🐛Signed-Releases: really look for *.sign files #1298
Conversation
With this patch applied projects like dracut pass the check:

```
"checks": [
  {
    "details": [
      "Debug: GitHub release found: 055",
      "Info: signed release artifact: dracut-055.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/37635937",
      "Debug: GitHub release found: 054",
      "Info: signed release artifact: dracut-054.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/36958052",
      "Debug: GitHub release found: 053",
      "Info: signed release artifact: dracut-053.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/32484038",
      "Debug: GitHub release found: 052",
      "Info: signed release artifact: dracut-052.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/32130796",
      "Debug: GitHub release found: 051",
      "Info: signed release artifact: dracut-051.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/31933850"
    ],
    "score": 10,
    "reason": "5 out of 5 artifacts are signed -- score normalized to 10",
    "name": "Signed-Releases",
```
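To show what the output above reflects, here is an added example (not scorecard's own code) of a Signed-Releases style check: it walks the newest `releaseLookBack` releases, treats a release as signed when one of its assets ends in a known signature suffix including `.sign`, and normalizes the count to a 0..10 score. The `release` type, `scoreReleases` and `isSignatureFile` names and the sample asset names are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Suffixes that mark a signature file; ".sign" is what dracut-055.tar.sign needs.
var signatureExtensions = []string{".asc", ".minisig", ".sig", ".sign"}
type release []string // constructed stand-in: one GitHub release's asset names

// isSignatureFile matches on the file suffix so ".sig" cannot match ".sign".
func isSignatureFile(name string) bool {
	for _, ext := range signatureExtensions {
		if strings.HasSuffix(name, ext) {
			return true
		}
	}
	return false
}

// scoreReleases counts signed releases among the newest lookBack and scores 0..10.
func scoreReleases(releases []release, lookBack int) (signed, total, score int) {
	for i, assets := range releases {
		if i >= lookBack {
			break
		}
		total++
		for _, a := range assets {
			if isSignatureFile(a) {
				signed++
				break
			}
		}
	}
	if total > 0 {
		score = signed * 10 / total
	}
	return signed, total, score
}

func main() {
	rels := []release{ // constructed input modelled on the dracut output above
		{"dracut-055.tar.xz", "dracut-055.tar.sign"},
		{"dracut-054.tar.xz", "dracut-054.tar.sign"},
		{"dracut-053.tar.xz"}, // no signature file, so not counted as signed
	}
	s, t, sc := scoreReleases(rels, 5)
	fmt.Printf("%d out of %d artifacts are signed -- score normalized to %d\n", s, t, sc)
}
```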
Thanks!
Head branch was pushed to by a user without write access
@laurentsimon the PR was out of date with the main branch so I rebased and pushed it once again, disabling "auto-merge" along the way. I also updated the commit message to make it pass the "description" check. Could you take a look?
The integration tests are failing; we need to fix that upstream, so the PR is blocked atm.
Just out of curiosity, is that "out-of-date" check I see every time the scorecard repository gets updated turned on via the "strict" status check mentioned at https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging? It seems to be too annoying, at least in projects receiving a lot of PRs, so I'm not sure.
I mean, it's probably OK to enforce it when all contributors work at the same company, for example, and have to follow this policy, but it's just strange to enforce it on external contributors.
Just to clarify, I've opened 3 PRs and, as far as I understand, I'll basically have to rebase and push all of them one way or another once the integration test is fixed. Personally I think it's a waste of time given there aren't any merge conflicts there, and I certainly wouldn't want to waste other people's time with this strict check unless I was ready to rebase PRs like that myself (which I'm definitely not :-)).
@@ -28,7 +28,7 @@ const ( | |||
releaseLookBack = 5 | |||
) | |||
|
|||
var artifactExtensions = []string{".asc", ".minisig", ".sig"} |
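Review bot: the only side of this hunk that is visible still lists `".asc", ".minisig", ".sig"` without `".sign"`, yet the PR title and the dracut output above (`dracut-055.tar.sign`) depend on `.sign` being recognised, so please confirm the added line of the `-28,7 +28,7` hunk appends `".sign"` to `artifactExtensions`. Since `.sig` is a prefix of `.sign`, the lookup that consumes this slice should match on the full file suffix rather than a substring, otherwise the two extensions are indistinguishable; a one-line doc comment on the `var` stating that these are signature-file suffixes matched against release asset names would also address the "Var" remark below.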
Var