-
Notifications
You must be signed in to change notification settings - Fork 508
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🐛 Add GitHub committer verification #1695
Conversation
Codecov Report
@@ Coverage Diff @@
## main #1695 +/- ##
==========================================
+ Coverage 58.39% 61.76% +3.37%
==========================================
Files 58 58
Lines 5910 5940 +30
==========================================
+ Hits 3451 3669 +218
+ Misses 2219 2026 -193
- Partials 240 245 +5 |
Integration tests success for |
Integration tests success for |
Integration tests success for |
} else if commit.Committer.Name != nil && | ||
// Username "GitHub" may indicate the commit was committed by GitHub. | ||
// We verify that the commit is signed by GitHub, because the name can be spoofed. | ||
*commit.Committer.Name == "GitHub" && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any reason we want to check committer.name
if we already have wasSignedByGitHub
bool?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just to verify our assumptions that the name should be "GitHub". Not exactly needed, agreed.
// TODO(#1543): Figure out a way to safely get committer if `User.Login` is `nil`. | ||
|
||
if committer == "" { | ||
return ret, fmt.Errorf("commit %s: %w", commit.Oid, errorInvalidCommitterLogin) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not leave committer
as nil
if this is the case? This might cause a lot of errors in the cron job.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's try to see what happens in the integration tests before using this code for the weekly cron. It'd be great to be able to report the committer's login reliably.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so I'll keep code as-is. Hope this does not backfire
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm running with the latest main code, and I think this is causing an error for me:
$ ./scorecard --repo=dart-lang/sdk --checks=Fuzzing
Starting [Fuzzing]
2022/03/03 19:26:00 internal error: ListCommits:error during graphqlHandler.setup: commit d3e36fab5eb55706a36144fe41abc2546ffa0b55: cannot retrieve committer login
panic: internal error: ListCommits:error during graphqlHandler.setup: commit d3e36fab5eb55706a36144fe41abc2546ffa0b55: cannot retrieve committer login
goroutine 1 [running]:
log.Panic({0xc000667ab8, 0xc0002be1c0, 0x100df38})
log/log.go:354 +0x65
github.com/ossf/scorecard/v4/cmd.rootCmd(0xc000470000)
github.com/ossf/scorecard/v4/cmd/root.go:138 +0x751
github.com/ossf/scorecard/v4/cmd.New.func2(0xc000421680, {0xe9e91a, 0x2, 0x2})
github.com/ossf/scorecard/v4/cmd/root.go:62 +0x1d
github.com/spf13/cobra.(*Command).execute(0xc000421680, {0xc0000a8160, 0x2, 0x2})
github.com/spf13/[email protected]/command.go:860 +0x5f8
github.com/spf13/cobra.(*Command).ExecuteC(0xc000421680)
github.com/spf13/[email protected]/command.go:974 +0x3bc
github.com/spf13/cobra.(*Command).Execute(...)
github.com/spf13/[email protected]/command.go:902
main.main()
github.com/ossf/scorecard/v4/main.go:27 +0x25
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Created #1710
clients/githubrepo/graphql.go
Outdated
associatedPR.Reviews = append(associatedPR.Reviews, clients.Review{ | ||
State: string(review.State), | ||
State: string(review.State), | ||
Author: &author, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: remove the author
var and create the struct here directly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
author is a pointer, I don't think you can assign a temporary pointer directly. If the compiler does not complain, I'll do that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And I was wrong, below seem to work just fine!
Author: &clients.User{
Login: string(review.Author.Login),
},
18f0677
to
ef812a3
Compare
ef812a3
to
844ca45
Compare
Integration tests success for |
Integration tests success for |
Integration tests success for |
PR verifies the commit's signature when the committer's name is "GitHub" and the committer's login for a merged PR is
""
.See #1543 for more details
In addition, it fixes reviewer names that were not populated( I caught this problem when using
--format raw
)closes #1543