Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 #2448

Merged
merged 2 commits into from
Nov 12, 2022
Merged

🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 #2448

merged 2 commits into from
Nov 12, 2022

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Nov 10, 2022
edited
Loading

Bumps golang.org/x/tools from 0.2.0 to 0.3.0.

Release notes

Sourced from golang.org/x/tools's releases.

gopls/v0.3.0

Note: gopls now loads your entire workspace, where “workspace” is directory you opened in your editor.

In module mode, you must open your module root (directory containing the go.mod file) or a subdirectory.

In GOPATH mode, you must open your GOPATH/src or a directory within it. If you have a large GOPATH and you open your GOPATH as your workspace root, gopls may be very slow to load. Please see #36899 for further information.

  • Autocompletion from unimported packages is on by default. You will get completions for something like fmt.Printf even if “fmt” isn’t imported yet. (@​heschik)
  • Workspace-scoped references, rename, and go to implementation. These features use your workspace root as the search scope, so behavior will vary based on the directory you open in your editor. This may result in unexpected behavior. (@​muirdm, @​matloob)
  • Workspace-wide diagnostics. You will now see errors in your entire workspace, rather than just in your currently open files. Analysis errors will only be shown for packages with currently open files.
  • Watch file changes on disk. This allows users to switch branches without reloading their editors. Also, changing configurations no longer requires an editor reload.
  • GOPATH vendoring is fully supported. Previously, some features would ignore vendor directories, causing errors if packages weren't in GOPATH. (@​heschik)
  • New autocompletion suggestions for type conversions. Improved completions for literal candidates and variadic functions. Better rankings, including rankings for builtin functions and keywords. (@​muirdm)
  • Highlighting improvements: Highlighting now applies not only to variables, but also to fields, methods, types, and imports. Additional highlighting helps visualize control flow in loops and functions. Highlighting of single character variables has better support. (@​ridersofrohan)
  • Documentation on hover includes links to pkg.go.dev for exported symbols. (@​Southclaws)
  • Improved support for cgo dependencies. All features now work for packages that have cgo dependencies. Authoring cgo packages is still not supported, but improvements are scheduled for Go 1.15 (see #35721). (@​heschik)
  • Deep completions are now on by default. This feature of completion will search the fields and methods of all available candidates to see if there are any more candidates with the expected type. As an example, say you have imported the context package and are calling a function that takes a context.Context as a parameter. In the case that you don’t have a variable of that type in scope, deep completions will suggest context.Background() and context.TODO(). (@​muirdm)

Opt-in:

  • staticcheck analyses remain opt-in and can be enabled by setting "staticcheck": true in your gopls settings.
  • Go 1.14 will support running the go command without modifying the user’s go.mod file. This new feature is used in gopls to show diagnostics and suggest edits in a user’s go.mod file rather than change the file without the user noticing. Currently, gopls will suggest removing unused dependencies and warn the user if there is a parse error in the go.mod file. Enable this behavior by using the go1.14 beta and setting "tempModfile": true in your gopls settings. (@​ridersofrohan)

gopls/v0.2.2

  • Fix concurrent map read and write when a file is created (CL 210199).
  • Fix issue that caused errors to show up when a new file was created (CL 209978).

gopls/v0.2.1

  • Fix for parse errors showing up as errors on the whole package (CL 206597).
Commits
  • 502c634 go.mod: update golang.org/x dependencies
  • bd04e32 internal/jsonrpc2_v2: eliminate a potential Accept/Dial race in TestIdleTimeout
  • d41a43b internal/jsonrpc2_v2: fix a potential deadlock when (*Conn).Close is invoked ...
  • 3057465 gopls/doc: Add plugin for Lapce to gopls documentation
  • ba92ae1 internal/persistent: avoid incorrect map validation due to multiple keys
  • 9474ca3 gopls/doc: clarify go work use
  • 003fde1 internal/gcimporter: use nondeprecated go/packages mode bits
  • 5050657 gopls/fake: add semantic token modifiers to fake editor
  • 88a3548 gopls/coverage: repair coverage.go
  • 8e0240a internal/regtest/workspace: permanently skip TestDeleteModule_Interdependent
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot will merge this PR once it's up-to-date and CI passes on it, as requested by @naveensrinivasan.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Nov 10, 2022
@codecov
Copy link

codecov bot commented Nov 10, 2022
edited
Loading

Codecov Report

Merging #2448 (341c623) into main (aa93762) will decrease coverage by 0.42%.
The diff coverage is n/a.

