✨ broaden job matcher for semantic release #3506
Signed-off-by: secustor <sebastian@poxhofer.at>
6f2fea1 to 7ceeeb8
Codecov Report

@@            Coverage Diff             @@
##             main    #3506      +/-   ##
==========================================
- Coverage   75.00%   67.68%   -7.33%
==========================================
  Files         188      188
  Lines       13432    13432
==========================================
- Hits        10075     9091     -984
- Misses       2797     3844    +1047
+ Partials      560      497      -63
The linter seems to have simply timed out.

New contributors require a maintainer to approve the CI/CD run, which I've pushed. So it's running now.
…pm and yarn Signed-off-by: secustor <sebastian@poxhofer.at>
…easing' into feat/broaden-job-matcher-for-releasing
Thanks
* feat: broaden job matcher for semantic release
  Signed-off-by: secustor <sebastian@poxhofer.at>
* tests(checks/permissions): add tests for semantic release if using pnpm and yarn
  Signed-off-by: secustor <sebastian@poxhofer.at>
---------
Signed-off-by: secustor <sebastian@poxhofer.at>
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* feat: broaden job matcher for semantic release
  Signed-off-by: secustor <sebastian@poxhofer.at>
* tests(checks/permissions): add tests for semantic release if using pnpm and yarn
  Signed-off-by: secustor <sebastian@poxhofer.at>
---------
Signed-off-by: secustor <sebastian@poxhofer.at>
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* :seedling: Remove go.mod replaces (#3440)
  * remove old replace directives.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * Remove dgrijalva/jwt-go replace. Project now maintained at github.com/golang-jwt/jwt. So it's unused.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * remove replace on unused github.com/buger/jsonparser
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * remove unused github.com/gorilla/handlers replace.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * remove unused github.com/miekg/dns
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * remove unused github.com/ulikunitz/xz
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * remove unused github.com/satori/go.uuid
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * replace directive no longer needed for github.com/opencontainers/image-spec.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * potentially unneeded replace for github.com/emicklei/go-restful
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * potentially unneeded replace for github.com/docker/distribution
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  ---------
  Signed-off-by: Spencer Schrock <sschrock@google.com>

* :seedling: Bump actions/cache from 3.3.1 to 3.3.2 (#3463)
  Bumps [actions/cache](https://github.com/actions/cache) from 3.3.1 to 3.3.2.
  - [Release notes](https://github.com/actions/cache/releases)
  - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
  - [Commits](https://github.com/actions/cache/compare/88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8...704facf57e6136b1bc63b828d79edcd491f0ee84)
  ---
  updated-dependencies:
  - dependency-name: actions/cache
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#3459)
  Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.2 to 3.1.3.
  - [Release notes](https://github.com/actions/upload-artifact/releases)
  - [Commits](https://github.com/actions/upload-artifact/compare/0b7f8abb1508181956e8e162db84b466c27e18ce...a8a3f3ad30e3422c9c7b888a15615d19a852ae32)
  ---
  updated-dependencies:
  - dependency-name: actions/upload-artifact
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#3461)
  Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.8 to 3.1.0.
  - [Release notes](https://github.com/actions/dependency-review-action/releases)
  - [Commits](https://github.com/actions/dependency-review-action/compare/f6fff72a3217f580d5afd49a46826795305b63c7...6c5ccdad469c9f8a2996bfecaec55a631a347034)
  ---
  updated-dependencies:
  - dependency-name: actions/dependency-review-action
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump tj-actions/changed-files from 39.0.0 to 39.0.2 (#3470)
  Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.0.0 to 39.0.2.
  - [Release notes](https://github.com/tj-actions/changed-files/releases)
  - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
  - [Commits](https://github.com/tj-actions/changed-files/compare/48566bbcc22ceb7c5809ebdd27377309f2c3de8c...6ee9cdc5816333acda68e01cf12eedc619e28316)
  ---
  updated-dependencies:
  - dependency-name: tj-actions/changed-files
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump github.com/bradleyfalzon/ghinstallation/v2 (#3467)
  Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.6.0 to 2.7.0.
  - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases)
  - [Commits](https://github.com/bradleyfalzon/ghinstallation/compare/v2.6.0...v2.7.0)
  ---
  updated-dependencies:
  - dependency-name: github.com/bradleyfalzon/ghinstallation/v2
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump cloud.google.com/go/bigquery from 1.54.0 to 1.55.0 (#3471)
  Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.54.0 to 1.55.0.
  - [Release notes](https://github.com/googleapis/google-cloud-go/releases)
  - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
  - [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.54.0...bigquery/v1.55.0)
  ---
  updated-dependencies:
  - dependency-name: cloud.google.com/go/bigquery
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ✨ Support Branch-Protection via GitHub Repository Rules (#3354)
  * repo rulesets via v4 api
    Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com>
  * good enough fnmatch implementation.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * good enough rulesMatchingBranch
    Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com>
  * apply matching repo rules to branch protection settings
    Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com>
  * rules: consider admins and require checks
    Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com>
  * non-structural changes from PR feedback
    Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com>
  * fetch default branch name during repo rules query
    Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com>
  * Testing applyRepoRules
    Tests assume a single rule is being applied to a branch, which might be guarded by a legacy branch protection rule. I think this logic gets problematic when there are multiple rules overlaid on the same branch: the "the existing rules does not enforce for admins, but I do and therefore this branch now does" will give false positives.
    Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com>
  * Test_applyRepoRules: builder and standardize names
    Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com>
  * attempt to upgrade/downgrade EnforceAdmins as each rule is applied
    Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com>
  * simplify enforce admin for now.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * handle merging pull request reviews
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * handle merging check rules
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * handle last push approval
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * handle linear history
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * use constants for github rule types.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * add status check test.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * add e2e test for repo rules.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * handle nil branch name data
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * add tracking issue.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * fix precedence in if statement
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * include repo rules in the check docs.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  ---------
  Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com>
  Signed-off-by: Spencer Schrock <sschrock@google.com>
  Co-authored-by: Spencer Schrock <sschrock@google.com>

