✨ Add packaging workflow for semantic-release #2964

Merged
merged 4 commits into from
May 9, 2023

Contributor

@travi travi commented May 7, 2023

What kind of change does this PR introduce?

Adds detection for the recommended use of semantic-release in a GitHub Actions workflow.

What is the current behavior?

semantic-release is not detected as a packaging tool. detection for python-semantic-release was added in #1654, but that is a separate project from semantic-release

What is the new behavior (if this is a feature change)?

semantic-release is now detected when used with npx in the workflow. the following variations are detected in the run property of a step:

  • npx semantic-release
  • npx semantic-release@21
  • npx semantic-release@21.0.2
  • npx semantic-release@beta
  • npx -p @semantic-release/git semantic-release

  • Tests for the changes have been added (for bug fixes/features)

I verified that the variations above are detected when set in the testdata workflow file, but the PR currently only contains one of those variations. I did not find examples of other situations that defined multiple workflow variations for a single packaging tool detection, but I am open to feedback if additional tests would be desired.

Which issue(s) this PR fixes

Fixes #2929

Special notes for your reviewer

i personally use a reusable workflow (example reference) to capture the details of running semantic-release. (Since I am a semantic-release maintainer, I mostly do this to enable easy switching from use of the latest version to a pre-release in order to test further across my own projects.) I assume reusable workflows would prevent detection of the semantic-release usage, is that correct or does the scanning also evaluate those?

even if reusable workflows are not scanned, adding this detection would be valuable for much of our community. i would be interested to add this support and follow up with further discussion afterward about reusable workflows if not already scanned.

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

✨ Add packaging workflow for semantic-release

Signed-off-by: Matt Travi <programmer@travi.org>
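
Added example, not the code merged in this PR and not Scorecard's own matcher: one way to recognise the npx variations listed in the description from a step's run string. The function names and the sample inputs are assumptions made for illustration; a job that only calls a reusable workflow has no run string, so a check of this shape never sees it.

```go
package main

import (
	"fmt"
	"strings"
)

// isSemanticReleaseRun reports whether a workflow step's `run` script invokes
// semantic-release through npx. Hypothetical helper, not Scorecard's matcher.
func isSemanticReleaseRun(run string) bool {
	for _, line := range strings.Split(run, "\n") {
		fields := strings.Fields(line)
		for i, f := range fields {
			if f == "npx" && npxRunsSemanticRelease(fields[i+1:]) {
				return true
			}
		}
	}
	return false
}

// npxRunsSemanticRelease inspects the tokens after `npx`: it skips options
// (and the value of -p/--package) and tests the first command name it finds.
func npxRunsSemanticRelease(args []string) bool {
	for i := 0; i < len(args); i++ {
		a := args[i]
		if a == "-p" || a == "--package" {
			i++ // next token is an extra package to install, not the command
			continue
		}
		if strings.HasPrefix(a, "-") {
			continue
		}
		// Drop a version or dist-tag suffix (@21, @21.0.2, @beta). Index 0 is
		// excluded so a scoped name such as @semantic-release/git stays intact.
		if at := strings.LastIndex(a, "@"); at > 0 {
			a = a[:at]
		}
		return a == "semantic-release"
	}
	return false
}

func main() {
	// Constructed sample run values, not taken from the PR's testdata.
	for _, s := range []string{"npx semantic-release@21.0.2", "npm ci\nnpx -p @semantic-release/git semantic-release", "npx semantic-release-cli"} {
		fmt.Printf("%q -> %v\n", s, isSemanticReleaseRun(s))
	}
}
```
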
@raghavkaul raghavkaul temporarily deployed to integration-test May 8, 2023 15:46 — with GitHub Actions Inactive
codecov bot commented May 8, 2023

Codecov Report

Merging #2964 (e11d5c7) into main (793da0c) will increase coverage by 0.03%.
The diff coverage is 100.00%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2964      +/-   ##
==========================================
+ Coverage   53.01%   53.05%   +0.03%     
==========================================
  Files         161      161              
  Lines       12303    12312       +9     
==========================================
+ Hits         6523     6532       +9     
  Misses       5404     5404              
  Partials      376      376              

Contributor

@spencerschrock spencerschrock left a comment

Thanks, the only blocker is the linter

checks/fileparser/github_workflow.go (outdated)
Signed-off-by: Matt Travi <programmer@travi.org>
@spencerschrock spencerschrock enabled auto-merge (squash) May 9, 2023 17:46
@spencerschrock spencerschrock temporarily deployed to integration-test May 9, 2023 17:47 — with GitHub Actions Inactive
@spencerschrock
Contributor

> I assume reusable workflows would prevent detection of the semantic-release usage, is that correct or does the scanning also evaluate those?

Yes, Scorecard doesn't currently follow any reusable workflows.

> even if reusable workflows are not scanned, adding this detection would be valuable for much of our community.

Thank you for the contribution!

@spencerschrock spencerschrock merged commit 2ca4722 into ossf:main May 9, 2023
@travi travi deleted the semantic-release branch May 10, 2023 02:40
@travi travi restored the semantic-release branch May 10, 2023 02:40
@travi travi deleted the semantic-release branch May 10, 2023 02:40
@travi
Contributor Author

travi commented May 10, 2023

> Yes, Scorecard doesn't currently follow any reusable workflows.

makes sense. thank you for confirming. would you say that there is an appetite to analyze those at some point in the future?

> Thank you for the contribution!

absolutely. thanks for accepting and for all you do on the project. i'm excited about how this will help our communities

gabibguti pushed a commit to gabibguti/scorecard that referenced this pull request May 10, 2023
* ✨ Add packaging workflow for semantic-release

Signed-off-by: Matt Travi <programmer@travi.org>

* Resolve indentation inconsistencies

Signed-off-by: Matt Travi <programmer@travi.org>

---------

Signed-off-by: Matt Travi <programmer@travi.org>
balteravishay pushed a commit to balteravishay/scorecard that referenced this pull request May 29, 2023
* ✨ Add packaging workflow for semantic-release

Signed-off-by: Matt Travi <programmer@travi.org>

* Resolve indentation inconsistencies

Signed-off-by: Matt Travi <programmer@travi.org>

---------

Signed-off-by: Matt Travi <programmer@travi.org>
Signed-off-by: Avishay <avishay.balter@gmail.com>
ashearin pushed a commit to kgangerlm/scorecard-gitlab that referenced this pull request Nov 13, 2023
* ✨ Add packaging workflow for semantic-release

Signed-off-by: Matt Travi <programmer@travi.org>

* Resolve indentation inconsistencies

Signed-off-by: Matt Travi <programmer@travi.org>

---------

Signed-off-by: Matt Travi <programmer@travi.org>
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Development

Successfully merging this pull request may close these issues.

Feature: Support semantic-release for packaging