Skip to content

Commit

Permalink
Merge branch 'main' into look-for-sign
Browse files Browse the repository at this point in the history
  • Loading branch information
naveensrinivasan authored Nov 20, 2021
2 parents 6e9db1d + 10ee2c0 commit c32a2f4
Show file tree
Hide file tree
Showing 7 changed files with 33 additions and 96 deletions.
101 changes: 13 additions & 88 deletions .github/workflows/integration.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,71 +12,34 @@
# See the License for the specific language governing permissions and
# limitations under the License.

# Run secret-dependent integration tests only after /ok-to-test approval
on:
pull_request:
repository_dispatch:
types: [ok-to-test-command]

# Run secret-dependent integration tests only after approval
name: Integration tests
env:
IMAGE_NAME: scorecard
OUTPUT_PATH: output
on: pull_request_target

permissions:
contents: read
pull-requests: write

jobs:
integration-trusted:
approve:
runs-on: ubuntu-latest
steps:
- id: debug-outputs
run: |
echo ${{ github.event_name }}
echo ${{ github.event.client_payload }}
- id: verify-sha-input
if: github.event_name == 'repository_dispatch'
run: |
echo \"${{ github.event.client_payload.pull_request.head.sha }}\"
echo \"${{ github.event.client_payload.slash_command.args.named.sha }}\"
SHAINPUT=$(echo ${{github.event.client_payload.slash_command.args.named.sha}} | cut -c1-7)
if [ ${#SHAINPUT} -le 6 ]; then echo "error::input sha not at least 7 characters long" ; exit 1
else echo "done"
fi
SHAHEAD=$(echo ${{github.event.client_payload.pull_request.head.sha}} | cut -c1-7)
echo ${#SHAINPUT}
echo ${#SHAHEAD}
if [ "${SHAHEAD}" != "${SHAINPUT}" ]; then echo "sha input from slash command does not equal the head sha" ; exit 1
else echo "shas are equal"
fi
- name: pull_request actions/checkout
if: github.event_name == 'pull_request'
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
- name: approve
run: echo For security reasons, all pull requests need to be approved before running integration tests.

integration-trusted:
runs-on: ubuntu-latest
environment: integration-test
needs: [approve]
steps:
- name: pull_request actions/checkout
if: github.event_name == 'repository_dispatch'
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
with:
ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'

- name: setup-go
uses: actions/setup-go@331ce1d993939866bb63c32c6cbbfd48fa76fc57 # v2.1.3
with:
go-version: '1.17'

- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@daadedc81d5f9d3c06d2c92f49202a3cc2b919ba # v0.2.1
with:
project_id: ${{ secrets.GCP_PROJECT_ID }}
service_account_key: ${{ secrets.GCRTOKEN }}
export_default_credentials: true

- name: Use gcloud CLI
run: gcloud info

- name: Prepare test env
run: |
go mod download
Expand All @@ -89,7 +52,6 @@ jobs:
make ci-e2e
- name: find comment
if: ${{ always() }}
uses: peter-evans/find-comment@d2dae40ed151c634e4189471272b57e76ec19ba8 # v1.2.0
id: fc
with:
Expand All @@ -98,48 +60,11 @@ jobs:
body-includes: Integration tests ran for

- name: create or update comment
if: (${{ always() }})
uses: peter-evans/create-or-update-comment@a35cf36e5301d70b76f316e867e7788a55a31dae # v1.4.5
with:
issue-number: ${{ github.event.pull_request.number || github.event.client_payload.pull_request.number }}
comment-id: ${{ steps.fc.outputs.comment-id }}
body: |
Integration tests ${{ job.status }} for [${{ github.event.client_payload.slash_command.args.named.sha || github.event.pull_request.head.sha }}](https://github.com/ossf/scorecard/actions/runs/${{ github.run_id }})
- name: set fork job status
uses: actions/github-script@441359b1a30438de65712c2fbca0abe4816fa667 # v5.0.0
if: ${{ always() }}
id: update-check-run
env:
number: ${{ github.event.client_payload.pull_request.number }}
job: ${{ github.job }}
# Conveniently, job.status maps to https://developer.github.com/v3/checks/runs/#update-a-check-run
conclusion: ${{ job.status }}
sha: ${{ github.event.client_payload.slash_command.args.named.sha }}
event_name: ${{ github.event_name }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
if (process.env.event_name !== 'repository_dispatch') {
console.log("Not repository_dispatch... nothing to do!");
return process.env.event_name;
}
const ref = process.env.sha;
const { data: checks } = await github.checks.listForRef({
...context.repo,
ref
});
const check = checks.check_runs.filter(c => c.name === process.env.job);
console.log(check);
const { data: result } = await github.checks.update({
...context.repo,
check_run_id: check[0].id,
status: 'completed',
conclusion: process.env.conclusion
});
return result;
Integration tests ${{ job.status }} for
[${{ github.event.client_payload.slash_command.args.named.sha || github.event.pull_request.head.sha }}]
(https://github.com/ossf/scorecard/actions/runs/${{ github.run_id }})
9 changes: 9 additions & 0 deletions clients/cii_blob_client.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,15 @@ func (client *blobClientCIIBestPractices) GetBadgeLevel(ctx context.Context, uri
defer bucket.Close()