❗ Current head 341c623 differs from pull request most recent head fa56a09. Consider uploading reports for the commit fa56a09 to get more accurate results

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2448      +/-   ##
==========================================
- Coverage   40.96%   40.53%   -0.43%     
==========================================
  Files         113      113              
  Lines        9271     9154     -117     
==========================================
- Hits         3798     3711      -87     
+ Misses       5197     5167      -30     
  Partials      276      276

@spencerschrock spencerschrock temporarily deployed to integration-test November 10, 2022 19:06 Inactive
@github-actions
Copy link

Integration tests success for
[341c623]
(https://github.com/ossf/scorecard/actions/runs/3439664981)

@naveensrinivasan
Copy link
Member

@dependabot rebase

@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Nov 12, 2022

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@naveensrinivasan
Copy link
Member

@dependabot merge

dependabot bot and others added 2 commits November 12, 2022 08:09
@dependabot @naveensrinivasan
🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0
279ae4a 
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.2.0...v0.3.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@spencerschrock @naveensrinivasan
bump attestor modules
fa56a09 
Signed-off-by: Spencer Schrock <sschrock@google.com>
@naveensrinivasan naveensrinivasan force-pushed the dependabot/go_modules/golang.org/x/tools-0.3.0 branch from 341c623 to fa56a09 Compare November 12, 2022 14:09
@naveensrinivasan naveensrinivasan temporarily deployed to integration-test November 12, 2022 14:09 Inactive
@naveensrinivasan naveensrinivasan enabled auto-merge (squash) November 12, 2022 14:16
@naveensrinivasan naveensrinivasan merged commit 52640d5 into main Nov 12, 2022
@naveensrinivasan naveensrinivasan deleted the dependabot/go_modules/golang.org/x/tools-0.3.0 branch November 12, 2022 14:23
@github-actions
Copy link

Integration tests success for
[fa56a09]
(https://github.com/ossf/scorecard/actions/runs/3451253621)

latortuga71 pushed a commit to latortuga71/scorecard that referenced this pull request Nov 18, 2022
@dependabot @spencerschrock @latortuga71
🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (ossf#2448)
f26154e 
* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.2.0...v0.3.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* bump attestor modules

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
azeemshaikh38 pushed a commit that referenced this pull request Nov 22, 2022
@latortuga71 @dependabot
@raghavkaul @spencerschrock @shissam @scovetta @favonia @calebbrown
✨ Commit depth feature (#2407)
f9f910d 
* 🌱 Bump actions/dependency-review-action from 2.4.1 to 2.5.1

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@9c96258...0efb1d1)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* commit_depth feature

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* added more descriptive comments, changed numberofcommits variable name, moved paging for commits into seperate function.

small changes

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

linter

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* added unit tests

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

added test in e2e

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#2397)

Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.6.0...v1.6.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.1.6...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0

Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.25.1 to 1.26.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@pubsub/v1.25.1...pubsub/v1.26.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.73.1 to 0.74.0.
- [Release notes](https://github.com/xanzy/go-gitlab/releases)
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.73.1...v0.74.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (#2409)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.20.2...v1.23.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.1.6...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/golangci/golangci-lint in /tools

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](golangci/golangci-lint@v1.50.0...v1.50.1)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (#2363)

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.2.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@b953231...b508e2e)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/goreleaser/goreleaser in /tools (#2373)

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* ✨ CLI for scorecard-attestor (#2309)

* Reorganize

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Working commit

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add tests for root command

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Fix GH actions run

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* fix workflow (#2417)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Bump scorecard-action (#2416)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Fail unit-test job if codecov upload fails (#2415)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Enable comparison for alternative isText implementation (#2414)

* use more performant IsText

Signed-off-by: Spencer Schrock <sschrock@google.com>

* AB test isText implementations

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add comparison env var to release test.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* go mod tidy for attestor

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🐛 modify alternative isText to accept carriage returns (#2421)

* modify IsText from golang.org/x/tools/godoc/util to accept carriage returns.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add TODO reminder to cleanup after release tests

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/gomega from 1.23.0 to 1.24.0

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.23.0...v1.24.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github/codeql-action from 2.1.29 to 2.1.30

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@ec3cf9c...18fe527)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* revert failing unit-test on ci error (#2422)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* ✨ Improved Security Policy Check (#2195)

* ✨ Improved Security Policy Check (#2137)

* Examines and awards points for linked content (URLs / Emails)

* Examines and awards points for hints of disclosure and vulnerability practices

* Examines and awards points for hints of elaboration of timelines

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Repaired Security Policy to correctly use linked content length for evaluation

Signed-off-by: Scott Hissam <shissam@gmail.com>

* gofmt'ed changes

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails

Signed-off-by: Scott Hissam <shissam@gmail.com>

* added unit test cases for the new content-based Security Policy checks

Signed-off-by: Scott Hissam <shissam@gmail.com>

* reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs

Signed-off-by: Scott Hissam <shissam@gmail.com>

* ✨ Improved Security Policy Check (#2137) (revisted based on comments)

* replaced reason strings with log.Info & log.Warn (as seen in --show-details)

* internal assertion check for nil (*pinfo) and empty pfile

* internal switched to FileTypeText over FileTypeSource

* internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file

* revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type

Signed-off-by: Scott Hissam <shissam@gmail.com>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly

Signed-off-by: Scott Hissam <shissam@gmail.com>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly

Signed-off-by: Scott Hissam <shissam@gmail.com>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Resolved merge conflict with checks.yaml

Signed-off-by: Scott Hissam <shissam@gmail.com>

* updated raw results to emit all the raw information for the new security policy check

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Resolved merge conflicts and lint errors with json_raw_results.go

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files.

