Skip to content

Commit

Permalink
Merge branch 'main' into docs-signedreleases-3439
Browse files Browse the repository at this point in the history
  • Loading branch information
raghavkaul authored Oct 2, 2023
2 parents 75032e9 + 7034306 commit 4be3436
Show file tree
Hide file tree
Showing 67 changed files with 3,222 additions and 1,139 deletions.
9 changes: 4 additions & 5 deletions .codecov.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,16 +23,15 @@ coverage:
status:
project:
default:
enabled: true
# allowed to drop coverage and still result in a "success" commit status
threshold: null
informational: true
if_not_found: success
if_no_uploads: success
if_ci_failed: error
patch:
default:
enabled: true
threshold: 90%
# patch coverage should be within 10% of existing coverage
target: auto
threshold: 10%
if_not_found: success
if_no_uploads: success
if_ci_failed: error
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ jobs:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Checkout repository
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/depsreview.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: 'Dependency Review'
uses: actions/dependency-review-action@f6fff72a3217f580d5afd49a46826795305b63c7
uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034
6 changes: 3 additions & 3 deletions .github/workflows/docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,12 +35,12 @@ jobs:
docs_only: ${{ steps.docs_only_check.outputs.docs_only }}
steps:
- name: Check out code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 #v4.1.0
with:
fetch-depth: 2 # needed to diff changed files
- id: files
name: Get changed files
uses: tj-actions/changed-files@48566bbcc22ceb7c5809ebdd27377309f2c3de8c #v39.0.0
uses: tj-actions/changed-files@41960309398d165631f08c5df47a11147e14712b #v39.1.2
with:
files_ignore: '**.md'
- id: docs_only_check
Expand Down Expand Up @@ -75,7 +75,7 @@ jobs:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
if: (needs.docs_only_check.outputs.docs_only != 'true')
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: Setup Go # needed for some of the Makefile evaluations, even if building happens in Docker
if: (needs.docs_only_check.outputs.docs_only != 'true')
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/gitlab.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ jobs:
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }} # head SHA if PR, else fallback to push SHA
- name: Setup Go
Expand All @@ -52,7 +52,7 @@ jobs:
echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
- name: Cache builds
# https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 #v3.3.1
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with:
path: |
${{ steps.go-cache-paths.outputs.go-build }}
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/goreleaser.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ jobs:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
fetch-depth: 0
- name: Set up Go
Expand All @@ -52,7 +52,7 @@ jobs:
run: echo "version_flags=$(./scripts/version-ldflags)" >> "$GITHUB_OUTPUT"
- name: Run GoReleaser
id: run-goreleaser
uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v2.5.0
uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v2.5.0
with:
version: latest
args: release --rm-dist
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/integration.yml
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ jobs:
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Setup Go
Expand All @@ -63,7 +63,7 @@ jobs:
echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
- name: Cache builds
# https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 #v3.3.1
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with:
path: |
${{ steps.go-cache-paths.outputs.go-build }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ jobs:
- uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ env.GO_VERSION }}
Expand Down
28 changes: 14 additions & 14 deletions .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ jobs:
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: Setup Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
Expand All @@ -54,7 +54,7 @@ jobs:
echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
- name: Cache builds
# https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 #v3.3.1
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with:
path: |
${{ steps.go-cache-paths.outputs.go-build }}
Expand Down Expand Up @@ -106,7 +106,7 @@ jobs:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Cache builds
# https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: |
~/go/pkg/mod
Expand All @@ -117,7 +117,7 @@ jobs:
restore-keys: |
${{ runner.os }}-go-
- name: Clone the code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
fetch-depth: 0
- name: Setup Go
Expand Down Expand Up @@ -147,7 +147,7 @@ jobs:
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: Setup Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
Expand Down Expand Up @@ -182,7 +182,7 @@ jobs:
version: ${{ env.PROTOC_VERSION }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Clone the code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
fetch-depth: 0
- name: Setup Go
Expand Down Expand Up @@ -226,7 +226,7 @@ jobs:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Cache builds
# https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: |
~/go/pkg/mod
Expand All @@ -237,7 +237,7 @@ jobs:
restore-keys: |
${{ runner.os }}-go-
- name: Clone the code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: Setup Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
Expand Down Expand Up @@ -266,7 +266,7 @@ jobs:

- name: Cache builds
# https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: |
~/go/pkg/mod
Expand All @@ -277,7 +277,7 @@ jobs:
restore-keys: |
${{ runner.os }}-go-
- name: Clone the code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
fetch-depth: 0
- name: Setup Go
Expand Down Expand Up @@ -313,7 +313,7 @@ jobs:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Cache builds
# https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: |
~/go/pkg/mod
Expand All @@ -324,7 +324,7 @@ jobs:
restore-keys: |
${{ runner.os }}-go-
- name: Clone the code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
fetch-depth: 0
- name: Setup Go
Expand Down Expand Up @@ -359,7 +359,7 @@ jobs:
version: ${{ env.PROTOC_VERSION }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Clone the code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
fetch-depth: 0
- name: Setup Go
Expand Down Expand Up @@ -388,7 +388,7 @@ jobs:
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
with:
go-version: ${{ env.GO_VERSION }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/publishimage.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ jobs:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Clone the code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
fetch-depth: 0
- name: Setup Go
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/scorecard-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ jobs:

steps:
- name: "Checkout code"
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

