Is your feature request related to a problem? Please describe.
As a maintainer of semantic-release, I am also a heavy user. Since semantic-release is not detected as a packaging tool, both "Packaging" and "Token-Permissions" checks are impacted negatively, even though fully automated publishing workflows are implemented.
Describe the solution you'd like
It would be great if semantic-release could be detected as a packaging tool and result in improved scores for the related checks.
Describe alternatives you've considered
https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#packaging mentions future improved querying of the npm registry, so waiting for that could cover a large amount of semantic-release usage. However, semantic-release is used for additional package ecosystems than npm, so this could involve waiting for support for each ecosystem registry to be supported. In addition, I imagine this would not account for "Token-Permissions".
Additional context
I am not a Go developer, so I would need guidance in order to contribute the change myself. At minimum, I am interested in coordinating with members of our community to get this implemented or at least help clarify usage details around semantic-release.