* 🌱 workflows/stale: Update workflow to increase operations-per-run to process more issues (#3483)
  * Update workflow to increase operations per run to process more issues
  * 🌱 workflows/stale: Increased operations-per-run from default and reduced days to close stale issues

* Update URI() for GitLab repos. Add fuzzing test (#3477)
  Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* :bug: Print Info in Empty Repo Scans (#3426)
  * issue 2157 changes
    Signed-off-by: leec94 <leec94@bu.edu>
  * incorporated feedback
    Signed-off-by: leec94 <leec94@bu.edu>
  * making the linter happy
    Signed-off-by: leec94 <leec94@bu.edu>
  * changing to local variable, testing still not working
    Signed-off-by: leec94 <leec94@bu.edu>
  * update tests to ignore date
    Signed-off-by: leec94 <leec94@bu.edu>
  * ran through linter
    Signed-off-by: leec94 <leec94@bu.edu>
  * resolving suggestions
    Signed-off-by: leec94 <leec94@bu.edu>
  ---------
  Signed-off-by: leec94 <leec94@bu.edu>

* :seedling: Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 (#3478)
  Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 4.6.0 to 5.0.0.
  - [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
  - [Commits](https://github.com/goreleaser/goreleaser-action/compare/5fdedb94abba051217030cc86d4523cf3f02243d...7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8)
  ---
  updated-dependencies:
  - dependency-name: goreleaser/goreleaser-action
    dependency-type: direct:production
    update-type: version-update:semver-major
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump github.com/go-git/go-git/v5 from 5.8.1 to 5.9.0 (#3479)
  Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.8.1 to 5.9.0.
  - [Release notes](https://github.com/go-git/go-git/releases)
  - [Commits](https://github.com/go-git/go-git/compare/v5.8.1...v5.9.0)
  ---
  updated-dependencies:
  - dependency-name: github.com/go-git/go-git/v5
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump github.com/google/osv-scanner from 1.3.6 to 1.4.0 (#3481)
  Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.6 to 1.4.0.
  - [Release notes](https://github.com/google/osv-scanner/releases)
  - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
  - [Commits](https://github.com/google/osv-scanner/compare/v1.3.6...v1.4.0)
  ---
  updated-dependencies:
  - dependency-name: github.com/google/osv-scanner
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump tj-actions/changed-files from 39.0.2 to 39.1.0 (#3488)
  Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.0.2 to 39.1.0.
  - [Release notes](https://github.com/tj-actions/changed-files/releases)
  - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
  - [Commits](https://github.com/tj-actions/changed-files/compare/6ee9cdc5816333acda68e01cf12eedc619e28316...8e79ba7ab9fee9984275219aeb2c8db47bcb8a2d)
  ---
  updated-dependencies:
  - dependency-name: tj-actions/changed-files
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :book: Add webviewer link (#3490)
  * Update README.md: Add link to webviewer
  * Update faq.md: Update webviewer link in FAQ
  * Update README.md: Typo
  * Update faq.md: Linebreak

* 🌱 workflows/stale: Remove issue auto-close (#3493)

* :seedling: Reduce confusion around codecov check status. (#3492)
  With our current upload setup, it will always show a drop of 6-7%. This is confusing to contributors, so make the check always pass. Also fixes the threshold for the patch coverage.
  Signed-off-by: Spencer Schrock <sschrock@google.com>

* :book: Add gitlab links to viewer example (#3494)
  * Update README.md
    Signed-off-by: olivekl <olivekl@google.com>
  * Update faq.md
    Signed-off-by: olivekl <olivekl@google.com>
  ---------
  Signed-off-by: olivekl <olivekl@google.com>