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files are found in the repo

Signed-off-by: Scott Hissam <shissam@gmail.com>

* added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment

Signed-off-by: Scott Hissam <shissam@gmail.com>

* restored reporting full security policy path and filename for policies found in the org level repos

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Resolved conflicts in checks.yaml for documentation

Signed-off-by: Scott Hissam <shissam@gmail.com>

* ✨ CLI for scorecard-attestor (#2309)

* Reorganize

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Working commit

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add tests for root command

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Fix GH actions run

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>

* removed whitespace before stanza for Run attestor e2e

Signed-off-by: Scott Hissam <shissam@gmail.com>

* resolved code review and doc review comments

Signed-off-by: Scott Hissam <shissam@gmail.com>

* repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines

Signed-off-by: Scott Hissam <shissam@gmail.com>

Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github/codeql-action from 2.1.30 to 2.1.31 (#2431)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@18fe527...c3b6fce)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* enable more performant isText (#2433)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* modified tests,InitRepo Function, Added GetCommitDepth Function to Client Interface

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* removed getcommitdepth function

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* added TODO

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (#2436)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Code Review: treat merging a PR as code review (#2413)

* Merges on Github count as a code review by the maintainer

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Update Raw Results

* More detailed information for Changesets
* If there's no Revision ID, use the Commit SHA instead

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Check that pull request had atleast one reviewer that wasn't its author

* Add field for Pull Request Merged-By to Github and Gitlab
* Note, this check can be bypassed if an author opens a PR with other
  people's commits

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Trivial: Fix typo (exepted -> expected) (#2440)

Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>

Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump step-security/harden-runner from 1.5.0 to 2.0.0 (#2443)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@2e205a2...ebacdc2)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 cron: support reading prefix from file for controller input files (7/n) (#2445)

* add prefix marker file to config

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Read the new config values, if they exist.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add function to fetch prefix file config value.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Read prefix file if prefix not set.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add tests to verify how List works with various prefixes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add tests for getPrefix

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Remove panics from iterator helper functions

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Detect SECURITY.markdown in addition to SECURITY.md (#2447)

GitHub probably supports many more file extensions for Markdown
files, but at the very least, `.md` and `.markdown` have been
standardized in RFC 7763.

Signed-off-by: favonia <favonia@gmail.com>

Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (#2430)

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 cron: expose the stackdriver prefix as a config variable so it can be changed. (#2446)

* Expose the stackdriver prefix as a config variable so it can be changed.

Signed-off-by: Caleb Brown <calebbrown@google.com>

* fix linter warning

Signed-off-by: Caleb Brown <calebbrown@google.com>

Signed-off-by: Caleb Brown <calebbrown@google.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Only write to the rawBucket if the value exists. (#2451)

Signed-off-by: Caleb Brown <calebbrown@google.com>

Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (#2448)

* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.2.0...v0.3.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* bump attestor modules

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Move cron monitoring to a non-internal location. (#2453)

This allows external workers (e.g. criticality_score) to use the same
monitoring code.

Signed-off-by: Caleb Brown <calebbrown@google.com>

Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#2455)

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@0efb1d1...30d5821)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (#2454)

* Generalize the transfer logic so it is easy to build new transfer agents

This change moves code that reads shards and produces summaries into the
data package so that it can be reused to create new transfer agents,
similar to the BigQuery transfer agent in cron/internal/bq.

Signed-off-by: Caleb Brown <calebbrown@google.com>

* Lint fix and commentary.

Signed-off-by: Caleb Brown <calebbrown@google.com>

Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/google/addlicense in /tools (#2459)

Bumps [github.com/google/addlicense](https://github.com/google/addlicense) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/google/addlicense/releases)
- [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml)
- [Commits](google/addlicense@v1.0.0...v1.1.0)

---
updated-dependencies:
- dependency-name: github.com/google/addlicense
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/google/go-containerregistry

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.0 to 0.12.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.12.0...v0.12.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* go mod tidy

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Added <= instead of == incase negative int is passed

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* missed test fix

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Latortuga <42878263+latortuga71@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: scott hissam <shissam@users.noreply.github.com>
Co-authored-by: Michael Scovetta <michael.scovetta@microsoft.com>
Co-authored-by: favonia <favonia@gmail.com>
Co-authored-by: Caleb Brown <calebbrown@google.com>
N8BWert pushed a commit to N8BWert/scorecard that referenced this pull request Nov 28, 2022
@dependabot @spencerschrock
🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (ossf#2448)
38f7625 
* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.2.0...v0.3.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* bump attestor modules

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
N8BWert pushed a commit to N8BWert/scorecard that referenced this pull request Nov 28, 2022
@latortuga71 @dependabot
@raghavkaul @spencerschrock @shissam @scovetta @favonia @calebbrown
✨ Commit depth feature (ossf#2407)
6c3fcf7 
* 🌱 Bump actions/dependency-review-action from 2.4.1 to 2.5.1

