without 2FA are so vulnerable to attack.
 
 Though it is not an official check, we urge all project maintainers to enable 2FA to protect their projects from compromise.
 

checks/all_checks_test.go

@@ -23,15 +23,13 @@ import (
 
 func Test_registerCheck(t *testing.T) {
 	t.Parallel()
-	//nolint:govet
 	type args struct {
-		name string
 		fn   checker.CheckFn
+		name string
 	}
-	//nolint:govet
 	tests := []struct {
-		name    string
 		args    args
+		name    string
 		wanterr bool
 	}{
 		{

checks/branch_protection_test.go

@@ -64,15 +64,14 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 
 	var oneVal int32 = 1
 
-	//nolint:govet
 	tests := []struct {
 		name          string
-		expected      scut.TestReturn
-		branches      []*clients.BranchRef
 		defaultBranch string
+		branches      []*clients.BranchRef
 		releases      []string
-		nonadmin      bool
 		repoFiles     []string
+		expected      scut.TestReturn
+		nonadmin      bool
 	}{
 		{
 			name: "Nil release and main branch names",

checks/dependency_update_tool_test.go

@@ -32,15 +32,14 @@ const (
 // TestDependencyUpdateTool tests the DependencyUpdateTool checker.
 func TestDependencyUpdateTool(t *testing.T) {
 	t.Parallel()
-	//nolint:govet
 	tests := []struct {
 		name              string
-		wantErr           bool
+		want              checker.CheckResult
 		SearchCommits     []clients.Commit
-		CallSearchCommits int
 		files             []string
-		want              checker.CheckResult
 		expected          scut.TestReturn
+		CallSearchCommits int
+		wantErr           bool
 	}{
 		{
 			name:    "dependency yml",