⚠️ Add initial Maintainers Annotation parsing #3905
Conversation
At a high level:
- the annotation package shouldn't need to know about any of the things above it.
- I don't want this showing up in the cron yet.
I left a few style comments that can be ignored for now while we discuss approach. I haven't had a chance to play around with the code, just reading it.
Conceptually, it makes more sense to me to have []Exemption with Check string; Annotation string. It's a little more verbose but forces the maintainer to be explicit why individual checks are being exempted. This is just a hunch on what will be more usable/readable, so it's not blocking.
It could be. The reason for having multiple checks bind to multiple annotations is to facilitate two scenarios: writing that multiple checks are "justified" by the same reason, and annotating that multiple reasons apply to a single check too. Since both solutions work, I don't mind changing to this approach if you prefer.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
This method is necessary to validate if the experimental feature is enabled so it can activate the show-annotations feature. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Added the last unresolved comments to issue #4048 so we can fix them later after moving on with this first PR of the Maintainers Annotation feature.
/scdiff generate Dependency-Update-Tool,SAST,Maintained,Packaging,Signed-Releases,Branch-Protection,Code-Review,Token-Permissions,CII-Best-Practices,License,Pinned-Dependencies,Dangerous-Workflow,Vulnerabilities,Security-Policy,Fuzzing,CI-Tests,Binary-Artifacts
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
For repo's using the github action, can you clarify the config steps. Do we add .scorecard.yml to the root of our repo (note the dot prefix in the filename), or add the exemptions configuration into the existing .github/workflows/scorecard.yml that the github action creates?
We are working on clarifying our documentation (https://github.com/ossf/scorecard/blob/main/config/README.md) before launch at the end of this month.
What kind of change does this PR introduce?
Enables maintainers to write annotations for Scorecard checks in a scorecard.yml file.
For example, a maintainer can record that binaries are present in the repository but are only used for tests. Scorecard will read the scorecard.yml file from the repository's root (in the expected format) and parse the annotated checks, so that they can be displayed in the scorecards.dev UI and ignored in GitHub's security alerts.
Design doc: https://docs.google.com/document/d/1-5NKRciF3qU-vLS4xPk48EDfC8isz0Z9vnvL4OVjwpQ/edit#heading=h.xzptrog8pyxf
What is the current behavior?
Scorecard runs checks over a repository.
What is the new behavior (if this is a feature change)?
Maintainers can attach annotations to these checks, giving the reasoning behind a check's low score.
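The exemption shape debated in the review above (many checks bound to many annotations versus explicit one-check-one-reason pairs) and the parse-then-suppress flow this PR describes, as an added example written for this page rather than code from the scorecard project or this PR: it parses a constructed config, rejects unknown check names and misspelled keys so a typo cannot silently leave a check un-annotated, flattens the many-to-many form into the reviewer's explicit pairs, and looks up the justifications for a given check. The key names exemptions, checks and annotations are assumptions (the thread does not show the real scorecard.yml schema); the check names come from the /scdiff command in this thread; and the sample document is JSON, which YAML 1.2 also accepts, so the example needs only the Go standard library.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// knownChecks is the set of check names listed in the /scdiff command in this
// thread. An exemption naming anything else is rejected rather than ignored.
var knownChecks = map[string]bool{
	"Dependency-Update-Tool": true, "SAST": true, "Maintained": true,
	"Packaging": true, "Signed-Releases": true, "Branch-Protection": true,
	"Code-Review": true, "Token-Permissions": true, "CII-Best-Practices": true,
	"License": true, "Pinned-Dependencies": true, "Dangerous-Workflow": true,
	"Vulnerabilities": true, "Security-Policy": true, "Fuzzing": true,
	"CI-Tests": true, "Binary-Artifacts": true,
}

// Exemption binds one or more checks to one or more justifications, the
// many-to-many shape the PR author describes. The key names are assumptions;
// the thread does not show the real scorecard.yml schema.
type Exemption struct {
	Checks      []string `json:"checks"`
	Annotations []string `json:"annotations"`
}

// Config is the top-level document.
type Config struct {
	Exemptions []Exemption `json:"exemptions"`
}

// Pair is the explicit one-check-one-reason form the reviewer suggested.
type Pair struct {
	Check      string
	Annotation string
}

// Parse decodes and validates a config document. Unknown keys are an error so
// a misspelled key ("annotation" for "annotations") fails loudly; empty lists
// and unknown check names are rejected for the same reason.
func Parse(data []byte) (Config, error) {
	var cfg Config
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&cfg); err != nil {
		return Config{}, fmt.Errorf("parse config: %w", err)
	}
	for i, ex := range cfg.Exemptions {
		if len(ex.Checks) == 0 || len(ex.Annotations) == 0 {
			return Config{}, fmt.Errorf("exemption %d: checks and annotations must both be non-empty", i)
		}
		for _, c := range ex.Checks {
			if !knownChecks[c] {
				return Config{}, fmt.Errorf("exemption %d: unknown check %q", i, c)
			}
		}
	}
	return cfg, nil
}

// Flatten expands the many-to-many form into explicit (check, reason) pairs,
// which is what a UI or an alert filter consumes either way.
func Flatten(cfg Config) []Pair {
	var pairs []Pair
	for _, ex := range cfg.Exemptions {
		for _, c := range ex.Checks {
			for _, a := range ex.Annotations {
				pairs = append(pairs, Pair{Check: c, Annotation: a})
			}
		}
	}
	return pairs
}

// AnnotationsFor returns every justification recorded for a check, in file
// order, or nil when the check is not exempted and its alert should stand.
func AnnotationsFor(cfg Config, check string) []string {
	var out []string
	for _, p := range Flatten(cfg) {
		if p.Check == check {
			out = append(out, p.Annotation)
		}
	}
	return out
}

// sampleConfig is a constructed document in JSON form (which YAML 1.2 also
// accepts); the ticket id is a placeholder.
const sampleConfig = `{
  "exemptions": [
    {"checks": ["Binary-Artifacts"],
     "annotations": ["binaries are test fixtures, never shipped"]},
    {"checks": ["Pinned-Dependencies", "Token-Permissions"],
     "annotations": ["tracked in ticket PLACEHOLDER-123", "fix scheduled for next release"]}
  ]
}`

func main() {
	cfg, err := Parse([]byte(sampleConfig))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range Flatten(cfg) {
		fmt.Printf("%-22s %s\n", p.Check, p.Annotation)
	}
	fmt.Println("Fuzzing exempted?", AnnotationsFor(cfg, "Fuzzing") != nil)
}
```

Flatten shows why the two shapes are interchangeable for consumers: the many-to-many form the PR author prefers and the explicit pairs the reviewer prefers produce the same list, so the choice is about what maintainers find readable to write, not about what the UI or alert filter can do with it.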
Which issue(s) this PR fixes
Related to #1907
Special notes for your reviewer
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to the release-note block. (In particular, describe what changes users might need to make in their application as a result of this pull request.)