Show negative results in some check details #98
Negative results logged with a "!!" prefix.

Updates ossf#95

$ go run . --repo=github.com/ossf/scorecard --show-details --checks=Pull-Requests
Starting [Pull-Requests]
Finished [Pull-Requests]

RESULTS
-------
Pull-Requests: Pass 9
!! found commit without PR: 71dace5, committer: dlorenc
found PRs for 29 out of 30 commits

Negative results logged with a "!!" prefix.

Updates ossf#95

$ go run . --repo=github.com/cilium/cilium --show-details --checks=Signed-Tags
Starting [Signed-Tags]
Finished [Signed-Tags]

RESULTS
-------
Signed-Tags: Fail 4
verified tag found: v1.9.0-rc1, commit: a46b5c308779b00676bcbffe6847701984fb7ec7
!! unverified tag found: v1.9.0-rc2, commit: 2ee8e4659ad4050154eb83008ba6434bddad44eb, reason: unsigned
verified tag found: v1.9.0-rc3, commit: ee77e846a9b85e318d6d077c801e2615d5e7dbe3
!! unverified tag found: v1.9.0, commit: 1cdd547dce26adb046d117494d559c64007365fd, reason: unsigned
verified tag found: v1.9.1, commit: bb4abe1720cb56c6a5f74d0567665555ad8434f1
found 3 of 5 verified tags

Negative results logged with a "!!" prefix.

Updates ossf#95

$ go run . --repo=github.com/gohugoio/hugo --show-details --checks=Signed-Releases
Starting [Signed-Releases]
Finished [Signed-Releases]

RESULTS
-------
Signed-Releases: Fail 10
release found: v0.79.1
!! release v0.79.1 has no signed artifacts
release found: v0.79.0
!! release v0.79.0 has no signed artifacts
release found: v0.78.2
!! release v0.78.2 has no signed artifacts
release found: v0.78.1
!! release v0.78.1 has no signed artifacts
release found: v0.78.0
!! release v0.78.0 has no signed artifacts
release found: v0.77.0
!! release v0.77.0 has no signed artifacts
found signed artifacts for 0 of 6 releases
Thanks a lot, minor changes needed.
@@ -61,10 +60,18 @@ func SignedTags(c checker.Checker) checker.CheckResult { | |||
return checker.RetryResult(err) | |||
} | |||
if gt.GetVerification().GetVerified() { | |||
c.Logf("signed tag found: %s, commit: %s", t.Name, sha) | |||
c.Logf("verified tag found: %s, commit: %s", t.Name, sha) |
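Review bot: the success message under `if gt.GetVerification().GetVerified()` now reads "verified tag found" while the function is still named SignedTags, so the output uses two different terms for one check and nothing in the code explains why. Consider a one-line comment above the condition stating that this branch is taken only when the tag's verification is reported as verified, and use the same word in the rest of this check's messages so the detail lines read consistently.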
"Verified" is a slightly confusing word; that is why we keep the check name as signed. I prefer signed for all of these, thoughts?
I changed the terminology for a repo such as git, as shown below. They're signed but GH can't verify the key, so the check fails. Logging "unsigned tag found" in this scenario is confusing.
I'd like to keep the new "reason" entry in the output either way, but I can change back to "signed" instead of "verified" if you wish.
go run . --repo=github.com/git/git --show-details --checks=Signed-Tags
Starting [Signed-Tags]
Finished [Signed-Tags]
RESULTS
-------
Signed-Tags: Fail 10
!! unverified tag found: v2.29.0, commit: 0c6ff04c974f0aab239e9ba46307e1d1a4904d66, reason: unknown_key
!! unverified tag found: v2.29.1, commit: 6c5034eca4973ae22eee0436e34f9f010895bea3, reason: unknown_key
!! unverified tag found: v2.29.2, commit: 1ec19b7757a1acb11332f06e8e812b505490afc6, reason: unknown_key
!! unverified tag found: v2.30.0-rc0, commit: a8eaf9de52c2d49799d7dc724e688ccbfa74390c, reason: unknown_key
!! unverified tag found: v2.30.0-rc1, commit: cb70effebd91d9e0d4ce81650785e973b5d16ad1, reason: unknown_key
found 0 out of 5 verified tags
Log positive results in Pull-Requests and update log messages in Signed-Releases and Signed-Tags.
I have one commit per check in this PR. See commit messages for more details.
I'd like to get more checks updated, but these are the simple ones.
Updates #95
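
Added example, not part of this PR or of the scorecard code base: a small Go helper that reads `--show-details` output in the line format shown in this thread and groups the `!!` tag results by their `reason` field, so tags that are `unsigned` can be told apart from signed tags that failed with `unknown_key`. The name `TriageTags` and the sample lines are hypothetical, constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample in the detail-line format shown in this thread
// (tag names and commit ids are made up).
const sample = `Signed-Tags: Fail 10
verified tag found: v0.1.0, commit: 1111111
!! unverified tag found: v0.2.0, commit: 2222222, reason: unsigned
!! unverified tag found: v0.3.0, commit: 3333333, reason: unknown_key
!! unverified tag found: v0.4.0, commit: 4444444, reason: unknown_key
found 1 out of 4 verified tags`

const negPrefix = "!! unverified tag found: "

// TriageTags (hypothetical helper) counts verified tags and groups the
// negative ("!!") tag results by the value of their reason field.
func TriageTags(output string) (verified int, byReason map[string][]string) {
	byReason = map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "verified tag found: "):
			verified++
		case strings.HasPrefix(line, negPrefix):
			// Fields are "name, commit: <sha>, reason: <why>".
			fields := strings.Split(strings.TrimPrefix(line, negPrefix), ", ")
			reason := "unspecified" // negative line that carries no reason field
			for _, f := range fields[1:] {
				if strings.HasPrefix(f, "reason: ") {
					reason = strings.TrimPrefix(f, "reason: ")
				}
			}
			byReason[reason] = append(byReason[reason], fields[0])
		}
	}
	return verified, byReason
}

func main() {
	verified, byReason := TriageTags(sample)
	fmt.Println("verified:", verified)
	for reason, tags := range byReason {
		fmt.Printf("%s: %s\n", reason, strings.Join(tags, " "))
	}
}
```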