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@9c96258...0efb1d1)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* commit_depth feature

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* added more descriptive comments, changed numberofcommits variable name, moved paging for commits into seperate function.

small changes

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

linter

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* added unit tests

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

added test in e2e

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (ossf#2397)

Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.6.0...v1.6.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.1.6...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0

Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.25.1 to 1.26.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@pubsub/v1.25.1...pubsub/v1.26.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.73.1 to 0.74.0.
- [Release notes](https://github.com/xanzy/go-gitlab/releases)
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.73.1...v0.74.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (ossf#2409)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.20.2...v1.23.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.1.6...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/golangci/golangci-lint in /tools

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](golangci/golangci-lint@v1.50.0...v1.50.1)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (ossf#2363)

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.2.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@b953231...b508e2e)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/goreleaser/goreleaser in /tools (ossf#2373)

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* ✨ CLI for scorecard-attestor (ossf#2309)

* Reorganize

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Working commit

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add tests for root command

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Fix GH actions run

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* fix workflow (ossf#2417)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Bump scorecard-action (ossf#2416)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Fail unit-test job if codecov upload fails (ossf#2415)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Enable comparison for alternative isText implementation (ossf#2414)

* use more performant IsText

Signed-off-by: Spencer Schrock <sschrock@google.com>

* AB test isText implementations

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add comparison env var to release test.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* go mod tidy for attestor

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🐛 modify alternative isText to accept carriage returns (ossf#2421)

* modify IsText from golang.org/x/tools/godoc/util to accept carriage returns.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add TODO reminder to cleanup after release tests

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/gomega from 1.23.0 to 1.24.0

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.23.0...v1.24.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github/codeql-action from 2.1.29 to 2.1.30

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@ec3cf9c...18fe527)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* revert failing unit-test on ci error (ossf#2422)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* ✨ Improved Security Policy Check (ossf#2195)

* ✨ Improved Security Policy Check (ossf#2137)

* Examines and awards points for linked content (URLs / Emails)

* Examines and awards points for hints of disclosure and vulnerability practices

* Examines and awards points for hints of elaboration of timelines

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Repaired Security Policy to correctly use linked content length for evaluation

Signed-off-by: Scott Hissam <shissam@gmail.com>

* gofmt'ed changes

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails

Signed-off-by: Scott Hissam <shissam@gmail.com>

* added unit test cases for the new content-based Security Policy checks

Signed-off-by: Scott Hissam <shissam@gmail.com>

* reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs

Signed-off-by: Scott Hissam <shissam@gmail.com>

* ✨ Improved Security Policy Check (ossf#2137) (revisted based on comments)

* replaced reason strings with log.Info & log.Warn (as seen in --show-details)

* internal assertion check for nil (*pinfo) and empty pfile

* internal switched to FileTypeText over FileTypeSource

* internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file

* revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type

Signed-off-by: Scott Hissam <shissam@gmail.com>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly

Signed-off-by: Scott Hissam <shissam@gmail.com>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly

Signed-off-by: Scott Hissam <shissam@gmail.com>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Resolved merge conflict with checks.yaml

Signed-off-by: Scott Hissam <shissam@gmail.com>

* updated raw results to emit all the raw information for the new security policy check

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Resolved merge conflicts and lint errors with json_raw_results.go

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files.

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files are found in the repo

Signed-off-by: Scott Hissam <shissam@gmail.com>

* added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment

Signed-off-by: Scott Hissam <shissam@gmail.com>

* restored reporting full security policy path and filename for policies found in the org level repos

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Resolved conflicts in checks.yaml for documentation

Signed-off-by: Scott Hissam <shissam@gmail.com>

* ✨ CLI for scorecard-attestor (ossf#2309)

* Reorganize

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Working commit

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add tests for root command

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Fix GH actions run

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>

* removed whitespace before stanza for Run attestor e2e

Signed-off-by: Scott Hissam <shissam@gmail.com>

* resolved code review and doc review comments

Signed-off-by: Scott Hissam <shissam@gmail.com>

* repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines

Signed-off-by: Scott Hissam <shissam@gmail.com>

Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github/codeql-action from 2.1.30 to 2.1.31 (ossf#2431)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@18fe527...c3b6fce)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* enable more performant isText (ossf#2433)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* modified tests,InitRepo Function, Added GetCommitDepth Function to Client Interface

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* removed getcommitdepth function

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* added TODO

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (ossf#2436)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Code Review: treat merging a PR as code review (ossf#2413)

* Merges on Github count as a code review by the maintainer

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Update Raw Results

* More detailed information for Changesets
* If there's no Revision ID, use the Commit SHA instead

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Check that pull request had atleast one reviewer that wasn't its author

* Add field for Pull Request Merged-By to Github and Gitlab
* Note, this check can be bypassed if an author opens a PR with other
  people's commits

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Trivial: Fix typo (exepted -> expected) (ossf#2440)

Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>

Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump step-security/harden-runner from 1.5.0 to 2.0.0 (ossf#2443)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@2e205a2...ebacdc2)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 cron: support reading prefix from file for controller input files (7/n) (ossf#2445)

* add prefix marker file to config

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Read the new config values, if they exist.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add function to fetch prefix file config value.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Read prefix file if prefix not set.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add tests to verify how List works with various prefixes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add tests for getPrefix

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Remove panics from iterator helper functions

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Detect SECURITY.markdown in addition to SECURITY.md (ossf#2447)

GitHub probably supports many more file extensions for Markdown
files, but at the very least, `.md` and `.markdown` have been
standardized in RFC 7763.

