Merge branch 'main' into perm-docs
laurentsimon authored Feb 25, 2022
2 parents e346208 + 4c82c29 commit 83b8194
Showing 26 changed files with 1,068 additions and 744 deletions.
2 changes: 2 additions & 0 deletions .codecov.yml
Expand Up @@ -4,6 +4,8 @@ codecov:
after_n_builds: 1
require_ci_to_pass: yes

ignore:
- "cron/**/*"
coverage:
precision: 2
round: down
43 changes: 35 additions & 8 deletions .github/PULL_REQUEST_TEMPLATE.md
@@ -1,21 +1,48 @@
* **Please check if the PR fulfills these requirements**
- [ ] Tests for the changes have been added (for bug fixes / features)
- [ ] PR title follows the guidelines defined in https://github.com/ossf/scorecard/blob/main/CONTRIBUTING.md#pr-process
#### What kind of change does this PR introduce?

* **What kind of change does this PR introduce?** (Bug fix, feature, docs update, ...)
(Is it a bug fix, feature, docs update, something else?)

- [ ] PR title follows the guidelines defined in our [pull request documentation](https://github.com/ossf/scorecard/blob/main/CONTRIBUTING.md#pr-process)

#### What is the current behavior?

* **What is the current behavior?** (You can also link to an open issue here)
#### What is the new behavior (if this is a feature change)?**

- [ ] Tests for the changes have been added (for bug fixes/features)

#### Which issue(s) this PR fixes

* **What is the new behavior (if this is a feature change)?**
<!--
*Automatically closes linked issue when PR is merged.
Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
Fixes #
or
* **Does this PR introduce a breaking change?** (What changes might users need to make in their application due to this PR?)
NONE
-->

#### Special notes for your reviewer

#### Does this PR introduce a user-facing change?

* **Other information**:
For user-facing changes, please add a concise, human-readable release note to
the `release-note`

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

<!--
If no, just write "NONE" in the release-note block below.
If yes, a release note is required:
Enter your extended release note in the block below.
If the PR requires additional action from users switching to the new release,
include the string "ACTION REQUIRED".
For more information on release notes see: https://git.k8s.io/release/cmd/release-notes/README.md
-->

```release-note
```
8 changes: 7 additions & 1 deletion .github/workflows/main.yml
Expand Up @@ -13,7 +13,13 @@
# limitations under the License.

name: build
on: [push, pull_request]
on:
push:
branches:
- main
pull_request:
branches:
- main
jobs:
unit-test:
name: unit-test
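Review bot: Narrowing `pull_request` to `branches: [main]` means a pull request opened against any other base branch (a release or feature branch, if the project uses them) no longer runs the unit-test job at all, and the same applies to plain pushes on non-main branches until a PR is opened. If that is the intent, a one-line comment above `on:` such as `# CI runs only for main; PRs against other branches are not built` would make the trade-off visible to the next reader. If it is not, keeping `pull_request:` unfiltered while restricting `push:` to main preserves pre-merge coverage for every branch.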
4 changes: 2 additions & 2 deletions .github/workflows/scorecard-analysis.yml
Expand Up @@ -31,10 +31,10 @@ jobs:
repo_token: ${{ secrets.GITHUB_TOKEN }}
# Scorecard team runs a weekly scan of public GitHub repos,
# see https://github.com/ossf/scorecard#public-data.
# Setting `share_results: true` helps us scale by leveraging your workflow to
# Setting `publish_results: true` helps us scale by leveraging your workflow to
# extract the results instead of relying on our own infrastructure to run scans.
# And it's free for you!
share_results: true
publish_results: true

# https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
# Optional.
28 changes: 21 additions & 7 deletions checks/dangerous_workflow.go
Expand Up @@ -98,23 +98,37 @@ func DangerousWorkflow(c *checker.CheckRequest) checker.CheckResult {
data := patternCbData{
workflowPattern: make(map[dangerousResults]bool),
}
err := fileparser.CheckFilesContent(".github/workflows/*", false,
c, validateGitHubActionWorkflowPatterns, &data)
err := fileparser.OnMatchingFileContentDo(c.RepoClient, fileparser.PathMatcher{
Pattern: ".github/workflows/*",
CaseSensitive: false,
},
validateGitHubActionWorkflowPatterns, c.Dlogger, &data)
return createResultForDangerousWorkflowPatterns(data, err)
}

// Check file content.
func validateGitHubActionWorkflowPatterns(path string, content []byte, dl checker.DetailLogger,
data fileparser.FileCbData) (bool, error) {
var validateGitHubActionWorkflowPatterns fileparser.DoWhileTrueOnFileContent = func(path string,
content []byte,
args ...interface{}) (bool, error) {
if !fileparser.IsWorkflowFile(path) {
return true, nil
}

if len(args) != 2 {
return false, fmt.Errorf(
"validateGitHubActionWorkflowPatterns requires exactly 2 arguments: %w", errInvalidArgLength)
}

// Verify the type of the data.
pdata, ok := data.(*patternCbData)
pdata, ok := args[1].(*patternCbData)
if !ok {
return false, fmt.Errorf(
"validateGitHubActionWorkflowPatterns expects arg[0] of type *patternCbData: %w", errInvalidArgType)
}
dl, ok := args[0].(checker.DetailLogger)
if !ok {
// This never happens.
panic("invalid type")
return false, fmt.Errorf(
"validateGitHubActionWorkflowPatterns expects arg[1] of type checker.DetailLogger: %w", errInvalidArgType)
}

if !fileparser.CheckFileContainsCommands(content, "#") {
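Review bot: The two new error messages name the wrong argument index: the assertion on `args[1]` reports `expects arg[0] of type *patternCbData`, and the assertion on `args[0]` reports `expects arg[1] of type checker.DetailLogger`, which would send whoever debugs a bad call site to the wrong parameter. The call in DangerousWorkflow passes `c.Dlogger, &data`, so the code is right and only the strings need swapping: `"validateGitHubActionWorkflowPatterns expects arg[1] of type *patternCbData: %w"` and `"validateGitHubActionWorkflowPatterns expects arg[0] of type checker.DetailLogger: %w"`. Since `args ...interface{}` moves what used to be a compile-time signature check to runtime, accurate messages are the only remaining signal for a mis-ordered call. validateGitHubActionWorkflowPatterns continues past the end of the hunk.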
10 changes: 3 additions & 7 deletions checks/errors.go
Expand Up @@ -18,16 +18,12 @@ import (
"errors"
)

//nolint
var (
errInternalInvalidDockerFile = errors.New("invalid Dockerfile")
errInternalInvalidYamlFile = errors.New("invalid yaml file")
errInternalFilenameMatch = errors.New("filename match error")
errInternalEmptyFile = errors.New("empty file")
errInvalidGitHubWorkflow = errors.New("invalid GitHub workflow")
errInternalNoReviews = errors.New("no reviews found")
errInternalNoCommits = errors.New("no commits found")
errInternalInvalidPermissions = errors.New("invalid permissions")
errInternalNameCannotBeEmpty = errors.New("name cannot be empty")
errInternalCheckFuncCannotBeNil = errors.New("checkFunc cannot be nil")
// TODO(#1245): these should be moved under `raw` package after migration.
errInvalidArgType = errors.New("invalid arg type")
errInvalidArgLength = errors.New("invalid arg length")
)
32 changes: 30 additions & 2 deletions checks/fileparser/github_workflow.go
Expand Up @@ -330,8 +330,36 @@ type JobMatcherStep struct {
Run string
}

// Matches returns true if the job matches the job matcher.
func (m *JobMatcher) Matches(job *actionlint.Job) bool {
// AnyJobsMatch returns true if any of the jobs have a match in the given workflow.
func AnyJobsMatch(workflow *actionlint.Workflow, jobMatchers []JobMatcher, fp string, dl checker.DetailLogger,
logMsgNoMatch string) bool {
for _, job := range workflow.Jobs {
for _, matcher := range jobMatchers {
if !matcher.matches(job) {
continue
}

dl.Info(&checker.LogMessage{
Path: fp,
Type: checker.FileTypeSource,
Offset: GetLineNumber(job.Pos),
Text: matcher.LogText,
})
return true
}
}

dl.Debug(&checker.LogMessage{
Path: fp,
Type: checker.FileTypeSource,
Offset: checker.OffsetDefault,
Text: logMsgNoMatch,
})
return false
}

// matches returns true if the job matches the job matcher.
func (m *JobMatcher) matches(job *actionlint.Job) bool {
for _, stepToMatch := range m.Steps {
hasMatch := false
for _, step := range job.Steps {
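Review bot: AnyJobsMatch returns on the first job that matches, but `workflow.Jobs` is a map in actionlint, so when more than one job matches, which job's `Pos` and `LogText` reach `dl.Info` changes from run to run and the check's detail output is not reproducible. Ranging over the job names in sorted order makes the reported job stable; this needs `sort` in the import block, which lies outside the hunk. The loop itself is safe on a nil map, but a nil `workflow` would still be dereferenced at `workflow.Jobs`, so a guard is worth adding if any caller can pass one. matches begins at the end of the hunk and continues outside it.
```go
func AnyJobsMatch(workflow *actionlint.Workflow, jobMatchers []JobMatcher, fp string, dl checker.DetailLogger,
	logMsgNoMatch string) bool {
	// Map iteration order is random; visit jobs by sorted name so the
	// job reported in the log is the same on every run.
	names := make([]string, 0, len(workflow.Jobs))
	for name := range workflow.Jobs {
		names = append(names, name)
	}
	sort.Strings(names)
	for _, name := range names {
		job := workflow.Jobs[name]
		// … unchanged: matcher loop, dl.Info on match, return true …
	}
	// … unchanged: dl.Debug with logMsgNoMatch, return false …
```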