-
Notifications
You must be signed in to change notification settings - Fork 496
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🐛 Fix Branch-Protection scoring #3251
Merged
spencerschrock
merged 5 commits into
ossf:main
from
gabibguti:fix/branch-protection-score
Jul 18, 2023
Merged
🐛 Fix Branch-Protection scoring #3251
spencerschrock
merged 5 commits into
ossf:main
from
gabibguti:fix/branch-protection-score
Jul 18, 2023
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
gabibguti
requested review from
azeemshaikh38,
justaugustus,
laurentsimon,
naveensrinivasan,
spencerschrock and
raghavkaul
as code owners
July 7, 2023 20:50
gabibguti
temporarily deployed
to
integration-test
July 7, 2023 20:51
— with
GitHub Actions
Inactive
laurentsimon
reviewed
Jul 7, 2023
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
gabibguti
temporarily deployed
to
integration-test
July 10, 2023 12:30
— with
GitHub Actions
Inactive
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #3251 +/- ##
===========================================
- Coverage 72.30% 60.85% -11.46%
===========================================
Files 168 168
Lines 12617 12625 +8
===========================================
- Hits 9123 7683 -1440
- Misses 2990 4521 +1531
+ Partials 504 421 -83 |
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
gabibguti
temporarily deployed
to
integration-test
July 17, 2023 19:28
— with
GitHub Actions
Inactive
spencerschrock
approved these changes
Jul 17, 2023
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
gabibguti
temporarily deployed
to
integration-test
July 17, 2023 22:26
— with
GitHub Actions
Inactive
spencerschrock
temporarily deployed
to
integration-test
July 18, 2023 17:22
— with
GitHub Actions
Inactive
andrelmbackman
pushed a commit
to nokia/scorecard
that referenced
this pull request
Jul 26, 2023
* fix: Verify if branch is required to be up to date before merge Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Comment tracking GraphQL bug Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Add validation if pointers are not null before accessing the values Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Delete debug log file Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> --------- Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> Signed-off-by: André Backman <andre.backman@nokia.com>
ashearin
pushed a commit
to kgangerlm/scorecard-gitlab
that referenced
this pull request
Nov 13, 2023
* fix: Verify if branch is required to be up to date before merge Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Comment tracking GraphQL bug Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Add validation if pointers are not null before accessing the values Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Delete debug log file Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> --------- Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
raghavkaul
added a commit
that referenced
this pull request
Jan 26, 2024
* 🌱 Bump github.com/goreleaser/goreleaser in /tools (#3238) Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.18.2 to 1.19.1. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.18.2...v1.19.1) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * begin implementing probe: minTwoCodeReviewers Signed-off-by: André Backman <andre.backman@nokia.com> * print raw results Signed-off-by: André Backman <andre.backman@nokia.com> * print raw results Signed-off-by: André Backman <andre.backman@nokia.com> * print raw results Signed-off-by: André Backman <andre.backman@nokia.com> * rename probe directory: minimumCodeReviewers Signed-off-by: André Backman <andre.backman@nokia.com> * rename probe CodeReviewers Signed-off-by: André Backman <andre.backman@nokia.com> * rename import for CodeReviewers probe Signed-off-by: André Backman <andre.backman@nokia.com> * update code reviewers definition Signed-off-by: André Backman <andre.backman@nokia.com> * update code reviewers implementation; fixed embed FS usage Signed-off-by: André Backman <andre.backman@nokia.com> * printing all findings, work out where to concatenate them Signed-off-by: André Backman <andre.backman@nokia.com> * concatenated findings to one single finding, outcome is based on the least found unique reviewers Signed-off-by: André Backman <andre.backman@nokia.com> * refactored uniqueCodeReviewers probe, needs more error checks Signed-off-by: André Backman <andre.backman@nokia.com> * add error handling for cases of non-existant author and/or reviewer logins Signed-off-by: André Backman <andre.backman@nokia.com> * add error handling for cases of non-existant author and/or reviewer logins Signed-off-by: André Backman <andre.backman@nokia.com> * rename probe Signed-off-by: André Backman <andre.backman@nokia.com> * update codeReviewTwoReviewers definition Signed-off-by: André Backman <andre.backman@nokia.com> * rename unique code reviewers probe Signed-off-by: André Backman <andre.backman@nokia.com> * implement codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <andre.backman@nokia.com> * update codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <andre.backman@nokia.com> * working version of codeApproved probe Signed-off-by: André Backman <andre.backman@nokia.com> * codeReviewed probe implemented Signed-off-by: André Backman <andre.backman@nokia.com> * clean up comments, add imports, run all probes Signed-off-by: André Backman <andre.backman@nokia.com> * update license comments Signed-off-by: André Backman <andre.backman@nokia.