From 70af98fa64f1a8cb32fccf5e3196462c09766cbb Mon Sep 17 00:00:00 2001 From: Matt Travi Date: Sun, 7 May 2023 09:54:57 -0500 Subject: [PATCH 1/2] :sparkles: Add packaging workflow for semantic-release Signed-off-by: Matt Travi --- checks/fileparser/github_workflow.go | 9 +++++++ checks/fileparser/github_workflow_test.go | 5 ++++ ...b-workflow-packaging-semantic-release.yaml | 24 +++++++++++++++++++ 3 files changed, 38 insertions(+) create mode 100644 checks/testdata/.github/workflows/github-workflow-packaging-semantic-release.yaml
diff --git a/checks/fileparser/github_workflow.go b/checks/fileparser/github_workflow.go
index 9461c250c98..96a2be94161 100644
--- a/checks/fileparser/github_workflow.go
+++ b/checks/fileparser/github_workflow.go
@@ -565,6 +565,15 @@ func IsPackagingWorkflow(workflow *actionlint.Workflow, fp string) (JobMatchResu
 },
 LogText: "candidate container publishing workflow using ko",
 },
+ {
+ // Commonly JavaScript packages, but supports multiple ecosystems
+ Steps: []*JobMatcherStep{
+ {
+ Run: "npx.*semantic-release",
+ },
+ },
+ LogText: "candidate publishing workflow using semantic-release",
+ },
 }
 return AnyJobsMatch(workflow, jobMatchers, fp, "not a publishing workflow")
diff --git a/checks/fileparser/github_workflow_test.go b/checks/fileparser/github_workflow_test.go
index 4702c80a626..6d132136ede 100644
--- a/checks/fileparser/github_workflow_test.go
+++ b/checks/fileparser/github_workflow_test.go
@@ -998,6 +998,11 @@ func TestIsPackagingWorkflow(t *testing.T) {
 filename: "../testdata/.github/workflows/github-workflow-packaging-cargo.yaml",
 expected: true,
 },
+ {
+ name: "semantic-release publish",
+ filename: "../testdata/.github/workflows/github-workflow-packaging-semantic-release.yaml",
+ expected: true,
+ },
 }
 for _, tt := range tests {
 tt := tt // Re-initializing variable so it is not changed while executing the closure below
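Review bot: The new matcher's `Run: "npx.*semantic-release"` is unanchored and its `.*` spans the rest of the command, so — assuming `Run` is matched as a regular expression, as the `.*` implies — a step such as `npx semantic-release --dry-run` (a common pull-request validation step that publishes nothing) is reported as a publishing workflow, while equivalent invocations through `npm exec semantic-release`, `yarn semantic-release` or `pnpm exec semantic-release` are not matched at all. Go's RE2 syntax has no negative lookahead, so the dry-run case cannot be excluded inside the pattern, but the tool prefixes can be widened to `Run: "(npx|npm exec|yarn|pnpm( exec)?)( .*)? semantic-release"`, which still matches the fixture's `npx -p @semantic-release/git semantic-release`. Whichever pattern is kept, the comment above `Steps` should record the known false positive, e.g. `// Also matches --dry-run invocations; the regex cannot exclude them.` IsPackagingWorkflow's body begins outside the hunk.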
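Review bot: The added table entry exercises only the positive match for the new `npx.*semantic-release` pattern; the hunk adds no `expected: false` case for it, so a later loosening of the regex would go unnoticed by this test. A sibling entry backed by a fixture whose `run:` step uses `npx` for something unrelated (constructed example: `npx eslint .`) would pin that boundary. The test table and the loop over it continue outside the hunk.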
diff --git a/checks/testdata/.github/workflows/github-workflow-packaging-semantic-release.yaml b/checks/testdata/.github/workflows/github-workflow-packaging-semantic-release.yaml
new file mode 100644
index 00000000000..671f1a51f8a
--- /dev/null
+++ b/checks/testdata/.github/workflows/github-workflow-packaging-semantic-release.yaml
@@ -0,0 +1,24 @@
+# Copyright 2022 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: semantic-release
+ run: npx -p @semantic-release/git semantic-release
+ with:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
\ No newline at end of file
From 3dc505045f4bb0946bbfb41c9ea807b104305c7f Mon Sep 17 00:00:00 2001 From: Matt Travi Date: Mon, 8 May 2023 22:11:04 -0500 Subject: [PATCH 2/2] Resolve indentation inconsistencies Signed-off-by: Matt Travi --- checks/fileparser/github_workflow.go | 18 +++++++++--------- checks/fileparser/github_workflow_test.go | 10 +++++----- 2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/checks/fileparser/github_workflow.go b/checks/fileparser/github_workflow.go
index 96a2be94161..cc1622d0654 100644
--- a/checks/fileparser/github_workflow.go
+++ b/checks/fileparser/github_workflow.go
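Review bot: The `with:` block on the `semantic-release` step hangs off a `run:` step, but `with` is the input map GitHub Actions defines for `uses:` steps, and semantic-release reads `GITHUB_TOKEN` and `NPM_TOKEN` from the environment; the fixture should declare them under `env:` instead — replace `with:` with `env:` and keep the two token lines beneath it. actionlint, which the parser behind `IsPackagingWorkflow` is built on, reports a step that combines `run` with `with`, so this fixture presumably passes only because the parser tolerates parse errors, and a fixture that parses cleanly is a more faithful sample of the workflows the matcher is meant to recognise. The file also has no `on:` trigger, which actionlint likewise flags; adding one (constructed example: `on: push`) would let the fixture parse without errors.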
@@ -565,15 +565,15 @@ func IsPackagingWorkflow(workflow *actionlint.Workflow, fp string) (JobMatchResu
 },
 LogText: "candidate container publishing workflow using ko",
 },
- {
- // Commonly JavaScript packages, but supports multiple ecosystems
- Steps: []*JobMatcherStep{
- {
- Run: "npx.*semantic-release",
- },
- },
- LogText: "candidate publishing workflow using semantic-release",
- },
+ {
+ // Commonly JavaScript packages, but supports multiple ecosystems
+ Steps: []*JobMatcherStep{
+ {
+ Run: "npx.*semantic-release",
+ },
+ },
+ LogText: "candidate publishing workflow using semantic-release",
+ },
 }
 return AnyJobsMatch(workflow, jobMatchers, fp, "not a publishing workflow")
diff --git a/checks/fileparser/github_workflow_test.go b/checks/fileparser/github_workflow_test.go
index 6d132136ede..cf2912e4fc2 100644
--- a/checks/fileparser/github_workflow_test.go
+++ b/checks/fileparser/github_workflow_test.go
@@ -998,11 +998,11 @@ func TestIsPackagingWorkflow(t *testing.T) {
 filename: "../testdata/.github/workflows/github-workflow-packaging-cargo.yaml",
 expected: true,
 },
- {
- name: "semantic-release publish",
- filename: "../testdata/.github/workflows/github-workflow-packaging-semantic-release.yaml",
- expected: true,
- },
+ {
+ name: "semantic-release publish",
+ filename: "../testdata/.github/workflows/github-workflow-packaging-semantic-release.yaml",
+ expected: true,
+ },
 }
 for _, tt := range tests {
 tt := tt // Re-initializing variable so it is not changed while executing the closure below