* :bug: Fix npe for GitLab repos without license API data (#3500)
  Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* :seedling: Bump tj-actions/changed-files from 39.1.0 to 39.1.2 (#3504)
  Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.1.0 to 39.1.2.
  - [Release notes](https://github.com/tj-actions/changed-files/releases)
  - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
  - [Commits](https://github.com/tj-actions/changed-files/compare/8e79ba7ab9fee9984275219aeb2c8db47bcb8a2d...41960309398d165631f08c5df47a11147e14712b)
  ---
  updated-dependencies:
  - dependency-name: tj-actions/changed-files
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump actions/checkout from 4.0.0 to 4.1.0 (#3511)
  Bumps [actions/checkout](https://github.com/actions/checkout) from 4.0.0 to 4.1.0.
  - [Release notes](https://github.com/actions/checkout/releases)
  - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
  - [Commits](https://github.com/actions/checkout/compare/3df4ab11eba7bda6032a0b82a6bb43b11571feac...8ade135a41bc03ea155e62e844d188df1ea18608)
  ---
  updated-dependencies:
  - dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :sparkles: scdiff: add basic stats command to count scores by buckets (#3458)
  * wip
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * output via tabwriter
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * specify by check.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * Return aggregate score when unmarshalling.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * convert from score to bucket in one place. use aggregate score from func
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * fix forgotten usage of ExperimentalFromJSON2
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * use sentinel errors.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * move counting to own func for testability
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * remove unneeded fields from results for readability.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * add test for parse errors.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * share max result size for any bufio.Scanner which reads results.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * add basic overall test for calcing stats.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * make missing file argument generic.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * validate min args with cobra.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  ---------
  Signed-off-by: Spencer Schrock <sschrock@google.com>

* :seedling: Switch test import to remove gotest.tools dependency. (#3501)
  Signed-off-by: Spencer Schrock <sschrock@google.com>

* :bug: Set repo commit SHA in results after fetching successfully. (#3514)
  Signed-off-by: Spencer Schrock <sschrock@google.com>

* :seedling: Don't close stale issues explicitly (#3513)
  Issues are still getting closed after https://github.com/ossf/scorecard/pull/3493. I assume there's a default value being used somewhere.
  Signed-off-by: Spencer Schrock <sschrock@google.com>

* :sparkles: Move "EnforcesAdmins" to tier 5 Branch-Protection (#3502)
  * Remove EnforceAdmins from tier 1.
    Scores in some tests either increase to 3, or 4, since EnforceAdmins no longer keeps them in tier 1. The number of Debug, Info, and Warn messages will decrease by 1 per branch, since we're no longer logging them.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * move enforce admins to tier 5.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  ---------
  Signed-off-by: Spencer Schrock <sschrock@google.com>