- name: "Run analysis"
uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
Expand All @@ -40,7 +40,7 @@ jobs:
# https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
# Optional.
- name: "Upload artifact"
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
with:
name: SARIF file
path: results.sarif
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/slsa-goreleaser.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ jobs:
go-binary-name: ${{ steps.build.outputs.go-binary-name }}
steps:
- id: checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
fetch-depth: 0
- id: ldflags
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/stale.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ jobs:
- uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v3.0.18
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'Stale issue message'
stale-issue-message: 'This issue is stale because it has been open for 60 days with no activity.'
stale-pr-message: 'Stale pull request message'
stale-issue-label: 'no-issue-activity'
exempt-issue-labels: 'priority,bug,good first issue'
Expand All @@ -43,3 +43,5 @@ jobs:
days-before-pr-stale: '10'
days-before-pr-close: '20'
days-before-issue-stale: '60'
days-before-issue-close: -1
operations-per-run: '100'
16 changes: 14 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# OpenSSF Scorecard

[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard/badge)](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/5621/badge)](https://bestpractices.coreinfrastructure.org/projects/5621)
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/5621/badge)](https://www.bestpractices.dev/projects/5621)
![build](https://github.com/ossf/scorecard/workflows/build/badge.svg?branch=main)
![CodeQL](https://github.com/ossf/scorecard/workflows/CodeQL/badge.svg?branch=main)
[![Go Reference](https://pkg.go.dev/badge/github.com/ossf/scorecard/v4.svg)](https://pkg.go.dev/github.com/ossf/scorecard/v4)
Expand All @@ -16,6 +16,7 @@

- [What Is Scorecard?](#what-is-scorecard)
- [Prominent Scorecard Users](#prominent-scorecard-users)
- [View a Project's Score](#view-a-projects-score)
- [Scorecard's Public Data](#public-data)

## Using Scorecard
Expand Down Expand Up @@ -91,6 +92,17 @@ metrics. Prominent projects that use Scorecard include:
- [sos.dev](https://sos.dev)
- [deps.dev](https://deps.dev)

### View a Project's Score

To see scores for projects regually scanned by Scorecard, navigate to the webviewer, replacing the placeholder text with the platform, user/org, and repository name:
https://securityscorecards.dev/viewer/?uri=<github_or_gitlab>.com/<user_name_or_org>/<repository_name>.

For example:
- [https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
- [https://securityscorecards.dev/viewer/?uri=gitlab.com/fdroid/fdroidclient](https://securityscorecards.dev/viewer/?uri=gitlab.com/fdroid/fdroidclient)

To view scores for projects not included in the webviewer, use the [Scorecard CLI](#scorecard-command-line-interface).

### Public Data

We run a weekly Scorecard scan of the 1 million most critical open source
Expand Down Expand Up @@ -472,7 +484,7 @@ Name | Description | Risk Level | Token Req
[Binary-Artifacts](docs/checks.md#binary-artifacts) | Is the project free of checked-in binaries? | High | PAT, GITHUB_TOKEN | Supported |
[Branch-Protection](docs/checks.md#branch-protection) | Does the project use [Branch Protection](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches) ? | High | PAT (`repo` or `repo> public_repo`), GITHUB_TOKEN | Supported (see notes) | certain settings are only supported with a maintainer PAT
[CI-Tests](docs/checks.md#ci-tests) | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)? | Low | PAT, GITHUB_TOKEN | Supported
[CII-Best-Practices](docs/checks.md#cii-best-practices) | Has the project earned an [OpenSSF (formerly CII) Best Practices Badge](https://bestpractices.coreinfrastructure.org) at the passing, silver, or gold level? | Low | PAT, GITHUB_TOKEN | Validating |
[CII-Best-Practices](docs/checks.md#cii-best-practices) | Has the project earned an [OpenSSF (formerly CII) Best Practices Badge](https://www.bestpractices.dev) at the passing, silver, or gold level? | Low | PAT, GITHUB_TOKEN | Validating |
[Code-Review](docs/checks.md#code-review) | Does the project practice code review before code is merged? | High | PAT, GITHUB_TOKEN | Validating |
[Contributors](docs/checks.md#contributors) | Does the project have contributors from at least two different organizations? | Low | PAT, GITHUB_TOKEN | Validating |
[Dangerous-Workflow](docs/checks.md#dangerous-workflow) | Does the project avoid dangerous coding patterns in GitHub Action workflows? | Critical | PAT, GITHUB_TOKEN | Unsupported |
Expand Down
Loading

0 comments on commit 4be3436

Please sign in to comment.