🐛 Fix signed release error for empty gitlab repo

[naveensrinivasan]

What kind of change does this PR introduce?

• Fixed the issue where an empty gitlab repo is causing this error. Error: check runtime error: Signed-Releases: internal error: could not get release name 2023/12/27 18:07:19 error during command execution: check runtime error: Signed-Releases: internal error: could not get release name exit status 1

(Is it a bug fix, feature, docs update, something else?)

• PR title follows the guidelines defined in our pull request documentation

What is the current behavior?

What is the new behavior (if this is a feature change)?**

• Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

[codecov]

Codecov Report

Merging #3753 (d4be15a) into main (a34f0bf) will increase coverage by 4.07%.
Report is 1 commits behind head on main.
The diff coverage is 57.14%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3753      +/-   ##
==========================================
+ Coverage   66.83%   70.90%   +4.07%     
==========================================
  Files         227      227              
  Lines       15356    15353       -3     
==========================================
+ Hits        10263    10886     +623     
+ Misses       4486     3802     -684     
- Partials      607      665      +58     

[spencerschrock]

As part of our structured result works, we try to use the finding outcomes when determining things like "no releases".

In this case, the convention is a single finding with OutcomeNotApplicable.

scorecard/probes/releasesAreSigned/def.yml

Lines 16 to 24 in 5d8767e

	short: Check that the projects Github and Gitlab releases are signed.
	motivation: >
	Signed releases allow consumers to verify their artifacts before consuming them.
	implementation: >
	The implementation checks whether a signature file is present in release assets. The probe checks the last 5 releases on Github and Gitlab.
	outcome:
	- For each of the last 5 releases, the probe returns OutcomePositive, if the release has a signature file in the release assets.
	- For each of the last 5 releases, the probe returns OutcomeNegative, if the the release does not have a signature file in the release assets.
	- If the project has no releases, the probe returns OutcomeNotApplicable.

[naveensrinivasan]

@spencerschrock Let me know if this is good.

[spencerschrock]

I think moving the if f.Outcome == finding.OutcomeNotApplicable block up is all that was needed.

I'm fine with the getReleaseName function signature changes, but still think not having a release name should be considered an error as it would indicate a programming mistake on our side, not anything wrong with the repo.

[spencerschrock]

/scdiff generate Signed-Releases

(just a tool to help visualize changes across 15 test repos)

[github-actions]

Here's a link to the scdiff run

[naveensrinivasan]

I think moving the if f.Outcome == finding.OutcomeNotApplicable block up is all that was needed.

I'm fine with the getReleaseName function signature changes, but still think not having a release name should be considered an error as it would indicate a programming mistake on our side, not anything wrong with the repo.

Thanks