Signed-off-by: favonia <favonia@gmail.com>

Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (ossf#2430)

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 cron: expose the stackdriver prefix as a config variable so it can be changed. (ossf#2446)

* Expose the stackdriver prefix as a config variable so it can be changed.

Signed-off-by: Caleb Brown <calebbrown@google.com>

* fix linter warning

Signed-off-by: Caleb Brown <calebbrown@google.com>

Signed-off-by: Caleb Brown <calebbrown@google.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Only write to the rawBucket if the value exists. (ossf#2451)

Signed-off-by: Caleb Brown <calebbrown@google.com>

Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (ossf#2448)

* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.2.0...v0.3.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* bump attestor modules

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Move cron monitoring to a non-internal location. (ossf#2453)

This allows external workers (e.g. criticality_score) to use the same
monitoring code.

Signed-off-by: Caleb Brown <calebbrown@google.com>

Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (ossf#2455)

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@0efb1d1...30d5821)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (ossf#2454)

* Generalize the transfer logic so it is easy to build new transfer agents

This change moves code that reads shards and produces summaries into the
data package so that it can be reused to create new transfer agents,
similar to the BigQuery transfer agent in cron/internal/bq.

Signed-off-by: Caleb Brown <calebbrown@google.com>

* Lint fix and commentary.

Signed-off-by: Caleb Brown <calebbrown@google.com>

Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/google/addlicense in /tools (ossf#2459)

Bumps [github.com/google/addlicense](https://github.com/google/addlicense) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/google/addlicense/releases)
- [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml)
- [Commits](google/addlicense@v1.0.0...v1.1.0)

---
updated-dependencies:
- dependency-name: github.com/google/addlicense
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/google/go-containerregistry

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.0 to 0.12.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.12.0...v0.12.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* go mod tidy

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Added <= instead of == incase negative int is passed

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* missed test fix

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Latortuga <42878263+latortuga71@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: scott hissam <shissam@users.noreply.github.com>
Co-authored-by: Michael Scovetta <michael.scovetta@microsoft.com>
Co-authored-by: favonia <favonia@gmail.com>
Co-authored-by: Caleb Brown <calebbrown@google.com>
N8BWert pushed a commit to N8BWert/scorecard that referenced this pull request Nov 28, 2022
@dependabot @spencerschrock
🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (ossf#2448)
3b87359 
* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.2.0...v0.3.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* bump attestor modules

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: nathaniel.wert <nathaniel.wert@kudelskisecurity.com>
N8BWert pushed a commit to N8BWert/scorecard that referenced this pull request Nov 28, 2022
@latortuga71 @dependabot
@raghavkaul @spencerschrock @shissam @scovetta @favonia @calebbrown
✨ Commit depth feature (ossf#2407)
10322da 
* 🌱 Bump actions/dependency-review-action from 2.4.1 to 2.5.1

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@9c96258...0efb1d1)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* commit_depth feature

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* added more descriptive comments, changed numberofcommits variable name, moved paging for commits into seperate function.

small changes

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

linter

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* added unit tests

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

added test in e2e

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (ossf#2397)

Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.6.0...v1.6.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.1.6...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0

Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.25.1 to 1.26.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@pubsub/v1.25.1...pubsub/v1.26.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.73.1 to 0.74.0.
- [Release notes](https://github.com/xanzy/go-gitlab/releases)
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.73.1...v0.74.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (ossf#2409)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.20.2...v1.23.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.1.6...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/golangci/golangci-lint in /tools

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](golangci/golangci-lint@v1.50.0...v1.50.1)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (ossf#2363)

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.2.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@b953231...b508e2e)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/goreleaser/goreleaser in /tools (ossf#2373)

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* ✨ CLI for scorecard-attestor (ossf#2309)

* Reorganize

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Working commit

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add tests for root command

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Fix GH actions run

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* fix workflow (ossf#2417)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Bump scorecard-action (ossf#2416)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Fail unit-test job if codecov upload fails (ossf#2415)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Enable comparison for alternative isText implementation (ossf#2414)

* use more performant IsText

Signed-off-by: Spencer Schrock <sschrock@google.com>

* AB test isText implementations

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add comparison env var to release test.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* go mod tidy for attestor

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🐛 modify alternative isText to accept carriage returns (ossf#2421)

* modify IsText from golang.org/x/tools/godoc/util to accept carriage returns.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add TODO reminder to cleanup after release tests

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/gomega from 1.23.0 to 1.24.0

