Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🐛 Forgive job-level permissions #3162

Merged
merged 12 commits into from
Jul 14, 2023

Conversation

pnacht
Copy link
Contributor

@pnacht pnacht commented Jun 13, 2023

What kind of change does this PR introduce?

Job-level write permissions are no longer penalized.

What is the current behavior?

Currently, high-risk permissions (contents/packages/actions: write) are not penalized when set at job-level. However, low-risk permissions (everything else) are penalized wherever they appear (top- or job-level).

What is the new behavior (if this is a feature change)?**

As per the discussion in #2338, all permissions are allowed if set at job-level.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #3045

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

Job-level permissions are no longer penalized.

pnacht added 3 commits June 13, 2023 13:41
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
@pnacht pnacht temporarily deployed to integration-test June 13, 2023 13:54 — with GitHub Actions Inactive
Copy link
Member

@spencerschrock spencerschrock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR.

  1. Can you update the documentation along with this scoring change?
  2. Linter is complaining about dead code, so permissionIsPresent will need removed.
  3. Can we add a test to evaluate "job level write permissions not penalized" or something like that? Something that has:
    permissions:
      statuses: write
      checks: write
      security-events: write
      deployments: write
      contents: write
      packages: write
      actions: write

checks/permissions_test.go Show resolved Hide resolved
pnacht added 4 commits June 14, 2023 20:51
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
@pnacht pnacht temporarily deployed to integration-test June 14, 2023 20:56 — with GitHub Actions Inactive
@pnacht
Copy link
Contributor Author

pnacht commented Jun 14, 2023

Done!

@codecov
Copy link

codecov bot commented Jun 14, 2023

Codecov Report

Merging #3162 (a68162e) into main (96b2169) will decrease coverage by 6.10%.
The diff coverage is 100.00%.

❗ Current head a68162e differs from pull request most recent head 59d9429. Consider uploading reports for the commit 59d9429 to get more accurate results

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3162      +/-   ##
==========================================
- Coverage   71.77%   65.67%   -6.10%     
==========================================
  Files         168      170       +2     
  Lines       12907    12860      -47     
==========================================
- Hits         9264     8446     -818     
- Misses       3122     3957     +835     
+ Partials      521      457      -64     

@Gby56
Copy link

Gby56 commented Jun 22, 2023

Thanks a lot for this, noticed the bug/noise today, definitely the checks: write is a chicken and egg scenario, maybe if the granularity was at a step-level we could consider it, but for the whole job, that's too much.

Maybe this should be brought to Github's attention, the fundamental problem is that the action is reporting itself the check OK or not OK, so we give it the token with the permission, meaning a malicious actor could force all checks to be OK and merge ? Shouldn't the runner or some wrapper around that, check the step/job final output and decide on the check status ?

@github-actions
Copy link

github-actions bot commented Jul 3, 2023

Stale pull request message

@pnacht
Copy link
Contributor Author

pnacht commented Jul 4, 2023

@spencerschrock, is there anything else I can do on this PR? The failed test doesn't seem related, as far as I can tell.

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
@pnacht pnacht temporarily deployed to integration-test July 6, 2023 15:49 — with GitHub Actions Inactive
Copy link
Member

@spencerschrock spencerschrock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. Just one final documentation bit I missed before.

docs/checks/internal/checks.yaml Outdated Show resolved Hide resolved
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
@pnacht pnacht temporarily deployed to integration-test July 10, 2023 18:24 — with GitHub Actions Inactive
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
@pnacht pnacht temporarily deployed to integration-test July 13, 2023 19:30 — with GitHub Actions Inactive
@spencerschrock spencerschrock enabled auto-merge (squash) July 14, 2023 00:23
@spencerschrock spencerschrock temporarily deployed to integration-test July 14, 2023 00:23 — with GitHub Actions Inactive
@spencerschrock spencerschrock merged commit fc87616 into ossf:main Jul 14, 2023
andrelmbackman pushed a commit to nokia/scorecard that referenced this pull request Jul 26, 2023
* Forgive all job-level permissions

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Update tests

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Replace magic number

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Rename test

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Test that multiple job-level permissions are forgiven

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Drop unused permissionIsPresent

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Update documentation

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Modify score descriptions

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Document warning for job-level permissions

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* List job-level permissions that get WARNed

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Signed-off-by: André Backman <[email protected]>
ashearin pushed a commit to kgangerlm/scorecard-gitlab that referenced this pull request Nov 13, 2023
* Forgive all job-level permissions

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Update tests

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Replace magic number

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Rename test

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Test that multiple job-level permissions are forgiven

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Drop unused permissionIsPresent

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Update documentation

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Modify score descriptions

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Document warning for job-level permissions

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* List job-level permissions that get WARNed

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
raghavkaul added a commit that referenced this pull request Jan 26, 2024
* 🌱 Bump github.com/goreleaser/goreleaser in /tools (#3238)

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.18.2 to 1.19.1.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](goreleaser/goreleaser@v1.18.2...v1.19.1)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* begin implementing probe: minTwoCodeReviewers