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update impl.go license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update impl.go license to Apache 2 Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update impl.go license to Apache 2 Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update code_review.go license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update entries.go; CodeReviewChecks now called CodeReview Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Delete code_review.go utilities moved utility functions to the impl.go they are used in Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * rename probe Signed-off-by: André Backman <andre.backman@nokia.com> * update codeReviewTwoReviewers definition Signed-off-by: André Backman <andre.backman@nokia.com> * implement codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <andre.backman@nokia.com> * update codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <andre.backman@nokia.com> * working version of codeApproved probe Signed-off-by: André Backman <andre.backman@nokia.com> * codeReviewed probe implemented Signed-off-by: André Backman <andre.backman@nokia.com> * clean up comments, add imports, run all probes Signed-off-by: André Backman <andre.backman@nokia.com> * update license comments Signed-off-by: André Backman <andre.backman@nokia.com> * update license comments Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Included unit tests (#3242) - Included unit tests Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump golang.org/x/text from 0.10.0 to 0.11.0 (#3243) Bumps [golang.org/x/text](https://github.com/golang/text) from 0.10.0 to 0.11.0. - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: golang.org/x/text dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0 (#3244) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.9.0 to 0.10.0. - [Commits](golang/oauth2@v0.9.0...v0.10.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 📖 Update Branch-Protection admin and non-admin requirements (#2772) * docs: Branch protection admin-only requirements Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Branch protection requirements by tier Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: How get a perfect score in branch protection Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix local images ref in doc Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix typo Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com> Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix check specific table of contents Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Code owners setting is non admin Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix branch protection applied not only to main branch Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Add alt text for images Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: You can get a perfect score with non admin access Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: update max tier scores Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: update tier 1 max points explanation Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Move changes to internal checks doc Move changes done in docs/checks.md to docs/checks/internal/checks.yaml. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Revert changes on checks doc Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix admin settings evaluated on branch protection Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Change branch protection model status checks Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Change tiers score to expected score The expected score for the code to output is 3/10 for Tier 1 case and 7/10 for Tier 3 case. The scoring issue will be reported as bug. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix Tier 3 score Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> --------- Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Linter workflow cleanup (#3247) * Fix linter timeout by renaming deprecated deadline. Signed-off-by: Spencer Schrock <sschrock@google.com> * Disable depguard linter. As of golangci-lint v3.5.0, the depguard linter is complaining. We don't use a .depguard.yml file, so just disabling the linter. Signed-off-by: Spencer Schrock <sschrock@google.com> * Move linter into own workflow. Signed-off-by: Spencer Schrock <sschrock@google.com> * Fix bash command substitution. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add harden runner. Signed-off-by: Spencer Schrock <sschrock@google.com> * switch names to existing linter job Signed-off-by: Spencer Schrock <sschrock@google.com> * Update golangci-lint to v1.53.3 Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump tj-actions/changed-files from 37.0.5 to 37.1.0 (#3253) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.0.5 to 37.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@54849de...87e23c4) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump github.com/goreleaser/goreleaser in /tools (#3252) Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.19.1 to 1.19.2. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.19.1...v1.19.2) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump golang.org/x/tools from 0.10.0 to 0.11.0 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.10.0 to 0.11.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Improve rate limit handling in roundtripper (#3237) - Add rate limit testing and handling functionality - Add tests for successful response and Retry-After header set scenarios Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump tj-actions/changed-files from 37.1.0 to 37.1.1 (#3259) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.0 to 37.1.1. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@87e23c4...1f20fb8) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump github.com/bradleyfalzon/ghinstallation/v2 (#3260) Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.5.0...v2.6.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱Add urls for opentelemetry, micrometer and new relic to weekly cron (#3248) * add urls for opentelemetry and micrometer Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com> * add jakarta-activation url Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com> * adding json-path Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com> * fix uing make Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com> --------- Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🐛 Add npm installs to Pinned-Dependencies score (#2960) * feat: Add npm install to pinned dependencies score Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix pinned dependencies evaluation tests Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, for "various wanrings" test, the total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix pinned dependencies e2e tests Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. The repo being tested, ossf-tests/scorecard-check-pinned-dependencies-e2e, has third-party GitHub actions pinned, no npm installs, and all other dependencies types are unpinned. This gives us 8 for actionScore, 10 for npmScore and 0 for all other scores. Previously the total score was 8/5~=1, and now the total score is 18/6=3. Also, since there are no npm installs, there's one more Info log for "npm installs are pinned". Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix typo Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Unpinned npm install score When having one unpinned npm install and all other dependencies pinned, the score should be 50/6~=8. Also, it should raise 1 warning for the unpinned npm install, 6 infos saying the other dependency types are pinned (2 for GHAs, 2 for dockerfile image and downdloads, 1 for script downdloads and 1 for pip installs), and 0 debug logs since the npm install dependency does not have an error message. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Undefined npm install score When an error happens to parse a npm install dependency, the error/debug message is saved in "Msg" field. In this case, we were not able to define if the npm install is pinned or not. This dependency is classified as pinned undefined. We treat such cases as pinned cases, so it logs as Info that npm installs are all pinned and counts the score as 10. Then, the final score makes it to 10 as well. Since it logs the error/debug message, the Debug log goes to 1. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix typo Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix "validate various warnings and info" test Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, this test total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: npm dependencies pinned log Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Remove test of error when parsing an npm dependency Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> --------- Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump github.com/moby/buildkit from 0.11.6 to 0.12.0 (#3264) Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.11.6 to 0.12.0. - [Release notes](https://github.com/moby/buildkit/releases) - [Commits](moby/buildkit@v0.11.6...v0.12.0) --- updated-dependencies: - dependency-name: github.com/moby/buildkit dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * Ack linter warning and add tracking issue. (#3263) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🐛 Forgive job-level permissions (#3162) * Forgive all job-level permissions Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Update tests Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Replace magic number Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Rename test Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Test that multiple job-level permissions are forgiven Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Drop unused permissionIsPresent Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Update documentation Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Modify score descriptions Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Document warning for job-level permissions Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * List job-level permissions that get WARNed Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> --------- Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🐛 Fix typo (#3267) Signed-off-by: Eugene Kliuchnikov <eustas@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 📖 Suggest new score viewer on badge documentation (#3268) * docs(readme): suggest new score viewer on badge documentation Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * docs(readme): add link to ossf blogpost about the badge Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * docs: update badge of our own README to the new viewer Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> --------- Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump tj-actions/changed-files from 37.1.1 to 37.1.2 (#3266) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.1 to 37.1.2. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@1f20fb8...2a968ff) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Update the cover profile for e2e (#3271) - Update the cover profile for e2e Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Improve e2e workflow tests (#3273) - Add e2e test for workflow runs - Retrieve successful runs of the scorecard-analysis.yml workflow Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Excluded dependabot from codecov (#3272) - Exclude dependabot from codecov job in main.yml [.github/workflows/main.yml] - Exclude dependabot from codecov job Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Increase test coverage for searching commits (#3276) - Add an e2e test for searching commits by author - Search commits by author `dependabot[bot]` and expect results Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🐛 Fix Branch-Protection scoring (#3251) * fix: Verify if branch is required to be up to date before merge Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Comment tracking GraphQL bug Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Add validation if pointers are not null before accessing the values Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Delete debug log file Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> --------- Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * ✨ scdiff: generate cmd skeleton (#3275) * add scdiff root command Signed-off-by: Spencer Schrock <sschrock@google.com> * Add generate boilerplate. Signed-off-by: Spencer Schrock <sschrock@google.com> * get rid of init Signed-off-by: Spencer Schrock <sschrock@google.com> * read newline delimitted repo file Signed-off-by: Spencer Schrock <sschrock@google.com> * Run scorecard and echo results. Signed-off-by: Spencer Schrock <sschrock@google.com> * add license Signed-off-by: Spencer Schrock <sschrock@google.com> * add basic runner tests. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add Runner comment. Signed-off-by: Spencer Schrock <sschrock@google.com> * switch to using scorecard logger. Signed-off-by: Spencer Schrock <sschrock@google.com> * linter fix Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Delete unused project-update functionality. (#3269) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump tj-actions/changed-files from 37.1.2 to 37.3.0 (#3280) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.2 to 37.3.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@2a968ff...3928317) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump github.com/google/osv-scanner from 1.3.5 to 1.3.6 (#3281) Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.5 to 1.3.6. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.3.5...v1.3.6) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump gocloud.dev from 0.30.0 to 0.32.0 (#3284) Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.30.0 to 0.32.0. - [Release notes](https://github.com/google/go-cloud/releases) - [Commits](google/go-cloud@v0.30.0...v0.32.0) --- updated-dependencies: - dependency-name: gocloud.dev dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Include attestor Dockerfile in CI and dependabot updates (#3285) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump tj-actions/changed-files from 37.3.0 to 37.4.0 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.3.0 to 37.4.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@3928317...de0eba3) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump google-appengine/debian11 in /attestor Bumps google-appengine/debian11 from `fed7dd5` to `97dc4fb`. --- updated-dependencies: - dependency-name: google-appengine/debian11 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump github.com/xanzy/go-gitlab from 0.86.0 to 0.88.0 Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.86.0 to 0.88.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.86.0...v0.88.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Use a matrix for docker image building (#3290) * working matrix. Signed-off-by: Spencer Schrock <sschrock@google.com> * Remove unneeded env vars. Add comments. Signed-off-by: Spencer Schrock <sschrock@google.com> * minor syntax change. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Improve e2e workflow tests (#3282) - Ensure that only head queries are supported in workflow tests - Add a test to detect when a non-existent workflow file is used [e2e/workflow_test.go] - Add a test to check that only head queries are supported - Add a test to check that a non-existent workflow file returns an error Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Use a matrix for when building binaries in main.yml (#3291) * Use matrix for build jobs. Signed-off-by: Spencer Schrock <sschrock@google.com> * These build targets dont seem to need protoc. This lets us save the API quota. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Fix hanging docker jobs for doc only changes. (#3292) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 📖 Add contributor ladder (#3246) * Add contributor ladder Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Clarify sponsorship Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Hope for retirement warning Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * 1 maintainer can sponsor a community member Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Apply suggestions from code review Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Pedro Nacht <pedro.k.night@gmail.com> --------- Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> Signed-off-by: Pedro Nacht <pedro.k.night@gmail.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Consolidate GitLab e2e workflows. (#3278) * Move gitlab to different workflow to parallelize. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add missing versions. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Add separate cache for long-running tests (#3293) * Add separate cache for unit tests. Signed-off-by: Spencer Schrock <sschrock@google.com> * share cache with gitlab tests too. Signed-off-by: Spencer Schrock <sschrock@google.com> * share cache with github integration tests. Signed-off-by: Spencer Schrock <sschrock@google.com> * explicitly download modules in unit test job Signed-off-by: Spencer Schrock <sschrock@google.com> * checkout needs to be before the go.mod is read. Signed-off-by: Spencer Schrock <sschrock@google.com> * checkout needs to be before the go.sum files are hashed. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0 (#3297) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.7.0 to 5.8.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.7.0...v5.8.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump github.com/onsi/gomega from 1.27.8 to 1.27.9 (#3298) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.8 to 1.27.9. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.27.8...v1.27.9) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Improve search commit e2e tests (#3295) - Add 2 tests for searching commits in e2e/searchCommits_test.go - Fix errors in e2e/searchCommits_test.go when not using HEAD or when user does not exist [e2e/searchCommits_test.go] - Add 2 tests for searching commits - Fix error when not using HEAD - Fix error when user does not exist Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 📖 update docs for webhooks documentation (#3299) * update docs for webhooks documentation Signed-off-by: leec94 <leec94@bu.edu> * change webhook severity in readme Signed-off-by: leec94 <leec94@bu.edu> --------- Signed-off-by: leec94 <leec94@bu.edu> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Unit tests OSSFuzz client (#3301) * 🌱 Unit tests OSSFuzz client - Included tests for IsArchived, LocalPath, ListFiles, GetFileContent, GetBranch, GetDefaultBranch, GetOrgRepoClient, GetDefaultBranchName, ListCommits, ListIssues, ListReleases, ListContributors, ListSuccessfulWorkflowRuns, ListCheckRunsForRef, ListStatuses, ListWebhooks, SearchCommits, Close, ListProgrammingLanguages, Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Improve OSSFuzz client tests [clients/ossfuzz/client_test.go] - Add a test for the `GetCreatedAt` method - Fix the `URI` method to return the correct value Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Ensure check markdown is kept in sync with source yaml. (#3300) * Ensure check markdown is kept in sync with check yaml. Signed-off-by: Spencer Schrock <sschrock@google.com> * change generate-docs target to detect changes to docs/checks.md directly. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * Update code_review.go license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * Update entries.go; CodeReviewChecks now called CodeReview Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * refactor codeReviewTwoReviewers; moved utility functions into impl.go Signed-off-by: André Backman <andre.backman@nokia.com> * Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update go.mod, aligned imports Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * update license comments Signed-off-by: André Backman <andre.backman@nokia.com> * update license comments Signed-off-by: André Backman <andre.backman@nokia.com> * change EOL = CRLF to LF Signed-off-by: André Backman <andre.backman@nokia.com> * add error handling in case of no changesets Signed-off-by: André Backman <andre.backman@nokia.com> * completed tests for code-review probes Signed-off-by: André Backman <andre.backman@nokia.com> * update codeReview probes and utils Signed-off-by: André Backman <andre.backman@nokia.com> * fixed some lint errors, check for more Signed-off-by: André Backman <andre.backman@nokia.com> * fixed lint issues Signed-off-by: André Backman <andre.backman@nokia.com> * fix lint errors Signed-off-by: André Backman <andre.backman@nokia.com> * add test for multiple reviews with only one unique reviewer Signed-off-by: André Backman <andre.backman@nokia.com> * simplify func uniqueReviewers, use map[string]bool Signed-off-by: André Backman <andre.backman@nokia.com> * fix linting error Signed-off-by: André Backman <andre.backman@nokia.com> * moved probe tests to their own function Signed-off-by: André Backman <andre.backman@nokia.com> * fix comment syntax Signed-off-by: André Backman <andre.backman@nokia.com> * gci-ed files to fix linter errors Signed-off-by: André Backman <andre.backman@nokia.com> * implement change to skip bot-authored changesets that are reviewed/approved Signed-off-by: André Backman <andre.backman@nokia.com> * rewrite finding message Signed-off-by: André Backman <andre.backman@nokia.com> * fix output message; do not count the number of approved bot-authored changesets Signed-off-by: André Backman <andre.backman@nokia.com> * fix typos Signed-off-by: André Backman <andre.backman@nokia.com> * moved probe tests to their corresponding location Signed-off-by: André Backman <andrebackmann@gmail.com> * removed redundant probe codeReviewed Signed-off-by: André Backman <andrebackmann@gmail.com> * Update probes/codeApproved/def.yml Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com> * Update probes/codeApproved/def.yml Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com> * Update probes/codeApproved/def.yml Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com> * Update probes/codeApproved/def.yml Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com> * Update probes/codeApproved/def.yml Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com> * Update probes/codeReviewOneReviewers/def.yml Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com> * Lint Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: André Backman <andre.backman@nokia.com> Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com> Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> Signed-off-by: Eugene Kliuchnikov <eustas@google.com> Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> Signed-off-by: Pedro Nacht <pedro.k.night@gmail.com> Signed-off-by: leec94 <leec94@bu.edu> Signed-off-by: André Backman <andrebackmann@gmail.com> Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: André Backman <andre.backman@nokia.com> Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Co-authored-by: Gabriela Gutierrez <gabigutierrez@google.com> Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com> Co-authored-by: Spencer Schrock <sschrock@google.com> Co-authored-by: Ajmal Kottilingal <90693406+ajmalab@users.noreply.github.com> Co-authored-by: Pedro Nacht <pnacht@google.com> Co-authored-by: Eugene Kliuchnikov <eustas@google.com> Co-authored-by: Diogo Teles Sant'Anna <diogoteles@google.com> Co-authored-by: Caroline <leec94@bu.edu> Co-authored-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com> Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Co-authored-by: gowriNSN <143079242+gowriNSN@users.noreply.github.com> Co-authored-by: Raghav Kaul <raghavkaul@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce?
Fix Branch-Protection scoring.
What is the current behavior?
We score 1 wrong point verifying if branch is required to be up to date before merge. We retrieve this info from GitHub GraphQL API checking if
RequiresStrictStatusChecks
setting is enabled. However, this setting comes wrong due a bug https://github.com/orgs/community/discussions/59471, messing up the Tiers scoring.What is the new behavior (if this is a feature change)?**
We have a workaround that verifies first if both
RequiresStatusChecks
andRequiresStatusChecks
settings are enabled. Meaning we verify if the branch requires status checks to merge, to then verify if between those checks it requires branches to be up to date. If the branch does not require status checks to merge, then it cannot require branches to be up to date.Which issue(s) this PR fixes
Fixes #3250
Special notes for your reviewer
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to
the
release-note
(In particular, describe what changes users might need to make in their
application as a result of this pull request.)