* :bug: Pinned-Dependencies: only score detected ecosystems (#3436)
  * feat: Define if dependency is pinned or unpinned
    Add a field Pinned to Dependency structure. Update to save Dependencies pinned and unpinned. Not only unpinned ones. All download then run executions are considered unpinned. Because there is no remediation to pin them. For package manager downloads: add early return if there are no commands, separate package manager identification (go, npm, choco, pip) from decision if installation is pinned or unpinned. Change Go case "go get -d -v" considered pinned, to any Go installations containing "-d" to be considered pinned.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * refactor: Convert diff var types to pointer
    We need to add a new conversion of boolean to pointer. Currently, we had string and int conversions named asPointer but not used in the same file. In order to know when we are using which conversion and considering bool and string would have to be used in the same file, it was needed to differentiate the method names. New method names are asIntPointer, asStringPointer and soon asBoolPointer.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: Pinned Dependency field type
    Field needs to be a pointer to work when accessing values on evaluation.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * feat: Count pinned and unpinned deps
    We're changing the ecosystems result structure. The result structure previously stored if the ecosystem is fully pinned or not. The new result structure can tell how many dependencies of that ecosystem were found and how many were pinned. This change is necessary to ignore not applicable ecosystems on the final aggregated score. When iterating the dependencies, now we go through pinned and unpinned dependencies, not only unpinned, and in each iteration we update the result. We kept the behavior of only logging warnings for unpinned dependencies.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * feat: Flag not applicable ecosystems
    If no dependencies of an ecosystem are found, it results in an inconclusive score (-1). As in other checks, this means here that the ecosystem scoring is not applicable in this case. At the same time, we are keeping the scoring criteria the same. If all dependencies are pinned, it results in maximum score (10) and if 1 or more dependencies are unpinned, it results in a minimum score (0) for that ecosystem. GitHub workflow cases are handled differently but the idea is the same. We are also adding a log to know when an ecosystem was not found.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * feat: Score only applicable ecosystems
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * feat: If no dependencies then create inconclusive score
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * test: GitHub Actions score and logs
    Change test from `createReturnValuesForGitHubActionsWorkflowPinned` function to `createReturnForIsGitHubActionsWorkflowPinned` wrapper function so we can test logs. We have adjusted the existing test cases and included new test cases.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * test: Pinned dependencies score
    Break "various warnings" tests into smaller tests for pinned and unpinned dependencies and how they react to warn and debug messages. Plus add tests for how the score is affected when all dependencies are pinned, when no dependencies are pinned, when there are no dependencies, and partial dependencies pinned. Also, how dependencies unpinned in 1 or multiple ecosystems affect the warn messages, add one unpinned case for each ecosystem to see if they are being detected and separate the download then run 2 possible cases, which are currently scoring and logging wrong due to a bug.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * test: Ecosystems score and logs
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * test: Remove deleted maxScore function test
    When we changed the scoring method to ignore not applicable scores, we removed the normalization of inconclusive scores to 0. The normalization was done by `maxScore` function, that was deleted in the process.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * test: Adding GitHub Actions dependencies to result
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * test: Update GitHub Actions result
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * test: Update pip installs result
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: Handle if nuget dependency is pinned or unpinned
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * tests: Fix check warnings for unpinned dependencies
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: Linter errors
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: GitHub Actions pinned log
    If, for example, you have GitHub-owned actions and no Third-party actions, you should receive a "no Third-party actions found" log and not receive an "all Third-party actions are pinned" log. At the same time, you deserve the score of pinning Third-party to complement the GitHub-owned score.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * test: Fix "ossf-tests/scorecard-check-pinned-dependencies-e2e"
    The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions, only GitHub-owned actions, which are unpinned, no npm installs, multiple go installs all pinned, and all other dependency types are unpinned. This gives us 8 for actionScore, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 28/7 =~ 4, and now the total score is 18/6 =~ 3. The number of logs remains the same. The "all Third-party actions are pinned" will be replaced by "no Third-party actions found", which is more realistic info, and the same thing for npm installs.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * Revert rename `asPointer` to `asStringPointer`
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: Handle deps with parsing error and undefined pinning
    When a dependency has a parsing error it ends up with a `Msg` field. In this case, the dependency should not count in the final score, so we should not `updatePinningResults` in this case. Also, to continue with the evaluation calculation, we need to make sure the dependencies have a `Pinned` state. Here we are adding this validation for it along with a debug log.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * test: Delete unnecessary test
    We already have a separate test for if 1 unpinned dependency shows a warn message, and 2 cases for when dependencies have errors and show a debug message.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * test: Add missing dep Location cases
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: Simplify Dockerfile pinned as name logic
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: If ecosystem is not found show debug log
