Merge branch 'main' into gitlab-cron

.github/workflows/docker.yml

@@ -42,7 +42,7 @@ jobs:
         fetch-depth: 2 # needed to diff changed files
     - id: files
       name: Get changed files
-      uses: tj-actions/changed-files@54479c37f5eb47a43e595c6b71e1df2c112ce7f1 #v36.4.1
+      uses: tj-actions/changed-files@bb3376162b179308a79fc4450262a15a8e1d6888 #v37.0.4
       with:
         files_ignore: '**.md'
     - id: docs_only_check

.github/workflows/publishimage.yml

@@ -58,7 +58,7 @@ jobs:
             make install
             make scorecard-ko
      - name: Install Cosign
-       uses: sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9
+       uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06
      - name: Sign image
        run: |
           cosign sign --yes ghcr.io/${{github.repository_owner}}/scorecard/v4:${{ github.sha }}

.github/workflows/scorecard-analysis.yml

@@ -25,7 +25,7 @@ jobs:
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
+        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
         with:
           results_file: results.sarif
           results_format: sarif

Makefile

@@ -341,7 +341,7 @@ e2e-pat: build-scorecard check-env | $(GINKGO)
 e2e-gh-token: ## Runs e2e tests. Requires GITHUB_AUTH_TOKEN env var to be set to default GITHUB_TOKEN
 e2e-gh-token: build-scorecard check-env | $(GINKGO)
 	# Run e2e tests. GITHUB_AUTH_TOKEN set to secrets.GITHUB_TOKEN must be used to run this.
-	TOKEN_TYPE="GITHUB_TOKEN" $(GINKGO) --race -p -v -cover -coverprofile=e2e-coverage.out --keep-separate-coverprofiles ./...
+	GITLAB_AUTH_TOKEN="" TOKEN_TYPE="GITHUB_TOKEN" $(GINKGO) --race -p -v -cover -coverprofile=e2e-coverage.out --keep-separate-coverprofiles ./...
 
 e2e-gitlab-token: ## Runs e2e tests that require a GITLAB_TOKEN
 e2e-gitlab-token: build-scorecard check-env-gitlab | $(GINKGO)

clients/githubrepo/roundtripper/tokens/round_robin_test.go

@@ -0,0 +1,48 @@
+// Copyright 2023 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package tokens
+
+import (
+	"testing"
+)
+
+//golint:paralleltest
+func TestNext(t *testing.T) {
+	tokens := []string{"token1", "token2", "token3", "token4", "token5"}
+	rr := makeRoundRobinAccessor(tokens)
+
+	tests := []struct {
+		name      string
+		releaseID *uint64 // nil if no token is released
+		want      string
+	}{
+		{"First call", nil, "token2"},
+		{"Second call", nil, "token3"},
+		{"Third call", nil, "token4"},
+		{"Fourth call", nil, "token5"},
+		{"After release", func() *uint64 { v := uint64(0); return &v }(), "token1"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.releaseID != nil {
+				rr.Release(*tt.releaseID)
+			}
+			_, got := rr.Next()
+			if got != tt.want {
+				t.Errorf("Next() = %s, want %s", got, tt.want)
+			}
+		})
+	}
+}

clients/githubrepo/roundtripper/tokens/rpc_test.go

@@ -0,0 +1,77 @@
+// Copyright 2023 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package tokens
+
+import "testing"
+
+// mockTokenAccessor implements TokenAccessor for testing.
+type mockTokenAccessor struct {
+	tokens  []string
+	counter uint64
+}
+
+// Next implements TokenAccessor.Next.
+func (m *mockTokenAccessor) Next() (uint64, string) {
+	if len(m.tokens) == 0 {
+		return 0, ""
+	}
+	token := m.tokens[0]
+	m.tokens = m.tokens[1:]
+	m.counter++
+	return m.counter, token
+}
+
+// Release implements TokenAccessor.Release.
+func (m *mockTokenAccessor) Release(id uint64) {
+	// No-op for mock.
+}
+
+// NewMockTokenAccessor creates a new mockTokenAccessor.
+func newMockTokenAccessor(tokens []string) *mockTokenAccessor {
+	return &mockTokenAccessor{
+		tokens: tokens,
+	}
+}
+
+func TestTokenOverRPC_Next(t *testing.T) {
+	mockClient := newMockTokenAccessor([]string{"token1", "token2", "token3"})
+	rpc := NewTokenOverRPC(mockClient)
+	token := &Token{}
+	x := struct{}{}
+	err := rpc.Next(x, token)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if token.Value != "token1" {
+		t.Fatalf("unexpected token: %s", token.Value)
+	}
+	err = rpc.Next(x, token)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if token.Value != "token2" {
+		t.Fatalf("unexpected token: %s", token.Value)
+	}
+}
+
+func TestTokenOverRPC_Release(t *testing.T) {
+	mockClient := newMockTokenAccessor([]string{"token1", "token2", "token3"})
+	rpc := NewTokenOverRPC(mockClient)
+
+	var reply struct{}
+	err := rpc.Release(2, &reply)
+	if err != nil {
+		t.Errorf("Expected no error, got %v", err)
+	}
+}

