-
Notifications
You must be signed in to change notification settings - Fork 504
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ Detect fast-check PBT library for fuzz section #3073
Conversation
0ba4c12
to
e233301
Compare
Thank you! Can you please do this for updating the docs https://github.com/ossf/scorecard/blob/main/CONTRIBUTING.md#updating-docs? |
Of course, I'll do |
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #3073 +/- ##
==========================================
- Coverage 64.85% 61.98% -2.87%
==========================================
Files 166 166
Lines 12470 12470
==========================================
- Hits 8087 7730 -357
- Misses 3933 4315 +382
+ Partials 450 425 -25 |
@naveensrinivasan Is my last commit doing what you requested? |
Sorry for the force push, I just resolved a conflict on README.md |
@naveensrinivasan It seems that coverage blocks the merge. Anything I can do? It seems the new part is covered, no? |
This is the reason "This branch is out-of-date with the base branch" Can you please rebase with the main and force-push it? |
As suggested at ossf#2792 (comment), we add support for the detection of fast-check as a possible fuzzing solution. I also adapted the documentation related to fuzzing accordingly. Signed-off-by: Nicolas DUBIEN <github@dubien.org>
Signed-off-by: Nicolas DUBIEN <github@dubien.org>
* ✨ Detect fast-check PBT library for fuzz section As suggested at ossf#2792 (comment), we add support for the detection of fast-check as a possible fuzzing solution. I also adapted the documentation related to fuzzing accordingly. Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Typo Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Update missing md files Signed-off-by: Nicolas DUBIEN <github@dubien.org> --------- Signed-off-by: Nicolas DUBIEN <github@dubien.org> Signed-off-by: Avishay <avishay.balter@gmail.com>
* ✨ Detect fast-check PBT library for fuzz section As suggested at ossf#2792 (comment), we add support for the detection of fast-check as a possible fuzzing solution. I also adapted the documentation related to fuzzing accordingly. Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Typo Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Update missing md files Signed-off-by: Nicolas DUBIEN <github@dubien.org> --------- Signed-off-by: Nicolas DUBIEN <github@dubien.org> Signed-off-by: Avishay <avishay.balter@gmail.com>
* add nuget package manager Signed-off-by: Avishay <avishay.balter@gmail.com> * fix pat test messages (#2987) * also fix pat tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0 Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump cloud.google.com/go/bigquery from 1.51.1 to 1.51.2 (#2984) Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.51.1 to 1.51.2. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.51.1...bigquery/v1.51.2) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/tools from 0.9.0 to 0.9.1 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.0 to 0.9.1. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.0...v0.9.1) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :bug: Update osv-scanner dependency to include Vulnerabilities check fixes (#2981) * Update osv-scanner dependency to include Vulnerabilities check fixes Signed-off-by: Laurent Savaëte <laurent@where.tf> * Run go mod tidy Signed-off-by: Laurent Savaëte <laurent@where.tf> --------- Signed-off-by: Laurent Savaëte <laurent@where.tf> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/docker/distribution in /tools (#2993) Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible. - [Release notes](https://github.com/docker/distribution/releases) - [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2) --- updated-dependencies: - dependency-name: github.com/docker/distribution dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Gitlab: e2e test fixes in main (#2992) * test secret chagnes Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update score Signed-off-by: Raghav Kaul <raghavkaul@google.com> * address cr comments Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests log/log.go (#2980) - Add unit tests for the log package - Add Apache License to log_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/cloudflare/circl in /tools (#2995) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.2.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.2.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :sparkles: Add releasing workflow for semantic-release (#2989) Signed-off-by: Matt Travi <programmer@travi.org> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0 Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/slsa-framework/slsa-verifier/releases) - [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md) - [Commits](https://github.com/slsa-framework/slsa-verifier/compare/v2.2.0...v2.3.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-verifier dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#2994) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934) * :seedling: Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: E2E for clients/githubrepo/contributors.go (#2939) * :seedling: E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: Clarify that AI/ML doesn't count as human code review (#2953) * Clarify that AI/ML doesn't count as human code review Add this clarification per the Scorecards Zoom call meeting today (2023-05-04). Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> * Tweaked per review Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> --------- Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/controller Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/worker Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `31a8f92` to `685a22e` Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/webhook Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Clarify AI/ML not human code review - in .yml file (#3012) This clarifies that AI/ML doesn't count as human code review. This was earlier done in #2953 but that didn't modify the relevant .yml file - this does. Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0. - [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for checks/raw/maintained.go (#2996) - Add tests and checks for the `Maintained` function - Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/894ff025c7b54547a9a2a1e9f228beae737ad3c2...eaaf4bedf32dbdc6b720b63067d99c4d77d6047d) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for Policy.go (#3003) - Included tests for policy.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/204a51a57a74d190b284a0ce69b44bc37201f343...03d0fecf172873164a163bbc64bed0f3bf114ed7) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/google/go-containerregistry (#3025) Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1 Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Included e2e tests for push to main (#2951) - Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Included directories that don't require coverage (#3002) - Included directories that don't require coverage. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for checks/raw/contributors.go (#2998) - Add tests and fix casing for Contributors function in checks/raw/contributors_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ GitLab: Code Review check (#2764) * Add GitLab support for Code-Review check Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove spurious printf Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Working commit Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * e2e test Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update: test coverage Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * gitlab: license check (#2834) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/google/osv-scanner Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/commits/v1.3.3) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/03d0fecf172873164a163bbc64bed0f3bf114ed7...dd6b2e2b610a11fd73dd187a43d57cc1394e35f9) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump arduino/setup-protoc from 1.1.2 to 1.2.0 Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0. - [Release notes](https://github.com/arduino/setup-protoc/releases) - [Commits](https://github.com/arduino/setup-protoc/compare/64c0c85d18e984422218383b81c52f8b077404d3...4b3578161eece2eb20a9dfd84bb8ed105e684dba) --- updated-dependencies: - dependency-name: arduino/setup-protoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :sparkles: Add support for github GHES (#2999) * :sparkles: adding support for github GHES Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: lint and cleanup Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: flaky test Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: address missing host Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: lint error Signed-off-by: Niket Patel <patelniket@gmail.com> * :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934) * :seedling: Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniket@gmail.com> * :seedling: E2E for clients/githubrepo/contributors.go (#2939) * :seedling: E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniket@gmail.com> * chore: add GHES instructions Signed-off-by: Niket Patel <patelniket@gmail.com> * refact: use test setenv Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: corp unit test Signed-off-by: Niket Patel <patelniket@gmail.com> --------- Signed-off-by: Niket Patel <patelniket@gmail.com> Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniketm@users.noreply.github.com> Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Change Facilitators to Maintainers (#3039) Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS. Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder. Signed-off-by: Jeff Mendoza <jlm@jlm.name> Signed-off-by: Avishay <avishay.balter@gmail.com> * :bug: Gitlab: Commit/Commitor Exceptions (#3026) * feat: Added paging for contributor/users against gitlab projects Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Updated the bot flag for unmatched users Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Not all commit users are in the git registry instance Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char. Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Updated to allow for commits with PRs to be accounted/added to the client.commits Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Updated to prevent linting issue regarding nested if's Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Adding coverage for commits and contributors for gitlab Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Moved queries from the client to their own functions Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Need to pass the ProjectID value to the contributor query Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updating project title versus projectID values for api querying Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Updated tests to match expected property set for projectID Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * revert: Reverted based on feedback during review Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> --------- Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: Make all StepSecurity app endpoint references consistent (#3042) Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io> Signed-off-by: Avishay <avishay.balter@gmail.com> * 📖 Update checks.md to show the benefit of >=2 reviewers (#3013) * Update checks.yaml instead of cehcks.md Signed-off-by: Joyce <joycebrum@google.com> * feat: generate checks.md Signed-off-by: Joyce Brum <joycebrum@google.com> --------- Signed-off-by: Joyce <joycebrum@google.com> Signed-off-by: Joyce Brum <joycebrum@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Improve workflow pinning remediation tests (#3021) - Add 3 tests for workflow pinning remediation [remediation/remediations_test.go] - Add 3 tests for workflow pinning remediation Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go (#3000) * :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go - Included e2e tests for clients/githubrepo/languages_e2e_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed the token type check. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for pkg/json_raw_results (#3044) * :seedling: Unit tests for pkg/json_raw_results.go - Unit tests for pkg/json_raw_results.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Additional tests Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * add zoom link and agenda link (#3050) Signed-off-by: Amanda L Martin <hythloda@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Run E2E PAT test for push to main (#3046) - Add E2E PAT tests for push to main. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Update main.yml (#3054) -Fixed the YAML indenting issue. Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * only run e2e pat on push (#3056) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: :ghost: fix anchor link to the code review section (#3058) * fix anchor link to code-review in checks.yaml Signed-off-by: dasfreak <dasfreak@users.noreply.github.com> Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> * generate checks.md Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> --------- Signed-off-by: dasfreak <dasfreak@users.noreply.github.com> Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Gitlab: Tests (#3027) * fix tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * use projectID instead of project where applicable Signed-off-by: Raghav Kaul <raghavkaul@google.com> * pass ref as listcommitoption Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update tests * CI-Tests: check if score > 0. pull request client is limited and can't go back to arbitrary pull requests. CI-Tests don't run on forks, so this can't be pinned either. But, for active repositories, we typically expect *some* tests to be run Signed-off-by: Raghav Kaul <raghavkaul@google.com> * fix commitshandler commitSHA tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/goreleaser/nfpm/v2 in /tools (#3060) Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0. - [Release notes](https://github.com/goreleaser/nfpm/releases) - [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml) - [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0) --- updated-dependencies: - dependency-name: github.com/goreleaser/nfpm/v2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Gitlab: Add projects to cron (#2936) * cron: add gitlab projects * support gitlab client * simplify gitlab detection Signed-off-by: Raghav Kaul <raghavkaul@google.com> * fix MakeGitlabRepo * shortcut when repo url is github.com * fixes add-projects, validate-projects Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Move gitlab repos to release controller Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add csv headers Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Use gitlab.WithBaseURL Signed-off-by: Raghav Kaul <raghavkaul@google.com> * formatting & logging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * remove spurious test Signed-off-by: Raghav Kaul <raghavkaul@google.com> * consolidate logic Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Turn on experimental flag Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add projects Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Update client Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Simplify caching in docker workflow (#3061) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...f0e3dfb30302f8a0881bb509b044e0de4f6ef589) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065) Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 gitlab: cron (#3070) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/f0e3dfb30302f8a0881bb509b044e0de4f6ef589...0225834cc549ee0ca93cb085b92954821a145866) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/b2d17f51244a144849c6b37a3a6791b98a51d86f...25eaddf37ae893cec889065e9a60439c8af6f089) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Gitlab status updates (#3052) * doc: Updating gitlab support validation status Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updated logic for gitlab to prevent exceptions based on releases Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Added initial tests for gitlab branches Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * doc: Updated general README Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Cleaned up the query for pipelines to be focused on the commitID Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * feat: Allowed for a non-graphql method of retrieving MRs associated to a commit Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * doc: Updated status for the CI-Tests Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository. Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> --------- Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079) Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0. - [Release notes](https://github.com/sigstore/rekor/releases) - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * get nuget latest version from registration URL Signed-off-by: Avishay <avishay.balter@gmail.com> * better coverage Signed-off-by: Avishay <avishay.balter@gmail.com> * sign Signed-off-by: Avishay <avishay.balter@gmail.com> * fix tests Signed-off-by: Avishay <avishay.balter@gmail.com> * more tests Signed-off-by: Avishay <avishay.balter@gmail.com> * client tests Signed-off-by: Avishay <avishay.balter@gmail.com> * lint Signed-off-by: Avishay <avishay.balter@gmail.com> * Apply suggestions from code review Co-authored-by: Joel Verhagen <joel.verhagen@gmail.com> Signed-off-by: Avishay Balter <avishay.balter@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `685a22e` to `690e413` (#3080) Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/cii Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/controller Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/worker Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/webhook Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/bq Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089) Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0. - [Release notes](https://github.com/arduino/setup-protoc/releases) - [Commits](https://github.com/arduino/setup-protoc/compare/4b3578161eece2eb20a9dfd84bb8ed105e684dba...149f6c87b92550901b26acd1632e11c3662e381f) --- updated-dependencies: - dependency-name: arduino/setup-protoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/25eaddf37ae893cec889065e9a60439c8af6f089...cf4fe8759a45edd76ed6215da3529d2dbd2a3c68) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * pr iteration 2 Signed-off-by: Avishay <avishay.balter@gmail.com> * pr iteration 3 Signed-off-by: Avishay <avishay.balter@gmail.com> * switch security policy e2e test to ossf-tests repo. (#3090) tensorflow/tensorflow is huge and was slowing down tests. Also removed the rust e2e tests because they're already present as unit tests. Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/cf4fe8759a45edd76ed6215da3529d2dbd2a3c68...5978e5a2df95ef20cde627d4acb5edd1f87ba46a) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/tools from 0.9.1 to 0.9.2 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ GitLab: enable more checks in cron (#3097) * Enable checks * Binary-Artifacts * Code-Review * License * Vulnerabilities Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Enable more checks * CII Best Practices * Fuzzing * Maintained * Packaging * Pinned-Dependencies * Signed-Releases Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update repo name Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: agenda link change (#3111) Signed-off-by: Amanda L Martin <hythloda@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/5978e5a2df95ef20cde627d4acb5edd1f87ba46a...5d2fcdb4cbef720a52f49fd05d8c7edd18a64758) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/tools from 0.9.2 to 0.9.3 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for option (#3109) - Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format - Add tests for checks to run and format flags Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 GitLab: add gitlab auth token to cron worker env (#3117) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Don't run pat e2e on dependabot merges (#3119) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Detect fast-check PBT library for fuzz section (#3073) * ✨ Detect fast-check PBT library for fuzz section As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution. I also adapted the documentation related to fuzzing accordingly. Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Typo Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Update missing md files Signed-off-by: Nicolas DUBIEN <github@dubien.org> --------- Signed-off-by: Nicolas DUBIEN <github@dubien.org> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: temporarily disable failing e2e tests so we don't block all PRs. (#3130) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * pr comments Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * i:seedling: Ignore all pb files for test (#3127) - Update .codecov.yml to ignore additional files Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Deprecate dependencydiff package and add access token requirement (#3125) - Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function - Add a line to the `.codecov.yml` to ignore the `dependencydiff` package Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ [experimental] Support for new `--format probe` (#3048) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump distroless/base (#3122) Bumps distroless/base from `10985f0` to `c623859`. --- updated-dependencies: - dependency-name: distroless/base dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Ignore deprecation warning for dependencydiff tests. (#3136) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.15 to 36.0.18 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/5d2fcdb4cbef720a52f49fd05d8c7edd18a64758...07e0177b72d3640efced741cae32f9861eee1367) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4 Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8 Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139) Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Increase test coverage for finding outcomes (#3142) * Increase test coverage for finding outcomes - Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Updates based on Codereview - Update `Outcome` variable in `finding/finding_test.go` - Add `t.Parallel()` for test parallelization - Add comparison using `cmp.Diff` to test for mismatches - Update test cases for various outcomes Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/07e0177b72d3640efced741cae32f9861eee1367...fb20f4d24890fadc539505b1746d260504b213d0) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144) * re-enable skipped ci test Signed-off-by: Spencer Schrock <sschrock@google.com> * re-enable skipped attestor test. switch to ossf-tests repo Signed-off-by: Spencer Schrock <sschrock@google.com> * remove extra policies from tests that only look at code review. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unneeded policies from binary artifact tests. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * add license header Signed-off-by: Avishay <avishay.balter@gmail.com> * pr comments Signed-off-by: Avishay <avishay.balter@gmail.com> * making the packages internal Signed-off-by: Avishay <avishay.balter@gmail.com> * generate mocks Signed-off-by: Avishay <avishay.balter@gmail.com> --------- Signed-off-by: Avishay <avishay.balter@gmail.com> Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