    If ecosystem is not found show debug log, not info log. This affects the tests, all not found ecosystems will "move" from info logs to debug logs. We are also complementing the `all dependencies pinned` and `all dependencies unpinned` cases so we have the max score case and the min score case using all kinds of dependencies.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * test: Fix e2e tests and more unit tests
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * feat: Iterate all dependency types for final score
    Now we iterate all existing dependency types in the final score. This will fix the problem of new ecosystems not being counted in the final score because we needed to update the evaluation part. This also fixes the problem of download then run being counted twice for the score. Now, we only have debug logs when there are errors with the dependency metadata. That means we don't log anymore when dependencies of an ecosystem are not found. We changed the info log format when dependencies are all pinned. We simplified the calculation of the scores. We removed unused error returns. And now we only iterate existing ecosystems. If an ecosystem is not found we will not iterate it.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * feat: Proportional score
    We count all pinned dependencies over the total found dependencies of all ecosystems for the final score. But, we still want to give low priority to GHA GitHub-owned dependencies over GHA third-party dependencies. That's why we are doing a weighted proportional score: all ecosystems have a normal weight of 10 but GHAs have a weight. If you only have GitHub-owned, it will count as 10, because GHA don't weigh less than other ecosystems. Same for GHA third-party, if you only have GHA third-party, it will also count as 10, because GHAs don't weigh less than other ecosystems. But if you have both GHA GitHub-owned and third-party, GitHub-owned count less than third-party. Trying to keep the same weight as before, GitHub-owned weighs 8 and third-party weighs 2. These weights will make the score be more penalized if you have unpinned third-party and less penalized if you have unpinned GitHub-owned.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: GHA weights in proportional score
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * test: Fix scores and logs checking
    Add new cases for GHA scores since it's weighted differently now. Remove `createReturnValues` test since the function was removed. Fix current tests to adjust number of logs since we don't log if all dependencies are pinned or not anymore. Fix partially pinned score.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * test: Fix e2e test
    The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions, only GitHub-owned actions, which are unpinned, no npm installs, multiple go installs all pinned, and all other dependency types are unpinned. This gives us 8 for GHA ecosystem, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 18/6 =~ 3. Now, we count 5/6 GitHub-owned GHA pinned, 23/36 containerImage pinned, 0/88 downloadThenRun pinned, 2/49 pipCommand pinned, 17/17 goCommand pinned. This results in 47/186 pinned dependencies which results in 2.5 score, that is rounded down to 2. Plus, the number of info logs was reduced since we don't log info for "all pinned dependencies in X ecosystem" anymore.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * refactor: Rename to ProportionalScoreWeighted
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * refactor: Var declarations to create proportional score
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: Remove unnecessary pointer
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: Dependencies priority declaration
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: Ecosystem spelling
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: Handle 0 weight and 0 total when creating proportional weighted score
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: Revert -d flag identification change
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: npm ci command is npm download and is pinned
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: Linter errors
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: Unexport error variable to other packages
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * refactor: Simplify no score groups condition
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * feat: Log proportion of dependencies pinned
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * test: Fix unit tests to include info logs
    The number of info logs should be the same as the number of identified ecosystems. GitHub-owned GitHubAction and third-party GitHubAction count as different ecosystems.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * test: Fix e2e tests to include info logs
    The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has GitHub-owned GitHubActions, containerImage, downloadThenRun, pipCommand and goCommand dependencies. Therefore it will have 5 Info logs, one for each ecosystem.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: Linter error
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  ---------
  Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* :seedling: Bump github.com/onsi/ginkgo/v2 in /tools (#3497)
  Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.0 to 2.12.1.
  - [Release notes](https://github.com/onsi/ginkgo/releases)
  - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
  - [Commits](https://github.com/onsi/ginkgo/compare/v2.12.0...v2.12.1)
  ---
  updated-dependencies:
  - dependency-name: github.com/onsi/ginkgo/v2
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.12.0 to 2.12.1 (#3496)
  Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.0 to 2.12.1.
  - [Release notes](https://github.com/onsi/ginkgo/releases)
  - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
  - [Commits](https://github.com/onsi/ginkgo/compare/v2.12.0...v2.12.1)
  ---
  updated-dependencies:
  - dependency-name: github.com/onsi/ginkgo/v2
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump github.com/xanzy/go-gitlab from 0.91.1 to 0.92.1 (#3517)
  Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.91.1 to 0.92.1.
  - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
  - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.91.1...v0.92.1)
  ---
  updated-dependencies:
  - dependency-name: github.com/xanzy/go-gitlab
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* 📖 Update docs for Signed-Releases check (#3469)
  * Update docs for signed-releases
    Signed-off-by: Raghav Kaul <raghavkaul@google.com>
  * update docs
    Signed-off-by: Raghav Kaul <raghavkaul@google.com>
  ---------
  Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* :seedling: Bump github.com/rhysd/actionlint from 1.6.15 to 1.6.26 (#3489)
  * bump actionlint.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * fix unit tests.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  * include latest update.
    Signed-off-by: Spencer Schrock <sschrock@google.com>
  ---------
  Signed-off-by: Spencer Schrock <sschrock@google.com>