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.23.0...v1.24.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github/codeql-action from 2.1.29 to 2.1.30

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@ec3cf9c...18fe527)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* revert failing unit-test on ci error (ossf#2422)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* ✨ Improved Security Policy Check (ossf#2195)

* ✨ Improved Security Policy Check (ossf#2137)

* Examines and awards points for linked content (URLs / Emails)

* Examines and awards points for hints of disclosure and vulnerability practices

* Examines and awards points for hints of elaboration of timelines

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Repaired Security Policy to correctly use linked content length for evaluation

Signed-off-by: Scott Hissam <shissam@gmail.com>

* gofmt'ed changes

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails

Signed-off-by: Scott Hissam <shissam@gmail.com>

* added unit test cases for the new content-based Security Policy checks

Signed-off-by: Scott Hissam <shissam@gmail.com>

* reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs

Signed-off-by: Scott Hissam <shissam@gmail.com>

* ✨ Improved Security Policy Check (ossf#2137) (revisted based on comments)

* replaced reason strings with log.Info & log.Warn (as seen in --show-details)

* internal assertion check for nil (*pinfo) and empty pfile

* internal switched to FileTypeText over FileTypeSource

* internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file

* revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type

Signed-off-by: Scott Hissam <shissam@gmail.com>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly

Signed-off-by: Scott Hissam <shissam@gmail.com>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly

Signed-off-by: Scott Hissam <shissam@gmail.com>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Resolved merge conflict with checks.yaml

Signed-off-by: Scott Hissam <shissam@gmail.com>

* updated raw results to emit all the raw information for the new security policy check

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Resolved merge conflicts and lint errors with json_raw_results.go

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files.

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files are found in the repo

Signed-off-by: Scott Hissam <shissam@gmail.com>

* added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment

Signed-off-by: Scott Hissam <shissam@gmail.com>

* restored reporting full security policy path and filename for policies found in the org level repos

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Resolved conflicts in checks.yaml for documentation

Signed-off-by: Scott Hissam <shissam@gmail.com>

* ✨ CLI for scorecard-attestor (ossf#2309)

* Reorganize

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Working commit

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add tests for root command

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Fix GH actions run

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>

* removed whitespace before stanza for Run attestor e2e

Signed-off-by: Scott Hissam <shissam@gmail.com>

* resolved code review and doc review comments

Signed-off-by: Scott Hissam <shissam@gmail.com>

* repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines

Signed-off-by: Scott Hissam <shissam@gmail.com>

Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github/codeql-action from 2.1.30 to 2.1.31 (ossf#2431)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@18fe527...c3b6fce)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* enable more performant isText (ossf#2433)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* modified tests,InitRepo Function, Added GetCommitDepth Function to Client Interface

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* removed getcommitdepth function

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* added TODO

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (ossf#2436)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Code Review: treat merging a PR as code review (ossf#2413)

* Merges on Github count as a code review by the maintainer

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Update Raw Results

* More detailed information for Changesets
* If there's no Revision ID, use the Commit SHA instead

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Check that pull request had atleast one reviewer that wasn't its author

* Add field for Pull Request Merged-By to Github and Gitlab
* Note, this check can be bypassed if an author opens a PR with other
  people's commits

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Trivial: Fix typo (exepted -> expected) (ossf#2440)

Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>

Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump step-security/harden-runner from 1.5.0 to 2.0.0 (ossf#2443)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@2e205a2...ebacdc2)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 cron: support reading prefix from file for controller input files (7/n) (ossf#2445)

* add prefix marker file to config

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Read the new config values, if they exist.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add function to fetch prefix file config value.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Read prefix file if prefix not set.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add tests to verify how List works with various prefixes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add tests for getPrefix

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Remove panics from iterator helper functions

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Detect SECURITY.markdown in addition to SECURITY.md (ossf#2447)

GitHub probably supports many more file extensions for Markdown
files, but at the very least, `.md` and `.markdown` have been
standardized in RFC 7763.

Signed-off-by: favonia <favonia@gmail.com>

Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (ossf#2430)

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 cron: expose the stackdriver prefix as a config variable so it can be changed. (ossf#2446)

* Expose the stackdriver prefix as a config variable so it can be changed.

Signed-off-by: Caleb Brown <calebbrown@google.com>

* fix linter warning

Signed-off-by: Caleb Brown <calebbrown@google.com>

Signed-off-by: Caleb Brown <calebbrown@google.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Only write to the rawBucket if the value exists. (ossf#2451)

Signed-off-by: Caleb Brown <calebbrown@google.com>

Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (ossf#2448)

* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.2.0...v0.3.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* bump attestor modules

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Move cron monitoring to a non-internal location. (ossf#2453)

This allows external workers (e.g. criticality_score) to use the same
monitoring code.

Signed-off-by: Caleb Brown <calebbrown@google.com>

Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (ossf#2455)

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@0efb1d1...30d5821)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (ossf#2454)

* Generalize the transfer logic so it is easy to build new transfer agents

This change moves code that reads shards and produces summaries into the
data package so that it can be reused to create new transfer agents,
similar to the BigQuery transfer agent in cron/internal/bq.