objectName := fmt.Sprintf("%s/result.json", uri)

exists, err := bucket.Exists(ctx, objectName)
if err != nil {
return Unknown, fmt.Errorf("error during bucket.Exists: %w", err)
}
if !exists {
return NotFound, nil
}

jsonData, err := bucket.ReadAll(ctx, objectName)
if err != nil {
return Unknown, fmt.Errorf("error during bucket.ReadAll: %w", err)
Expand Down
2 changes: 1 addition & 1 deletion cron/k8s/cii.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ metadata:
name: scorecard-cii-worker
spec:
# At 00:00UTC on 1st of every month.
schedule: "@monthly"
schedule: "0 20 * * 0"
concurrencyPolicy: "Forbid"
jobTemplate:
spec:
Expand Down
2 changes: 2 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,8 @@ replace (
github.com/gorilla/handlers => github.com/gorilla/handlers v1.3.0
// https://github.com/miekg/dns/issues/1037
github.com/miekg/dns => github.com/miekg/dns v1.1.25-0.20191211073109-8ebf2e419df7
//https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2
// This replace is for https://nvd.nist.gov/vuln/detail/CVE-2021-3538
github.com/satori/go.uuid => github.com/satori/go.uuid v1.2.1-0.20181016170032-d91630c85102
// This replace is for https://github.com/advisories/GHSA-25xm-hr59-7c27
Expand Down
5 changes: 2 additions & 3 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -1048,9 +1048,8 @@ github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQ
github.com/opencontainers/go-digest v1.0.0-rc1.0.20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.0.0/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
github.com/opencontainers/image-spec v1.0.1 h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI=
github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
github.com/opencontainers/runc v1.0.0-rc10/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
Expand Down
2 changes: 1 addition & 1 deletion tools/go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -182,4 +182,4 @@ require (
)

// https://github.com/advisories/GHSA-c2h3-6mxw-7mvq
replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.7
replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.8
8 changes: 5 additions & 3 deletions tools/go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@ github.com/Microsoft/go-winio v0.5.0 h1:Elr9Wn+sGKPlkaBvwu4mTrxtmOp3F3yV9qhaHbXG
github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600=
github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg=
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/OpenPeeDeeP/depguard v1.0.1 h1:VlW4R6jmBIv3/u1JNlawEvJMM4J+dPORPaZasQee8Us=
Expand Down Expand Up @@ -134,6 +134,7 @@ github.com/bmatcuk/doublestar/v4 v4.0.2/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTS
github.com/bombsimon/wsl/v3 v3.3.0 h1:Mka/+kRLoQJq7g2rggtgQsjuI/K5Efd87WX96EWFxjM=
github.com/bombsimon/wsl/v3 v3.3.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc=
github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
Expand Down Expand Up @@ -162,8 +163,8 @@ github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68/go.mod h1:ZJeTF
github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU=
github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw=
github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ=
github.com/containerd/containerd v1.5.7 h1:rQyoYtj4KddB3bxG6SAqd4+08gePNyJjRqvOIfV3rkM=
github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c=
github.com/containerd/containerd v1.5.8 h1:NmkCC1/QxyZFBny8JogwLpOy2f+VEbO/f6bV2Mqtwuw=
github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s=
github.com/containerd/continuity v0.0.0-20210208174643-50096c924a4e/go.mod h1:EXlVlkqNba9rJe3j7w3Xa924itAMLgZH4UD/Q4PExuQ=
github.com/containerd/continuity v0.1.0/go.mod h1:ICJu0PwR54nI0yPEnJ6jcS+J7CZAUXrLh8lPo2knzsM=
github.com/containerd/fifo v1.0.0/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4=
Expand All @@ -176,6 +177,7 @@ github.com/containerd/stargz-snapshotter/estargz v0.7.0/go.mod h1:83VWDqHnurTKli
github.com/containerd/stargz-snapshotter/estargz v0.8.0 h1:oA1wx8kTFfImfsT5bScbrZd8gK+WtQnn15q82Djvm0Y=
github.com/containerd/stargz-snapshotter/estargz v0.8.0/go.mod h1:mwIwuwb+D8FX2t45Trwi0hmWmZm5VW7zPP/rekwhWQU=
github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
github.com/containerd/ttrpc v1.1.0/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ=
github.com/containerd/typeurl v1.0.1/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg=
github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s=
github.com/containerd/zfs v1.0.0/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY=
Expand Down

0 comments on commit c32a2f4

Please sign in to comment.