[WIP] policies: Add check for scorecard policies #114
7b1297a to 8804f43
Heh, I copied the SECURITY.md policy and assumed this was a little simpler than it was (roughly a graphql query for some URL). This actually more closely mimics the logic for branch protection.
Looking good so far; let me know if you want an early review, or have any questions about anything.
8804f43 to 6ffb78d
Turns out scorecard already has a policy for this: https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool
Oh ok, so I actually have a couple of issues with this unfortunately. For Scorecard integration, the initial thought was #22 and that policy would list the names of the checks. A main driver is that we didn't want to be downloading the repo tarball multiple times in Allstar. Also, to share code. However, with the scorecard action that launched, it looks like a better path is #28. This will essentially enforce all checks in scorecard. I do still think we can and should have a dependabot/renovatebot policy in Allstar if we gain anything by having access to the GitHub API, which scorecard does not get.
05b8c63 to 2e42e85
FYI scorecard maintainers (@inferno-chromium @laurentsimon @naveensrinivasan @azeemshaikh38) -- I'm working on a refactor of the Opting to work in a temp directory in this PR because:
2ef8e35 to a84ca0a
I'm not sure I fully understand what this PR in AllStar is trying to achieve. Could you elaborate on:
c5a2489 to cc9921c
Signed-off-by: Stephen Augustus <[email protected]>
cc9921c to 269b6a7
Taking over in #240
Implements the scorecard Dependency Update Tool check as an Allstar policy.

Fixes #113

Signed-off-by: Stephen Augustus [email protected]