Signed-off-by: Caleb Brown <calebbrown@google.com>

* Lint fix and commentary.

Signed-off-by: Caleb Brown <calebbrown@google.com>

Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/google/addlicense in /tools (ossf#2459)

Bumps [github.com/google/addlicense](https://github.com/google/addlicense) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/google/addlicense/releases)
- [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml)
- [Commits](google/addlicense@v1.0.0...v1.1.0)

---
updated-dependencies:
- dependency-name: github.com/google/addlicense
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/google/go-containerregistry

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.0 to 0.12.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.12.0...v0.12.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* go mod tidy

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Added <= instead of == incase negative int is passed

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* missed test fix

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Latortuga <42878263+latortuga71@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: scott hissam <shissam@users.noreply.github.com>
Co-authored-by: Michael Scovetta <michael.scovetta@microsoft.com>
Co-authored-by: favonia <favonia@gmail.com>
Co-authored-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: nathaniel.wert <nathaniel.wert@kudelskisecurity.com>
raghavkaul pushed a commit to raghavkaul/scorecard that referenced this pull request Feb 9, 2023
@dependabot @spencerschrock @raghavkaul
🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (ossf#2448)
a49f585 
* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.2.0...v0.3.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* bump attestor modules

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
raghavkaul added a commit to raghavkaul/scorecard that referenced this pull request Feb 9, 2023
@latortuga71 @dependabot
@raghavkaul @spencerschrock @shissam @scovetta @favonia @calebbrown
✨ Commit depth feature (ossf#2407)
b8f722c 
* 🌱 Bump actions/dependency-review-action from 2.4.1 to 2.5.1

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@9c96258...0efb1d1)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* commit_depth feature

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* added more descriptive comments, changed numberofcommits variable name, moved paging for commits into seperate function.

small changes

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

linter

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* added unit tests

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

added test in e2e

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (ossf#2397)

Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.6.0...v1.6.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.1.6...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0

Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.25.1 to 1.26.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@pubsub/v1.25.1...pubsub/v1.26.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.73.1 to 0.74.0.
- [Release notes](https://github.com/xanzy/go-gitlab/releases)
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.73.1...v0.74.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (ossf#2409)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.20.2...v1.23.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.1.6...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/golangci/golangci-lint in /tools

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](golangci/golangci-lint@v1.50.0...v1.50.1)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (ossf#2363)

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.2.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@b953231...b508e2e)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/goreleaser/goreleaser in /tools (ossf#2373)

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* ✨ CLI for scorecard-attestor (ossf#2309)

* Reorganize

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Working commit

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add tests for root command

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Fix GH actions run

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* fix workflow (ossf#2417)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Bump scorecard-action (ossf#2416)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Fail unit-test job if codecov upload fails (ossf#2415)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Enable comparison for alternative isText implementation (ossf#2414)

* use more performant IsText

Signed-off-by: Spencer Schrock <sschrock@google.com>

* AB test isText implementations

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add comparison env var to release test.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* go mod tidy for attestor

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🐛 modify alternative isText to accept carriage returns (ossf#2421)

* modify IsText from golang.org/x/tools/godoc/util to accept carriage returns.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add TODO reminder to cleanup after release tests

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/gomega from 1.23.0 to 1.24.0

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.23.0...v1.24.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github/codeql-action from 2.1.29 to 2.1.30

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@ec3cf9c...18fe527)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* revert failing unit-test on ci error (ossf#2422)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* ✨ Improved Security Policy Check (ossf#2195)

* ✨ Improved Security Policy Check (ossf#2137)

* Examines and awards points for linked content (URLs / Emails)

* Examines and awards points for hints of disclosure and vulnerability practices

* Examines and awards points for hints of elaboration of timelines

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Repaired Security Policy to correctly use linked content length for evaluation

Signed-off-by: Scott Hissam <shissam@gmail.com>

* gofmt'ed changes

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails

Signed-off-by: Scott Hissam <shissam@gmail.com>

* added unit test cases for the new content-based Security Policy checks

Signed-off-by: Scott Hissam <shissam@gmail.com>

* reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs

Signed-off-by: Scott Hissam <shissam@gmail.com>

* ✨ Improved Security Policy Check (ossf#2137) (revisted based on comments)

* replaced reason strings with log.Info & log.Warn (as seen in --show-details)

* internal assertion check for nil (*pinfo) and empty pfile

* internal switched to FileTypeText over FileTypeSource

* internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file

* revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type

Signed-off-by: Scott Hissam <shissam@gmail.com>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly

Signed-off-by: Scott Hissam <shissam@gmail.com>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly

Signed-off-by: Scott Hissam <shissam@gmail.com>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Resolved merge conflict with checks.yaml

Signed-off-by: Scott Hissam <shissam@gmail.com>

* updated raw results to emit all the raw information for the new security policy check

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Resolved merge conflicts and lint errors with json_raw_results.go

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files.