* :seedling: Bump github.com/onsi/gomega from 1.27.10 to 1.28.0 (#3523)
  Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.10 to 1.28.0.
  - [Release notes](https://github.com/onsi/gomega/releases)
  - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
  - [Commits](https://github.com/onsi/gomega/compare/v1.27.10...v1.28.0)
  ---
  updated-dependencies:
  - dependency-name: github.com/onsi/gomega
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ✨ Add --output argument to write results to file (#3482)
  * feat: Create output file argument
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * feat: Write results to output file
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * fix: Default results format output
    Print results headline to output, which may be a file.
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
  * feat: Log start and end of checks work to console
    Independent of the logs being output to console or a file, the information on which checks are running is still relevant. Now, we always log this info to the console.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix options unit tests Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Output option content and shorthand Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Output to file with correct format Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix helper function with linter error Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Define output to console or file inside FormatResults Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Remove intermediate variable to define output Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix error log Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Close output file before write results Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix unit test Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix remove file even if test fails Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix fail test cases Fail test if cannot format results or cannot read real or expected outputs. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Copyright notice year and license header spacing Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Rename Output to ResultsFile Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Linter errors Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * Revert "feat: Log start and end of checks work to console" This reverts commit c4a00a5ca7268d91940dd2784277373e630fcad2. 
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Print results headline in default format Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix default format result test Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Close output only when it's file Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Linter error Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> --------- Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * :seedling: Bump step-security/harden-runner from 2.5.1 to 2.6.0 (#3532) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.5.1 to 2.6.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/8ca2b8b2ece13480cda6dacd3511b49857a23c09...1b05615854632b887b69ae1be8cbefe72d3ae423) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump tj-actions/changed-files from 39.1.2 to 39.2.1 (#3531) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.1.2 to 39.2.1. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/41960309398d165631f08c5df47a11147e14712b...db153baf731265ad02cd490b07f470e2d55e3345) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Fix race condition in output file test. (#3533) Signed-off-by: Spencer Schrock <sschrock@google.com> * :book: Fix documentation typos (#3505) * fix typo Signed-off-by: omahs <73983677+omahs@users.noreply.github.com> * fix typos Signed-off-by: omahs <73983677+omahs@users.noreply.github.com> * fix typo Signed-off-by: omahs <73983677+omahs@users.noreply.github.com> * fix typo Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: omahs <73983677+omahs@users.noreply.github.com> * fix typos Signed-off-by: omahs <73983677+omahs@users.noreply.github.com> --------- Signed-off-by: omahs <73983677+omahs@users.noreply.github.com> * :sparkles: broaden job matcher for semantic release (#3506) * feat: broaden job matcher for semantic release Signed-off-by: secustor <sebastian@poxhofer.at> * tests(checks/permissions): add tests for semantic release if using pnpm and yarn Signed-off-by: secustor <sebastian@poxhofer.at> --------- Signed-off-by: secustor <sebastian@poxhofer.at> * :seedling: Bump nick-invision/retry from 2.8.3 to 2.9.0 (#3519) Bumps [nick-invision/retry](https://github.com/nick-invision/retry) from 2.8.3 to 2.9.0. - [Release notes](https://github.com/nick-invision/retry/releases) - [Changelog](https://github.com/nick-fields/retry/blob/master/.releaserc.js) - [Commits](https://github.com/nick-invision/retry/compare/943e742917ac94714d2f408a0e8320f2d1fcafcd...14672906e672a08bd6eeb15720e9ed3ce869cdd4) --- updated-dependencies: - dependency-name: nick-invision/retry dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/xanzy/go-gitlab from 0.92.1 to 0.92.3 (#3528) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.92.1 to 0.92.3. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.92.1...v0.92.3) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/otiai10/copy from 1.12.0 to 1.14.0 (#3527) Bumps [github.com/otiai10/copy](https://github.com/otiai10/copy) from 1.12.0 to 1.14.0. - [Release notes](https://github.com/otiai10/copy/releases) - [Commits](https://github.com/otiai10/copy/compare/v1.12.0...v1.14.0) --- updated-dependencies: - dependency-name: github.com/otiai10/copy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/google/osv-scanner from 1.4.0 to 1.4.1 (#3536) Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.0 to 1.4.1. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/compare/v1.4.0...v1.4.1) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/xanzy/go-gitlab from 0.92.3 to 0.93.0 (#3537) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.92.3 to 0.93.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.92.3...v0.93.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :sparkles: scdiff: Limit generating results to specific checks (#3535) * accept checks arg when generating golden. Signed-off-by: Spencer Schrock <sschrock@google.com> * dont shadow import Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> * :seedling: Add probe test utility (#3541) Signed-off-by: AdamKorcz <adam@adalogics.com> * :seedling: Sort fields of raw results alphabetically (#3540) Signed-off-by: AdamKorcz <adam@adalogics.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> * :seedling: Bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#3544) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/08b4669551908b1024bb425080c797723083c031...483ef80eb98fb506c348f7d62e28055e49fe2398) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump golang.org/x/oauth2 from 0.12.0 to 0.13.0 (#3545) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.12.0 to 0.13.0. - [Commits](https://github.com/golang/oauth2/compare/v0.12.0...v0.13.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/xanzy/go-gitlab from 0.93.0 to 0.93.1 (#3546) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.93.0 to 0.93.1. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.93.0...v0.93.1) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump distroless/base from `27647a6` to `29da700` and golang from `ec457a2` to `e9ebfe9` (#3548) * bump distroless. Signed-off-by: Spencer Schrock <sschrock@google.com> * bump golang 1.21 Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> * :seedling: Bump cloud.google.com/go/bigquery from 1.55.0 to 1.56.0 (#3538) Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.55.0 to 1.56.0. 
