Add GitHub Actions and Pub to the ecosystems list #74
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -382,6 +382,8 @@ The defined ecosystems are: | |
| `Debian` | The Debian package ecosystem; the `name` is the name of the source package. The ecosystem string might optionally have a `:<RELEASE>` suffix to scope the package to a particular Debian release. `<RELEASE>` is a numeric version specified in the [Debian distro-info-data](https://debian.pages.debian.net/distro-info-data/debian.csv). For example, the ecosystem string "Debian:7" refers to the Debian 7 (wheezy) release. | | ||
| `Hex` | The package manager for the Erlang ecosystem; the `name` is a Hex package name. | | ||
| `Android` | The Android ecosystem; the `name` field is the Android component name that the patch applies to, as shown in the [Android Security Bulletins](https://source.android.com/security/bulletin) such as `Framework`, `Media Framework` and `Kernel Component`. The exhaustive list of components can be found at the [Appendix](#android-ecosystem-components). | | ||
| `GitHub Actions` | The GitHub Actions ecosystem; the `name` field is an action name. | | ||
| `Pub` | The package manager for the Dart ecosystem; the `name` field is a Dart package name. | | ||
@jonasfj Does this seem good to you? Are there any normalization rules etc for Pub packages?

This looks solid to me. There is some corner case around custom pub repositories. But that's probably solved with a
||
| Your ecosystem here. | [Send us a PR](https://github.com/ossf/osv-schema/compare). | | ||
|
||
It is permitted for a database name (the DB prefix in the `id` field) and an | ||
|
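Review bot: in the added `GitHub Actions` row, "the `name` field is an action name" does not say what form that name takes, so two databases could record the same action under different strings. State the expected form in the row itself (for instance whether a sub-path or an `@` ref belongs in it), the way the `Debian` row spells out its optional `:<RELEASE>` suffix. The `Pub` row has a similar gap: it does not say which package repository the name is resolved against, and a short qualifier there would remove the ambiguity.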
Are there any other rules for how this name should be formatted?
Is it a string such as "google/clusterfuzzlite/actions/build_fuzzers"? (No @ part?). It may be helpful to clarify this.

Thanks for the feedback! We've added some more info for clarity.

Thanks a lot! Sorry one more question -- would it make sense for this to be `owner/repo/path` where `path` is optional? Or is the granularity going to be at the repo level?
Good question, and one that we had ourselves. We synced with the Actions team on this and determined it was best to leave it as `owner/repo` to better align with the direction that Actions are headed, and Actions that currently follow `owner/repo/path` can have path captured at the repo level

ack, thanks!
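The `owner/repo` granularity settled on in this thread, shown as an added example (not code from the PR or the OSV project): a scanner reducing workflow `uses:` values to the package name it would look up. The function name `osv_package_for_uses` is hypothetical, and dropping the `@ref` suffix from the name is an assumption, since the thread does not show the final wording.

```python
from typing import Optional

ECOSYSTEM = "GitHub Actions"  # ecosystem string from the table row in the diff


def osv_package_for_uses(uses: str) -> Optional[dict]:
    """Map a workflow `uses:` value to an OSV package at owner/repo granularity.

    Returns None for references that do not name a repository-hosted action
    (local paths and docker:// images), which have no owner/repo to match on.
    """
    uses = uses.strip()
    if not uses or uses.startswith(("./", "../", "docker://")):
        return None
    # Assumption: the ref (tag, branch or commit SHA) is a version, not part
    # of the package name, so it is dropped before matching.
    target, _, _ref = uses.partition("@")
    parts = target.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return None
    # owner/repo/path collapses to owner/repo, as decided in the thread.
    return {"ecosystem": ECOSYSTEM, "name": f"{parts[0]}/{parts[1]}"}


# Constructed sample `uses:` values, not taken from a real workflow.
SAMPLES = [
    "google/clusterfuzzlite/actions/build_fuzzers@v1",
    "actions/checkout@v4",
    "./.github/actions/local-build",
    "docker://alpine:3.19",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:55} -> {osv_package_for_uses(s)}")
```

A consequence of repo-level names is that an advisory for one action in a multi-action repository matches every `uses:` entry pointing into that repository, so findings may need triage by path.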