Add GitHub Actions and Pub to the ecosystems list #74
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -382,6 +382,8 @@ The defined ecosystems are: | |
| | `Debian` | The Debian package ecosystem; the `name` is the name of the source package. The ecosystem string might optionally have a `:<RELEASE>` suffix to scope the package to a particular Debian release. `<RELEASE>` is a numeric version specified in the [Debian distro-info-data](https://debian.pages.debian.net/distro-info-data/debian.csv). For example, the ecosystem string "Debian:7" refers to the Debian 7 (wheezy) release. | | ||
| | `Hex` | The package manager for the Erlang ecosystem; the `name` is a Hex package name. | | ||
| | `Android` | The Android ecosystem; the `name` field is the Android component name that the patch applies to, as shown in the [Android Security Bulletins](https://source.android.com/security/bulletin) such as `Framework`, `Media Framework` and `Kernel Component`. The exhaustive list of components can be found at the [Appendix](#android-ecosystem-components). | | ||
| | `GitHub Actions` | The GitHub Actions ecosystem; the `name` field is an action name. | | ||
| | `Pub` | The package manager for the Dart ecosystem; the `name` field is a Dart package name. | | ||
|
There was a problem hiding this comment. @jonasfj Does this seem good to you? Are there any normalization rules etc for Pub packages? There was a problem hiding this comment. This looks solid to me. There is some corner case around custom pub repositories. But that's probably solved with a |
||
| | Your ecosystem here. | [Send us a PR](https://github.com/ossf/osv-schema/compare). | | ||
|
|
||
| It is permitted for a database name (the DB prefix in the `id` field) and an | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are there any other rules for how this name should be formated?
Is it a string such as "google/clusterfuzzlite/actions/build_fuzzers" ? (No @ part?). It may be helpful to clarify this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the feedback! We've added some more info for clarity.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks a lot! Sorry one more question -- would it make sense for this to be
owner/repo/pathwherepathis optional? Or is the granularity going to be at the repo level?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good question, and one that we had ourselves. We synced with the Actions team on this and determined it was best to leave it as
owner/repoto better align with the direction that Actions are headed, and Actions that currently followowner/repo/pathcan have path captured at the repo levelThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ack, thanks!