- [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.55.0...bigquery/v1.56.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Add OutcomeNotApplicable (#3539) Signed-off-by: AdamKorcz <adam@adalogics.com> * :sparkles: Add additional fuzzing probes (#3473) * Extend with additional fuzzing probes Signed-off-by: David Korczynski <david@adalogics.com> * fix formatting Signed-off-by: David Korczynski <david@adalogics.com> * cleanup formatting Signed-off-by: David Korczynski <david@adalogics.com> * make skip testing optional Signed-off-by: David Korczynski <david@adalogics.com> * address reviews Signed-off-by: David Korczynski <david@adalogics.com> * add todo Signed-off-by: David Korczynski <david@adalogics.com> * nit Signed-off-by: David Korczynski <david@adalogics.com> * nit Signed-off-by: David Korczynski <david@adalogics.com> * add swift fuzzing probe Signed-off-by: David Korczynski <david@adalogics.com> * avoid changing OnMatchingFileContentDo Signed-off-by: David Korczynski <david@adalogics.com> * nit Signed-off-by: David Korczynski <david@adalogics.com> * undo matching file content extension Signed-off-by: David Korczynski <david@adalogics.com> * nit: fix constant Signed-off-by: David Korczynski <david@adalogics.com> * test all fileMatchPatterns per client Signed-off-by: David Korczynski <david@adalogics.com> * fix test logging counts Signed-off-by: David Korczynski <david@adalogics.com> * nit Signed-off-by: David Korczynski <david@adalogics.com> --------- Signed-off-by: David Korczynski <david@adalogics.com> * :book: fix "default" typo 
(#3543) Signed-off-by: guoguangwu <guoguangwu@magic-shield.com> * :seedling: checks/raw: fix struct alignment linter issue (#3550) Signed-off-by: Spencer Schrock <sschrock@google.com> * :seedling: Add map to Finding (#3558) Signed-off-by: AdamKorcz <adam@adalogics.com> * :seedling: Bump golang.org/x/net from 0.16.0 to 0.17.0 (#3563) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.16.0 to 0.17.0. - [Commits](https://github.com/golang/net/compare/v0.16.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump golang.org/x/net from 0.14.0 to 0.17.0 in /tools (#3562) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.14.0 to 0.17.0. - [Commits](https://github.com/golang/net/compare/v0.14.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Adding all Intel public GitHub repos (#3556) Signed-off-by: Ryan Ware <ryan.ware@intel.com> * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 (#3551) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.1 to 2.13.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.12.1...v2.13.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/onsi/ginkgo/v2 in /tools (#3552) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.1 to 2.13.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.12.1...v2.13.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#3557) Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.9 to 0.6.0. - [Release notes](https://github.com/google/go-cmp/releases) - [Commits](https://github.com/google/go-cmp/compare/v0.5.9...v0.6.0) --- updated-dependencies: - dependency-name: github.com/google/go-cmp dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump kubernetes-sigs/kubebuilder-release-tools (#3553) Bumps [kubernetes-sigs/kubebuilder-release-tools](https://github.com/kubernetes-sigs/kubebuilder-release-tools) from 0.3.0 to 0.4.0. 
- [Release notes](https://github.com/kubernetes-sigs/kubebuilder-release-tools/releases) - [Changelog](https://github.com/kubernetes-sigs/kubebuilder-release-tools/blob/master/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/kubebuilder-release-tools/compare/4f3d1085b4458a49ed86918b4b55505716715b77...d8367c29de8af903319d3a76de2436672515729b) --- updated-dependencies: - dependency-name: kubernetes-sigs/kubebuilder-release-tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :bug: Fix wrong quotes (#3565) Signed-off-by: AdamKorcz <adam@adalogics.com> * :seedling: Add new outcome to UnmarshalYAML (#3566) Signed-off-by: AdamKorcz <adam@adalogics.com> * :bug: scdiff: fix generate cmd when no --checks arg provided. (#3570) Signed-off-by: Spencer Schrock <sschrock@google.com> * :sparkles: scdiff: improve `compare` usability (#3573) * fallback to cron style when parsing dates. The cron output was never updated in #2712. In the interim, support both formats. Signed-off-by: Spencer Schrock <sschrock@google.com> * continue on first diff, to highlight all differences. Signed-off-by: Spencer Schrock <sschrock@google.com> * tests for date fallback. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> * :sparkles: Add fast-check test runners integrations (#3568) Signed-off-by: Pierre Cavin <me@sherlox.io> * :seedling: Bump github.com/bradleyfalzon/ghinstallation/v2 (#3575) Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.7.0 to 2.8.0. 
- [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](https://github.com/bradleyfalzon/ghinstallation/compare/v2.7.0...v2.8.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump tj-actions/changed-files from 39.2.1 to 39.2.3 (#3577) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.2.1 to 39.2.3. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/db153baf731265ad02cd490b07f470e2d55e3345...95690f9ece77c1740f4a55b7f1de9023ed6b1f87) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/google/ko from 0.14.1 to 0.15.0 in /tools (#3578) Bumps [github.com/google/ko](https://github.com/google/ko) from 0.14.1 to 0.15.0. - [Release notes](https://github.com/google/ko/releases) - [Changelog](https://github.com/ko-build/ko/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/ko/compare/v0.14.1...v0.15.0) --- updated-dependencies: - dependency-name: github.com/google/ko dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump actions/checkout from 4.1.0 to 4.1.1 (#3580) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8ade135a41bc03ea155e62e844d188df1ea18608...b4ffde65f46336ab88eb53be808477a3936bae11) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :bug: SAST detect new GitHub app slug for CodeQL (#3591) * Fix SAST no longer working for CodeQL The app slug for CodeQL appears to have changed from `github-advanced-security` to `github-code-scanning`, causing the SAST rule to false-negative on commits. Signed-off-by: martincostello <martin@martincostello.com> * Fix lint warning Fix lint warning. Signed-off-by: martincostello <martin@martincostello.com> --------- Signed-off-by: martincostello <martin@martincostello.com> * :seedling: enable the golangci-lint `bugs` preset (#3583) * enable bugs preset Signed-off-by: Spencer Schrock <sschrock@google.com> * fix noctx linter Signed-off-by: Spencer Schrock <sschrock@google.com> * fix bodyclose linter Signed-off-by: Spencer Schrock <sschrock@google.com> * fix contextcheck linter Signed-off-by: Spencer Schrock <sschrock@google.com> * This ignores all existing cases of musttag linter complaints. This analyzer seems useful in the future, but some of this code is old and I don't want to change it for existing code now. Signed-off-by: Spencer Schrock <sschrock@google.com> * ignore existing nilerr lints. 
