
🐛 ensure Signed-Releases only scores 5 releases #3768

Merged 2 commits into ossf:main from bug/signed-releases on Jan 3, 2024

Conversation

spencerschrock (Contributor)

What kind of change does this PR introduce?

bug fix

What is the current behavior?

The releasesHaveProvenance probe was creating too many findings for repos which had more than 5 releases with provenance, which violated an assumption of the Signed-Releases evaluation code.

What is the new behavior (if this is a feature change)?

The releasesHaveProvenance probe only generates 5 releases, and a consistency check was added to the evaluation code.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #3766

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

Fixed a bug which allowed some repos to score higher than 10 in the Signed-Releases check.

Signed-off-by: Spencer Schrock <sschrock@google.com>
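A simplified model of the bug and the fix described above, as an added example that is not scorecard's own code: the two-points-per-release scoring, the `finding` type and the function names are assumptions made for illustration, chosen so that 5 releases with provenance reach exactly 10.

```go
package main

import "errors"

// Hypothetical, simplified model of a Signed-Releases style evaluation (not the scorecard
// project's own code): each release with provenance earns points, and the evaluation
// assumes the probe reports at most maxReleases releases, which keeps the total <= maxScore.
const (
	maxReleases = 5
	maxScore    = 10
)

// finding is a constructed stand-in for one probe finding per release.
type finding struct{ HasProvenance bool }

// sampleReleases builds a constructed repo with n releases that all have provenance.
func sampleReleases(n int) []finding {
	out := make([]finding, n)
	for i := range out {
		out[i].HasProvenance = true
	}
	return out
}

// probeCapped models the fix on the probe side: report at most maxReleases releases.
func probeCapped(all []finding) []finding {
	if len(all) > maxReleases {
		return all[:maxReleases]
	}
	return all
}

// scoreNoCheck models the pre-fix evaluation: every finding counts, so >5 releases score above 10.
func scoreNoCheck(findings []finding) int {
	total := 0
	for _, f := range findings {
		if f.HasProvenance {
			total += maxScore / maxReleases
		}
	}
	return total
}

// score adds the consistency check: breaking the at-most-5 assumption is an error, not a >10 score.
func score(findings []finding) (int, error) {
	if len(findings) > maxReleases {
		return 0, errors.New("probe reported more releases than the evaluation expects")
	}
	return scoreNoCheck(findings), nil
}
```

With 7 constructed releases the uncapped pre-fix path returns 14, the checked evaluation returns an error on the same input, and the capped probe output scores 10.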

codecov bot commented Jan 3, 2024

Codecov Report

Merging #3768 (7aed0fc) into main (2bad6e7) will decrease coverage by 5.02%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #3768      +/-   ##
==========================================
- Coverage   75.91%   70.89%   -5.02%     
==========================================
  Files         229      229              
  Lines       15372    15377       +5     
==========================================
- Hits        11669    10901     -768     
- Misses       2980     3807     +827     
+ Partials      723      669      -54     

spencerschrock (Contributor Author)

/scdiff generate Signed-Releases


github-actions bot commented Jan 3, 2024

@spencerschrock spencerschrock merged commit 658a77b into ossf:main Jan 3, 2024
41 checks passed
@spencerschrock spencerschrock deleted the bug/signed-releases branch January 3, 2024 22:58
Linked issue #3766: "Signed-Releases" check scores above 10 leading to invalid scores