* ✨ Detect fast-check PBT library for fuzz section As suggested at ossf#2792 (comment), we add support for the detection of fast-check as a possible fuzzing solution. I also adapted the documentation related to fuzzing accordingly. Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Typo Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Update missing md files Signed-off-by: Nicolas DUBIEN <github@dubien.org> --------- Signed-off-by: Nicolas DUBIEN <github@dubien.org> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* add nuget package manager Signed-off-by: Avishay <avishay.balter@gmail.com> * fix pat test messages (#2987) * also fix pat tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0 Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump cloud.google.com/go/bigquery from 1.51.1 to 1.51.2 (#2984) Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.51.1 to 1.51.2. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.51.1...bigquery/v1.51.2) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/tools from 0.9.0 to 0.9.1 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.0 to 0.9.1. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.0...v0.9.1) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :bug: Update osv-scanner dependency to include Vulnerabilities check fixes (#2981) * Update osv-scanner dependency to include Vulnerabilities check fixes Signed-off-by: Laurent Savaëte <laurent@where.tf> * Run go mod tidy Signed-off-by: Laurent Savaëte <laurent@where.tf> --------- Signed-off-by: Laurent Savaëte <laurent@where.tf> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/docker/distribution in /tools (#2993) Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible. - [Release notes](https://github.com/docker/distribution/releases) - [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2) --- updated-dependencies: - dependency-name: github.com/docker/distribution dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Gitlab: e2e test fixes in main (#2992) * test secret chagnes Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update score Signed-off-by: Raghav Kaul <raghavkaul@google.com> * address cr comments Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests log/log.go (#2980) - Add unit tests for the log package - Add Apache License to log_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/cloudflare/circl in /tools (#2995) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.2.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.2.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :sparkles: Add releasing workflow for semantic-release (#2989) Signed-off-by: Matt Travi <programmer@travi.org> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0 Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/slsa-framework/slsa-verifier/releases) - [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md) - [Commits](https://github.com/slsa-framework/slsa-verifier/compare/v2.2.0...v2.3.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-verifier dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#2994) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934) * :seedling: Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: E2E for clients/githubrepo/contributors.go (#2939) * :seedling: E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: Clarify that AI/ML doesn't count as human code review (#2953) * Clarify that AI/ML doesn't count as human code review Add this clarification per the Scorecards Zoom call meeting today (2023-05-04). Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> * Tweaked per review Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> --------- Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/controller Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/worker Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `31a8f92` to `685a22e` Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/webhook Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Clarify AI/ML not human code review - in .yml file (#3012) This clarifies that AI/ML doesn't count as human code review. This was earlier done in #2953 but that didn't modify the relevant .yml file - this does. Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0. - [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for checks/raw/maintained.go (#2996) - Add tests and checks for the `Maintained` function - Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/894ff025c7b54547a9a2a1e9f228beae737ad3c2...eaaf4bedf32dbdc6b720b63067d99c4d77d6047d) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for Policy.go (#3003) - Included tests for policy.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/204a51a57a74d190b284a0ce69b44bc37201f343...03d0fecf172873164a163bbc64bed0f3bf114ed7) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/google/go-containerregistry (#3025) Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1 Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Included e2e tests for push to main (#2951) - Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Included directories that don't require coverage (#3002) - Included directories that don't require coverage. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for checks/raw/contributors.go (#2998) - Add tests and fix casing for Contributors function in checks/raw/contributors_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ GitLab: Code Review check (#2764) * Add GitLab support for Code-Review check Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove spurious printf Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Working commit Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * e2e test Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update: test coverage Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * gitlab: license check (#2834) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/google/osv-scanner Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/commits/v1.3.3) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/03d0fecf172873164a163bbc64bed0f3bf114ed7...dd6b2e2b610a11fd73dd187a43d57cc1394e35f9) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump arduino/setup-protoc from 1.1.2 to 1.2.0 Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0. - [Release notes](https://github.com/arduino/setup-protoc/releases) - [Commits](https://github.com/arduino/setup-protoc/compare/64c0c85d18e984422218383b81c52f8b077404d3...4b3578161eece2eb20a9dfd84bb8ed105e684dba) --- updated-dependencies: - dependency-name: arduino/setup-protoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :sparkles: Add support for github GHES (#2999) * :sparkles: adding support for github GHES Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: lint and cleanup Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: flaky test Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: address missing host Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: lint error Signed-off-by: Niket Patel <patelniket@gmail.com> * :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934) * :seedling: Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniket@gmail.com> * :seedling: E2E for clients/githubrepo/contributors.go (#2939) * :seedling: E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniket@gmail.com> * chore: add GHES instructions Signed-off-by: Niket Patel <patelniket@gmail.com> * refact: use test setenv Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: corp unit test Signed-off-by: Niket Patel <patelniket@gmail.com> --------- Signed-off-by: Niket Patel <patelniket@gmail.com> Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniketm@users.noreply.github.com> Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Change Facilitators to Maintainers (#3039) Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS. Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder. Signed-off-by: Jeff Mendoza <jlm@jlm.name> Signed-off-by: Avishay <avishay.balter@gmail.com> * :bug: Gitlab: Commit/Commitor Exceptions (#3026) * feat: Added paging for contributor/users against gitlab projects Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Updated the bot flag for unmatched users Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Not all commit users are in the git registry instance Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char. Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Updated to allow for commits with PRs to be accounted/added to the client.commits Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Updated to prevent linting issue regarding nested if's Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Adding coverage for commits and contributors for gitlab Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Moved queries from the client to their own functions Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Need to pass the ProjectID value to the contributor query Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updating project title versus projectID values for api querying Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Updated tests to match expected property set for projectID Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * revert: Reverted based on feedback during review Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> --------- Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: Make all StepSecurity app endpoint references consistent (#3042) Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io> Signed-off-by: Avishay <avishay.balter@gmail.com> * 📖 Update checks.md to show the benefit of >=2 reviewers (#3013) * Update checks.yaml instead of cehcks.md Signed-off-by: Joyce <joycebrum@google.com> * feat: generate checks.md Signed-off-by: Joyce Brum <joycebrum@google.com> --------- Signed-off-by: Joyce <joycebrum@google.com> Signed-off-by: Joyce Brum <joycebrum@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Improve workflow pinning remediation tests (#3021) - Add 3 tests for workflow pinning remediation [remediation/remediations_test.go] - Add 3 tests for workflow pinning remediation Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go (#3000) * :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go - Included e2e tests for clients/githubrepo/languages_e2e_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed the token type check. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for pkg/json_raw_results (#3044) * :seedling: Unit tests for pkg/json_raw_results.go - Unit tests for pkg/json_raw_results.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Additional tests Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * add zoom link and agenda link (#3050) Signed-off-by: Amanda L Martin <hythloda@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Run E2E PAT test for push to main (#3046) - Add E2E PAT tests for push to main. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Update main.yml (#3054) -Fixed the YAML indenting issue. Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * only run e2e pat on push (#3056) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: :ghost: fix anchor link to the code review section (#3058) * fix anchor link to code-review in checks.yaml Signed-off-by: dasfreak <dasfreak@users.noreply.github.com> Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> * generate checks.md Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> --------- Signed-off-by: dasfreak <dasfreak@users.noreply.github.com> Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Gitlab: Tests (#3027) * fix tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * use projectID instead of project where applicable Signed-off-by: Raghav Kaul <raghavkaul@google.com> * pass ref as listcommitoption Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update tests * CI-Tests: check if score > 0. pull request client is limited and can't go back to arbitrary pull requests. CI-Tests don't run on forks, so this can't be pinned either. But, for active repositories, we typically expect *some* tests to be run Signed-off-by: Raghav Kaul <raghavkaul@google.com> * fix commitshandler commitSHA tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/goreleaser/nfpm/v2 in /tools (#3060) Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0. - [Release notes](https://github.com/goreleaser/nfpm/releases) - [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml) - [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0) --- updated-dependencies: - dependency-name: github.com/goreleaser/nfpm/v2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Gitlab: Add projects to cron (#2936) * cron: add gitlab projects * support gitlab client * simplify gitlab detection Signed-off-by: Raghav Kaul <raghavkaul@google.com> * fix MakeGitlabRepo * shortcut when repo url is github.com * fixes add-projects, validate-projects Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Move gitlab repos to release controller Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add csv headers Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Use gitlab.WithBaseURL Signed-off-by: Raghav Kaul <raghavkaul@google.com> * formatting & logging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * remove spurious test Signed-off-by: Raghav Kaul <raghavkaul@google.com> * consolidate logic Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Turn on experimental flag Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add projects Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Update client Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Simplify caching in docker workflow (#3061) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...f0e3dfb30302f8a0881bb509b044e0de4f6ef589) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065) Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 gitlab: cron (#3070) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/f0e3dfb30302f8a0881bb509b044e0de4f6ef589...0225834cc549ee0ca93cb085b92954821a145866) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/b2d17f51244a144849c6b37a3a6791b98a51d86f...25eaddf37ae893cec889065e9a60439c8af6f089) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Gitlab status updates (#3052) * doc: Updating gitlab support validation status Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updated logic for gitlab to prevent exceptions based on releases Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Added initial tests for gitlab branches Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * doc: Updated general README Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Cleaned up the query for pipelines to be focused on the commitID Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * feat: Allowed for a non-graphql method of retrieving MRs associated to a commit Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * doc: Updated status for the CI-Tests Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository. Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> --------- Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079) Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0. - [Release notes](https://github.com/sigstore/rekor/releases) - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * get nuget latest version from registration URL Signed-off-by: Avishay <avishay.balter@gmail.com> * better coverage Signed-off-by: Avishay <avishay.balter@gmail.com> * sign Signed-off-by: Avishay <avishay.balter@gmail.com> * fix tests Signed-off-by: Avishay <avishay.balter@gmail.com> * more tests Signed-off-by: Avishay <avishay.balter@gmail.com> * client tests Signed-off-by: Avishay <avishay.balter@gmail.com> * lint Signed-off-by: Avishay <avishay.balter@gmail.com> * Apply suggestions from code review Co-authored-by: Joel Verhagen <joel.verhagen@gmail.com> Signed-off-by: Avishay Balter <avishay.balter@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `685a22e` to `690e413` (#3080) Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/cii Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/controller Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/worker Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang in /cron/internal/webhook Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/bq Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089) Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0. - [Release notes](https://github.com/arduino/setup-protoc/releases) - [Commits](https://github.com/arduino/setup-protoc/compare/4b3578161eece2eb20a9dfd84bb8ed105e684dba...149f6c87b92550901b26acd1632e11c3662e381f) --- updated-dependencies: - dependency-name: arduino/setup-protoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/25eaddf37ae893cec889065e9a60439c8af6f089...cf4fe8759a45edd76ed6215da3529d2dbd2a3c68) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * pr iteration 2 Signed-off-by: Avishay <avishay.balter@gmail.com> * pr iteration 3 Signed-off-by: Avishay <avishay.balter@gmail.com> * switch security policy e2e test to ossf-tests repo. (#3090) tensorflow/tensorflow is huge and was slowing down tests. Also removed the rust e2e tests because they're already present as unit tests. Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/cf4fe8759a45edd76ed6215da3529d2dbd2a3c68...5978e5a2df95ef20cde627d4acb5edd1f87ba46a) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/tools from 0.9.1 to 0.9.2 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ GitLab: enable more checks in cron (#3097) * Enable checks * Binary-Artifacts * Code-Review * License * Vulnerabilities Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Enable more checks * CII Best Practices * Fuzzing * Maintained * Packaging * Pinned-Dependencies * Signed-Releases Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update repo name Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :book: agenda link change (#3111) Signed-off-by: Amanda L Martin <hythloda@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/5978e5a2df95ef20cde627d4acb5edd1f87ba46a...5d2fcdb4cbef720a52f49fd05d8c7edd18a64758) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump golang.org/x/tools from 0.9.2 to 0.9.3 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Unit tests for option (#3109) - Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format - Add tests for checks to run and format flags Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 GitLab: add gitlab auth token to cron worker env (#3117) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Don't run pat e2e on dependabot merges (#3119) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Detect fast-check PBT library for fuzz section (#3073) * ✨ Detect fast-check PBT library for fuzz section As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution. I also adapted the documentation related to fuzzing accordingly. Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Typo Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Update missing md files Signed-off-by: Nicolas DUBIEN <github@dubien.org> --------- Signed-off-by: Nicolas DUBIEN <github@dubien.org> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: temporarily disable failing e2e tests so we don't block all PRs. (#3130) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * pr comments Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * i:seedling: Ignore all pb files for test (#3127) - Update .codecov.yml to ignore additional files Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Deprecate dependencydiff package and add access token requirement (#3125) - Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function - Add a line to the `.codecov.yml` to ignore the `dependencydiff` package Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ [experimental] Support for new `--format probe` (#3048) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump distroless/base (#3122) Bumps distroless/base from `10985f0` to `c623859`. --- updated-dependencies: - dependency-name: distroless/base dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Ignore deprecation warning for dependencydiff tests. (#3136) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.15 to 36.0.18 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/5d2fcdb4cbef720a52f49fd05d8c7edd18a64758...07e0177b72d3640efced741cae32f9861eee1367) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4 Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8 Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139) Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Increase test coverage for finding outcomes (#3142) * Increase test coverage for finding outcomes - Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Updates based on Codereview - Update `Outcome` variable in `finding/finding_test.go` - Add `t.Parallel()` for test parallelization - Add comparison using `cmp.Diff` to test for mismatches - Update test cases for various outcomes Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/07e0177b72d3640efced741cae32f9861eee1367...fb20f4d24890fadc539505b1746d260504b213d0) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * :seedling: Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144) * re-enable skipped ci test Signed-off-by: Spencer Schrock <sschrock@google.com> * re-enable skipped attestor test. switch to ossf-tests repo Signed-off-by: Spencer Schrock <sschrock@google.com> * remove extra policies from tests that only look at code review. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unneeded policies from binary artifact tests. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * add license header Signed-off-by: Avishay <avishay.balter@gmail.com> * pr comments Signed-off-by: Avishay <avishay.balter@gmail.com> * making the packages internal Signed-off-by: Avishay <avishay.balter@gmail.com> * generate mocks Signed-off-by: Avishay <avishay.balter@gmail.com> --------- Signed-off-by: Avishay <avishay.balter@gmail.com> Signed-off-by: Avishay Balter <avishay.balter@gmail.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
What kind of change does this PR introduce?
(Is it a bug fix, feature, docs update, something else?)
As suggested at #2792 (comment), we add support for the detection of fast-check as a possible fuzzing solution.
I also adapted the documentation related to fuzzing accordingly.
What is the current behavior?
The JavaScript/TypeScript property based testing library called fast-check was nor recognized as being a valid fuzzing system. This PR makes sure that it will be an acceptable fuzzing option.
What is the new behavior (if this is a feature change)?**
Which issue(s) this PR fixes
Suggested at #2792 (comment), but not fixing the issue itself.
Special notes for your reviewer
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to
the
release-note
(In particular, describe what changes users might need to make in their
application as a result of this pull request.)