This behavior is from the initial commit, and primarily affects metrics. Leaving as is, and hope to benefit from the linter in the future. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> * :seedling: use forbidigo linter to prevent print statements (#3585) * enable forbidigo for print statements. include reasoning as message exposed to developer. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove or grant exceptions for existing print statements Signed-off-by: Spencer Schrock <sschrock@google.com> * swap stdout to stderr Signed-off-by: Spencer Schrock <sschrock@google.com> * separate msg from regex for better readability. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> * :bug: scanning gitlab private repositories (#3596) * fix: Run for gitlab private repos Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: gitlab repo is accessible Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: linter error Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> --------- Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> * :seedling: Bump github.com/xanzy/go-gitlab from 0.93.1 to 0.93.2 (#3593) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.93.1 to 0.93.2. - [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.93.1...v0.93.2) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: Bump github.com/onsi/gomega from 1.28.0 to 1.28.1 (#3597) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.28.0 to 1.28.1. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.28.0...v1.28.1) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: add style linters: mirror, tenv, usestdlibvars (#3586) * fix tenv linter and bug with t.Parallel Signed-off-by: Spencer Schrock <sschrock@google.com> * fix usestdlibvars linter Signed-off-by: Spencer Schrock <sschrock@google.com> * fix mirror linter Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> * :seedling: enable gomoddirectives linter. (#3584) Signed-off-by: Spencer Schrock <sschrock@google.com> * :seedling: enable style linter `errname` (#3587) * enable errname linter Signed-off-by: Spencer Schrock <sschrock@google.com> * convert publish err to custom error type. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unused exported error. Signed-off-by: Spencer Schrock <sschrock@google.com> * convert unsupported exporter type to custom error type. Signed-off-by: Spencer Schrock <sschrock@google.com> * exempt public errors from linter. Signed-off-by: Spencer Schrock <sschrock@google.com> * exempt cron config errors from linter. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> * :seedling: remove unused osv helper tool. 
(#3572) This is a followup cleanup of d4b44e52eb9a104949f617a62cf47291d1ea2d99 (#2303). Signed-off-by: Spencer Schrock <sschrock@google.com> * :seedling: Bump github.com/golangci/golangci-lint in /tools (#3592) Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.54.2 to 1.55.0. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.54.2...v1.55.0) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * :seedling: GitLab: track coverage for gitlab e2e tests (#3601) Signed-off-by: Raghav Kaul <raghavkaul@google.com> * :seedling: Add license probe (#3465) * :seedling: Add license probe Signed-off-by: AdamKorcz <adam@adalogics.com> * [WIP] add two remaining license checks as probes Signed-off-by: AdamKorcz <adam@adalogics.com> * fix nits Signed-off-by: AdamKorcz <adam@adalogics.com> * Use Errorf in test Signed-off-by: AdamKorcz <adam@adalogics.com> * use zrunner Signed-off-by: AdamKorcz <adam@adalogics.com> * fix wrong return value Signed-off-by: AdamKorcz <adam@adalogics.com> * fix linting issues and remove empty default Signed-off-by: AdamKorcz <adam@adalogics.com> * fix double if statement Signed-off-by: AdamKorcz <adam@adalogics.com> * Remove struct field from test Signed-off-by: AdamKorcz <adam@adalogics.com> * Add test for nil-case of license files slice Signed-off-by: AdamKorcz <adam@adalogics.com> * rewrite multiple def.ymls Signed-off-by: AdamKorcz <adam@adalogics.com> * fix nits Signed-off-by: AdamKorcz <adam@adalogics.com> * Add unit test with multiple unapproved license files Signed-off-by: AdamKorcz <adam@adalogics.com> * 
Add link to approved license formats Signed-off-by: AdamKorcz <adam@adalogics.com> * fix linting Signed-off-by: AdamKorcz <adam@adalogics.com> * remove comment Signed-off-by: AdamKorcz <adam@adalogics.com> * preserve logging from original check Signed-off-by: AdamKorcz <adam@adalogics.com> * fix typo Signed-off-by: AdamKorcz <adam@adalogics.com> * remove redundant map manipulation Signed-off-by: AdamKorcz <adam@adalogics.com> * rename hasApproveLicense probe Signed-off-by: AdamKorcz <adam@adalogics.com> * Return OutcomeNotApplicable if hasFSFOrOSIApprovedLicense probe does not find a license Signed-off-by: AdamKorcz <adam@adalogics.com> * Include license file locations in log Signed-off-by: AdamKorcz <adam@adalogics.com> * fix linting issues Signed-off-by: AdamKorcz <adam@adalogics.com> * replace strings filtering with OutcomeNotApplicable in hasLicenseFileAtTopDir probe Signed-off-by: AdamKorcz <adam@adalogics.com> * Fix linter issue Signed-off-by: AdamKorcz <adam@adalogics.com> * Include location of found license files Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> * 🌱 convert packaging check to probe (#3486) * :seedling: convert packaging check to probe Signed-off-by: AdamKorcz <adam@adalogics.com> * amend text in def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * Correct short description in def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * log negative findings Signed-off-by: AdamKorcz <adam@adalogics.com> * rename probe Signed-off-by: AdamKorcz <adam@adalogics.com> * Fix the broken e2e test: The probe returned minimum score instead of inconclusive score which was not consistent with the previous scoring. This commit also removes the debug statements Signed-off-by: AdamKorcz <adam@adalogics.com> * change score text Signed-off-by: AdamKorcz <adam@adalogics.com> * include file details. 
process all packaging workflows Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> * :seedling: Add probe support for contributors metrics (#3460) * :seedling: Add probe support for cont…
What kind of change does this PR introduce?
This PR broadens the job matcher for semantic release.
That way other execution methods of semantic-release trigger no violation of the TokenPermission check.
What is the current behavior?
Only semantic-release executed using npx is detected as a valid use of contents write permissions.
What is the new behavior (if this is a feature change)?
Runs via pnpm and yarn are also detected.
Which issue(s) this PR fixes
NONE
Special notes for your reviewer
Tested against https://github.com/renovatebot/renovate/blob/main/.github/workflows/build.yml#L577
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to the release-note (In particular, describe what changes users might need to make in their application as a result of this pull request.)