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files are found in the repo

Signed-off-by: Scott Hissam <shissam@gmail.com>

* added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment

Signed-off-by: Scott Hissam <shissam@gmail.com>

* restored reporting full security policy path and filename for policies found in the org level repos

Signed-off-by: Scott Hissam <shissam@gmail.com>

* Resolved conflicts in checks.yaml for documentation

Signed-off-by: Scott Hissam <shissam@gmail.com>

* ✨ CLI for scorecard-attestor (ossf#2309)

* Reorganize

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Working commit

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add tests for root command

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Fix GH actions run

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>

* removed whitespace before stanza for Run attestor e2e

Signed-off-by: Scott Hissam <shissam@gmail.com>

* resolved code review and doc review comments

Signed-off-by: Scott Hissam <shissam@gmail.com>

* repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines

Signed-off-by: Scott Hissam <shissam@gmail.com>

Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github/codeql-action from 2.1.30 to 2.1.31 (ossf#2431)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@18fe527...c3b6fce)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* enable more performant isText (ossf#2433)

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* modified tests,InitRepo Function, Added GetCommitDepth Function to Client Interface

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* removed getcommitdepth function

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* added TODO

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (ossf#2436)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Code Review: treat merging a PR as code review (ossf#2413)

* Merges on Github count as a code review by the maintainer

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Update Raw Results

* More detailed information for Changesets
* If there's no Revision ID, use the Commit SHA instead

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Check that pull request had atleast one reviewer that wasn't its author

* Add field for Pull Request Merged-By to Github and Gitlab
* Note, this check can be bypassed if an author opens a PR with other
  people's commits

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Trivial: Fix typo (exepted -> expected) (ossf#2440)

Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>

Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump step-security/harden-runner from 1.5.0 to 2.0.0 (ossf#2443)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@2e205a2...ebacdc2)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 cron: support reading prefix from file for controller input files (7/n) (ossf#2445)

* add prefix marker file to config

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Read the new config values, if they exist.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add function to fetch prefix file config value.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Read prefix file if prefix not set.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add tests to verify how List works with various prefixes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add tests for getPrefix

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Remove panics from iterator helper functions

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Detect SECURITY.markdown in addition to SECURITY.md (ossf#2447)

GitHub probably supports many more file extensions for Markdown
files, but at the very least, `.md` and `.markdown` have been
standardized in RFC 7763.

Signed-off-by: favonia <favonia@gmail.com>

Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (ossf#2430)

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 cron: expose the stackdriver prefix as a config variable so it can be changed. (ossf#2446)

* Expose the stackdriver prefix as a config variable so it can be changed.

Signed-off-by: Caleb Brown <calebbrown@google.com>

* fix linter warning

Signed-off-by: Caleb Brown <calebbrown@google.com>

Signed-off-by: Caleb Brown <calebbrown@google.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Only write to the rawBucket if the value exists. (ossf#2451)

Signed-off-by: Caleb Brown <calebbrown@google.com>

Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (ossf#2448)

* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.2.0...v0.3.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* bump attestor modules

Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Move cron monitoring to a non-internal location. (ossf#2453)

This allows external workers (e.g. criticality_score) to use the same
monitoring code.

Signed-off-by: Caleb Brown <calebbrown@google.com>

Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (ossf#2455)

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@0efb1d1...30d5821)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (ossf#2454)

* Generalize the transfer logic so it is easy to build new transfer agents

This change moves code that reads shards and produces summaries into the
data package so that it can be reused to create new transfer agents,
similar to the BigQuery transfer agent in cron/internal/bq.

Signed-off-by: Caleb Brown <calebbrown@google.com>

* Lint fix and commentary.

Signed-off-by: Caleb Brown <calebbrown@google.com>

Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/google/addlicense in /tools (ossf#2459)

Bumps [github.com/google/addlicense](https://github.com/google/addlicense) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/google/addlicense/releases)
- [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml)
- [Commits](google/addlicense@v1.0.0...v1.1.0)

---
updated-dependencies:
- dependency-name: github.com/google/addlicense
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* 🌱 Bump github.com/google/go-containerregistry

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.0 to 0.12.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.12.0...v0.12.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* go mod tidy

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* Added <= instead of == incase negative int is passed

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

* missed test fix

Signed-off-by: latortuga71 <christopheralonso1@gmail.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Latortuga <42878263+latortuga71@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: scott hissam <shissam@users.noreply.github.com>
Co-authored-by: Michael Scovetta <michael.scovetta@microsoft.com>
Co-authored-by: favonia <favonia@gmail.com>
Co-authored-by: Caleb Brown <calebbrown@google.com>
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@naveensrinivasan naveensrinivasan naveensrinivasan approved these changes

@azeemshaikh38 azeemshaikh38 Awaiting requested review from azeemshaikh38

@justaugustus justaugustus Awaiting requested review from justaugustus

@laurentsimon laurentsimon Awaiting requested review from laurentsimon

@spencerschrock spencerschrock Awaiting requested review from spencerschrock

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@naveensrinivasan @spencerschrock