clients/gitlabrepo/commits_e2e_test.go

@@ -0,0 +1,75 @@
+// Copyright 2023 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gitlabrepo
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+type tokenType int
+
+const (
+	patTokenType tokenType = iota
+	githubWorkflowDefaultTokenType
+	gitlabPATTokenType
+)
+
+var tokType tokenType
+
+func skipIfTokenIsNot(t tokenType, msg string) {
+	if tokType != t {
+		Skip(msg)
+	}
+}
+
+var _ = BeforeSuite(func() {
+	tt := os.Getenv("TOKEN_TYPE")
+	switch tt {
+	case "PAT":
+		tokType = patTokenType
+	case "GITHUB_TOKEN":
+		tokType = githubWorkflowDefaultTokenType
+	case "GITLAB_PAT":
+		tokType = gitlabPATTokenType
+	default:
+		panic(fmt.Sprintf("invalid TOKEN_TYPE: %s", tt))
+	}
+})
+
+var _ = Describe("E2E TEST: gitlabrepo.commitsHandler", func() {
+	Context("ListCommits", func() {
+		It("Checks whether commits are listed - GitLab", func() {
+			skipIfTokenIsNot(patTokenType, "PAT only")
+			repo, err := MakeGitlabRepo("https://gitlab.com/baserow/baserow")
+			Expect(err).Should(BeNil())
+
+			client, err := CreateGitlabClient(context.Background(), repo.Host())
+			Expect(err).Should(BeNil())
+
+			err = client.InitRepo(repo, "8a38c9f724c19b5422e27864a108318d1f769b8a", 20)
+			Expect(err).Should(BeNil())
+
+			c, err := client.ListCommits()
+			Expect(err).Should(BeNil())
+
+			Expect(len(c)).Should(BeNumerically(">", 0))
+		})
+	})
+})

clients/gitlabrepo/commits_test.go

@@ -15,54 +15,9 @@
 package gitlabrepo
 
 import (
-	"context"
 	"testing"
 )
 
-func Test_Setup(t *testing.T) {
-	t.Parallel()
-	tcs := []struct {
-		name    string
-		repourl string
-		commit  string
-		depth   int
-	}{
-		{
-			name:    "check that listcommits works",
-			repourl: "https://gitlab.com/fdroid/fdroidclient",
-			commit:  "a4bbef5c70fd2ac7c15437a22ef0f9ef0b447d08",
-			depth:   20,
-		},
-	}
-
-	for _, tt := range tcs {
-		t.Run(tt.name, func(t *testing.T) {
-			repo, err := MakeGitlabRepo(tt.repourl)
-			if err != nil {
-				t.Error("couldn't make gitlab repo", err)
-			}
-
-			client, err := CreateGitlabClient(context.Background(), repo.Host())
-			if err != nil {
-				t.Error("couldn't make gitlab client", err)
-			}
-
-			err = client.InitRepo(repo, tt.commit, tt.depth)
-			if err != nil {
-				t.Error("couldn't init gitlab repo", err)
-			}
-
-			c, err := client.ListCommits()
-			if err != nil {
-				t.Error("couldn't list gitlab repo commits", err)
-			}
-			if len(c) == 0 {
-				t.Error("couldn't get any commits from gitlab repo")
-			}
-		})
-	}
-}
-
 func TestParsingEmail(t *testing.T) {
 	t.Parallel()
 

clients/gitlabrepo/contributors_test.go

@@ -15,66 +15,13 @@
 package gitlabrepo
 
 import (
-	"context"
-	"fmt"
 	"strconv"
-	"strings"
 	"sync"
 	"testing"
 
 	"github.com/xanzy/go-gitlab"
 )
 
-func Test_ContributorsSetup(t *testing.T) {
-	t.Parallel()
-	tcs := []struct {
-		name    string
-		repourl string
-		commit  string
-		depth   int
-	}{
-		{
-			name:    "check that Contributor works",
-			repourl: "https://gitlab.com/fdroid/fdroidclient",
-			commit:  "HEAD",
-			depth:   20,
-		},
-	}
-
-	for _, tt := range tcs {
-		t.Run(tt.name, func(t *testing.T) {
-			repo, err := MakeGitlabRepo(tt.repourl)
-			if err != nil {
-				t.Error("couldn't make gitlab repo", err)
-			}
-
-			client, err := CreateGitlabClientWithToken(context.Background(), "", repo.Host())
-			if err != nil {
-				t.Error("couldn't make gitlab client", err)
-			}
-
-			err = client.InitRepo(repo, tt.commit, tt.depth)
-			if err != nil {
-				t.Error("couldn't init gitlab repo",
-					err)
-			}
-
-			c, err := client.ListContributors()
-			// Authentication is failing when querying users, not sure yet how to get around that
-			if err != nil {
-				errMsg := fmt.Sprintf("%v", err)
-
-				if !(strings.Contains(errMsg, "error during Users.Get") && strings.Contains(errMsg, "401")) {
-					t.Error("couldn't list gitlab repo contributors", err)
-				}
-			}
-			if len(c) != 0 {
-				t.Error("couldn't get any contributors from gitlab repo")
-			}
-		})
-	}
-}
-
 func TestContributors(t *testing.T) {
 	t.Parallel()
 

e2e/code_review_test.go

@@ -126,6 +126,7 @@ var _ = Describe("E2E TEST:"+checks.CheckCodeReview, func() {
 	// GitLab doesn't seem to preserve merge requests (pull requests in github) and some users had data lost in
 	// the transfer from github so this returns a different value than the above GitHub test.
 	It("Should return use of code reviews at commit - GitLab", func() {
+		Skip("https://github.com/ossf/scorecard/issues/3193")
 		skipIfTokenIsNot(gitlabPATTokenType, "GitLab only")
 
 		dl := scut.TestDetailLogger{}
@@ -154,6 +155,7 @@ var _ = Describe("E2E TEST:"+checks.CheckCodeReview, func() {
 	// GitLab doesn't seem to preserve merge requests (pull requests in github) and some users had data lost in
 	// the transfer from github so this returns a different value than the above GitHub test.
 	It("Should return use of code reviews at HEAD - GitLab", func() {
+		Skip("https://github.com/ossf/scorecard/issues/3193")
 		skipIfTokenIsNot(gitlabPATTokenType, "GitLab only")
 
 		dl := scut.TestDetailLogger{}