
📖 Clarifications about the pinned dependencies check #2319

Merged

Conversation

katzj
Contributor

@katzj katzj commented Sep 30, 2022

The pinned dependencies check is confusing to authors of libraries, who shouldn't be pinning the dependencies of the library. But it is still valuable for flagging things which are used as part of the build and release process for a library.

Signed-off-by: Jeremy Katz jeremy@tidelift.com

What kind of change does this PR introduce?

Docs update

What is the current behavior?

Currently, library maintainers are confused, thinking that this check wants them to pin their dependencies, but that is not the real intent. This tries to make the documentation a little clearer.

Which issue(s) this PR fixes

NONE

Special notes for your reviewer

Does this PR introduce a user-facing change?

NONE
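The distinction the description draws is between a library's own declared dependencies (which its consumers resolve) and the inputs to its build and release pipeline (CI actions, base images), which the library maintainer controls and can pin to immutable identifiers. The following is an added illustration of that distinction; it is not Scorecard's code, and its matching rules are deliberately simplified (Scorecard's real check also covers things like package-manager installs inside scripts). The workflow, Dockerfile, go.mod, commit SHA and image digest are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one build-or-release input that is not pinned to an immutable
// identifier (a full commit SHA for an action, a digest for a base image).
type Finding struct {
	File string
	Line int
	Text string
}

// Simplified matchers for this illustration; they are not Scorecard's own rules.
var (
	actionUses = regexp.MustCompile(`^\s*-?\s*uses:\s*([^\s#]+)`)
	fullSHA    = regexp.MustCompile(`^[0-9a-f]{40}$`)
	dockerFrom = regexp.MustCompile(`(?i)^\s*FROM\s+(\S+)(?:\s+AS\s+(\S+))?`)
)

// isPinnedAction: a `uses:` target is pinned only when its ref is a full commit
// SHA. Tags and branches (`@v3`, `@main`) can be moved by the action's owner.
// Local actions (./path) live in the repository itself, so there is nothing to pin.
func isPinnedAction(ref string) bool {
	ref = strings.Trim(ref, `"'`)
	if strings.HasPrefix(ref, "./") {
		return true
	}
	at := strings.LastIndex(ref, "@")
	if at < 0 {
		return false // no ref at all: floats with the default branch
	}
	return fullSHA.MatchString(ref[at+1:])
}

// isPinnedImage: a FROM image is pinned only by digest; a tag such as `:3.16`
// is mutable. `scratch` is not a registry image and has nothing to pin.
func isPinnedImage(image string) bool {
	return image == "scratch" || strings.Contains(image, "@sha256:")
}

// ScanFile applies the rule that matches the file's role. Files that declare a
// library's own dependencies (go.mod, package.json, setup.py, ...) match no case
// and yield no findings: as the PR says, pinning those is not the intent.
func ScanFile(name, content string) []Finding {
	var out []Finding
	lines := strings.Split(content, "\n")
	base := name[strings.LastIndex(name, "/")+1:]
	switch {
	case strings.Contains(name, ".github/workflows/") &&
		(strings.HasSuffix(base, ".yml") || strings.HasSuffix(base, ".yaml")):
		for i, l := range lines {
			if m := actionUses.FindStringSubmatch(l); m != nil && !isPinnedAction(m[1]) {
				out = append(out, Finding{name, i + 1, strings.TrimSpace(l)})
			}
		}
	case strings.HasPrefix(base, "Dockerfile"):
		stages := map[string]bool{} // aliases declared by earlier `FROM x AS name`
		for i, l := range lines {
			m := dockerFrom.FindStringSubmatch(l)
			if m == nil {
				continue
			}
			image, alias := m[1], strings.ToLower(m[2])
			if alias != "" {
				stages[alias] = true
			}
			if stages[strings.ToLower(image)] || isPinnedImage(image) {
				continue // refers to an earlier build stage, or already pinned
			}
			out = append(out, Finding{name, i + 1, strings.TrimSpace(l)})
		}
	}
	return out
}

// Constructed sample inputs; the SHA and digest are made up, not real ones.
var (
	SampleWorkflow = strings.Join([]string{
		"name: release", "on: [push]", "jobs:", "  build:",
		"    runs-on: ubuntu-22.04", "    steps:",
		"      - uses: actions/checkout@v3", // line 7: mutable tag
		"      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567",
		"      - uses: ./.github/actions/local-step",
		"      - run: make release",
	}, "\n")
	SampleDockerfile = strings.Join([]string{
		"FROM golang:1.19 AS builder", // line 1: mutable tag
		"WORKDIR /src", "COPY . .", "RUN go build -o /out/app ./cmd/app",
		"FROM builder AS test", // earlier stage, not a registry pull
		"FROM alpine:3.16",     // line 6: mutable tag
		"FROM alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS final",
		"COPY --from=builder /out/app /app",
	}, "\n")
	SampleGoMod = "module example.com/lib\n\ngo 1.19\n\nrequire golang.org/x/text v0.3.8\n"
)

func main() {
	for _, f := range []struct{ name, body string }{
		{".github/workflows/release.yml", SampleWorkflow},
		{"Dockerfile", SampleDockerfile},
		{"go.mod", SampleGoMod}, // library manifest: deliberately no findings
	} {
		for _, x := range ScanFile(f.name, f.body) {
			fmt.Printf("%s:%d: not pinned: %s\n", x.File, x.Line, x.Text)
		}
	}
}
```

Running it reports the `actions/checkout@v3` step and the two tag-only `FROM` lines, and nothing for go.mod. The point for a library maintainer is that the fix lives in the workflow and Dockerfile (replace the tag with the commit SHA or image digest), not in the version ranges the library publishes for its consumers.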

@katzj katzj requested a review from olivekl as a code owner September 30, 2022 20:04
@katzj katzj temporarily deployed to integration-test September 30, 2022 20:04 Inactive
codecov bot commented Sep 30, 2022

Codecov Report

Merging #2319 (0ffb19a) into main (9b9006e) will not change coverage.
The diff coverage is n/a.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2319   +/-   ##
=======================================
  Coverage   40.55%   40.55%           
=======================================
  Files         112      112           
  Lines        8822     8822           
=======================================
  Hits         3578     3578           
  Misses       4984     4984           
  Partials      260      260           

@github-actions

Integration tests success for 0e3393c (https://github.com/ossf/scorecard/actions/runs/3161363233)

Contributor

@azeemshaikh38 azeemshaikh38 left a comment

Generate the checks.md file using make generate-docs

@katzj katzj force-pushed the pinned-deps-about-build-release-process branch from 9e16d59 to 24fa891 Compare October 3, 2022 14:46
@katzj katzj temporarily deployed to integration-test October 3, 2022 14:47 Inactive
@katzj
Contributor Author

katzj commented Oct 3, 2022

> Generate the checks.md file using make generate-docs

Done (note I had to explicitly remove the file and then run the command... it didn't notice the change; makefile rule looks right to me though 🤷‍♂️ )

@github-actions

github-actions bot commented Oct 3, 2022

Integration tests success for 9e16d59 (https://github.com/ossf/scorecard/actions/runs/3175094141)

@github-actions

github-actions bot commented Oct 3, 2022

Integration tests success for 24fa891 (https://github.com/ossf/scorecard/actions/runs/3175095210)

The pinned dependencies check is confusing to authors of libraries,
who shouldn't be pinning the dependencies of the library. But it is
still valuable for flagging things which are used as part of
the build and release process for a library.

Signed-off-by: Jeremy Katz <jeremy@tidelift.com>
Signed-off-by: Jeremy Katz <jeremy@tidelift.com>
@katzj katzj force-pushed the pinned-deps-about-build-release-process branch from 24fa891 to 0ffb19a Compare October 11, 2022 19:44
@katzj katzj temporarily deployed to integration-test October 11, 2022 19:44 Inactive
@github-actions

Integration tests success for 0ffb19a (https://github.com/ossf/scorecard/actions/runs/3229760864)

@azeemshaikh38 azeemshaikh38 enabled auto-merge (squash) October 12, 2022 00:53
@azeemshaikh38 azeemshaikh38 merged commit 3eab4dd into ossf:main Oct 12, 2022
latortuga71 pushed a commit to latortuga71/scorecard that referenced this pull request Oct 27, 2022
* Clarifications about the pinned dependencies check

The pinned dependencies check is confusing to authors of libraries,
who shouldn't be pinning the dependencies of the library. But it is
still valuable for flagging things which are used as part of
the build and release process for a library.

Signed-off-by: Jeremy Katz <jeremy@tidelift.com>

* Regenerate docs/checks.md

Signed-off-by: Jeremy Katz <jeremy@tidelift.com>

Signed-off-by: Jeremy Katz <jeremy@tidelift.com>
Signed-off-by: latortuga <latortugaaaa>
N8BWert pushed a commit to N8BWert/scorecard that referenced this pull request Nov 28, 2022
raghavkaul pushed a commit to raghavkaul/scorecard that referenced this pull request Feb 9, 2023