Signed-off-by: André Backman <[email protected]>

* print raw results

Signed-off-by: André Backman <[email protected]>

* print raw results

Signed-off-by: André Backman <[email protected]>

* print raw results

Signed-off-by: André Backman <[email protected]>

* rename probe directory: minimumCodeReviewers

Signed-off-by: André Backman <[email protected]>

* rename probe CodeReviewers

Signed-off-by: André Backman <[email protected]>

* rename import for CodeReviewers probe

Signed-off-by: André Backman <[email protected]>

* update code reviewers definition

Signed-off-by: André Backman <[email protected]>

* update code reviewers implementation; fixed embed FS usage

Signed-off-by: André Backman <[email protected]>

* printing all findings, work out where to concatenate them

Signed-off-by: André Backman <[email protected]>

* concatenated findings to one single finding, outcome is based on the least found unique reviewers

Signed-off-by: André Backman <[email protected]>

* refactored uniqueCodeReviewers probe, needs more error checks

Signed-off-by: André Backman <[email protected]>

* add error handling for cases of non-existant author and/or reviewer logins

Signed-off-by: André Backman <[email protected]>

* add error handling for cases of non-existant author and/or reviewer logins

Signed-off-by: André Backman <[email protected]>

* rename probe

Signed-off-by: André Backman <[email protected]>

* update codeReviewTwoReviewers definition

Signed-off-by: André Backman <[email protected]>

* rename unique code reviewers probe

Signed-off-by: André Backman <[email protected]>

* implement codeApproved probe, validation of reviews needs fixing

Signed-off-by: André Backman <[email protected]>

* update codeApproved probe, validation of reviews needs fixing

Signed-off-by: André Backman <[email protected]>

* working version of codeApproved probe

Signed-off-by: André Backman <[email protected]>

* codeReviewed probe implemented

Signed-off-by: André Backman <[email protected]>

* clean up comments, add imports, run all probes

Signed-off-by: André Backman <[email protected]>

* update license comments

Signed-off-by: André Backman <[email protected]>

* Update def.yml license

Signed-off-by: André Backman <[email protected]>

* Update def.yml license

Signed-off-by: André Backman <[email protected]>

* Update def.yml license

Signed-off-by: André Backman <[email protected]>

* Update impl.go license

Signed-off-by: André Backman <[email protected]>

* Update impl.go license to Apache 2

Signed-off-by: André Backman <[email protected]>

* Update impl.go license to Apache 2

Signed-off-by: André Backman <[email protected]>

* Update code_review.go license

Signed-off-by: André Backman <[email protected]>

* Update entries.go; CodeReviewChecks now called CodeReview

Signed-off-by: André Backman <[email protected]>

* Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go

Signed-off-by: André Backman <[email protected]>

* Delete code_review.go utilities

moved utility functions to the impl.go they are used in

Signed-off-by: André Backman <[email protected]>

* rename probe

Signed-off-by: André Backman <[email protected]>

* update codeReviewTwoReviewers definition

Signed-off-by: André Backman <[email protected]>

* implement codeApproved probe, validation of reviews needs fixing

Signed-off-by: André Backman <[email protected]>

* update codeApproved probe, validation of reviews needs fixing

Signed-off-by: André Backman <[email protected]>

* working version of codeApproved probe

Signed-off-by: André Backman <[email protected]>

* codeReviewed probe implemented

Signed-off-by: André Backman <[email protected]>

* clean up comments, add imports, run all probes

Signed-off-by: André Backman <[email protected]>

* update license comments

Signed-off-by: André Backman <[email protected]>

* update license comments

Signed-off-by: André Backman <[email protected]>

* 🌱 Included unit tests (#3242)

- Included unit tests

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump golang.org/x/text from 0.10.0 to 0.11.0 (#3243)

Bumps [golang.org/x/text](https://github.com/golang/text) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0 (#3244)

Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.9.0 to 0.10.0.
- [Commits](golang/oauth2@v0.9.0...v0.10.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 📖 Update Branch-Protection admin and non-admin requirements (#2772)

* docs: Branch protection admin-only requirements

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Branch protection requirements by tier

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: How get a perfect score in branch protection

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Fix local images ref in doc

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Fix typo

Co-authored-by: Pedro Nacht <[email protected]>
Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Fix check specific table of contents

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Code owners setting is non admin

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Fix branch protection applied not only to main branch

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Add alt text for images

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: You can get a perfect score with non admin access

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: update max tier scores

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: update tier 1 max points explanation

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Move changes to internal checks doc

Move changes done in docs/checks.md to docs/checks/internal/checks.yaml.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Revert changes on checks doc

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Fix admin settings evaluated on branch protection

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Change branch protection model status checks

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Change tiers score to expected score

The expected score for the code to output is 3/10 for Tier 1 case and 7/10 for Tier 3 case. The scoring issue will be reported as bug.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Fix Tier 3 score

Signed-off-by: Gabriela Gutierrez <[email protected]>

---------

Signed-off-by: Gabriela Gutierrez <[email protected]>
Co-authored-by: Pedro Nacht <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Linter workflow cleanup (#3247)

* Fix linter timeout by renaming deprecated deadline.

Signed-off-by: Spencer Schrock <[email protected]>

* Disable depguard linter.

As of golangci-lint v3.5.0, the depguard linter is complaining. We don't use a .depguard.yml file, so just disabling the linter.

Signed-off-by: Spencer Schrock <[email protected]>

* Move linter into own workflow.

Signed-off-by: Spencer Schrock <[email protected]>

* Fix bash command substitution.

Signed-off-by: Spencer Schrock <[email protected]>

* Add harden runner.

Signed-off-by: Spencer Schrock <[email protected]>

* switch names to existing linter job

Signed-off-by: Spencer Schrock <[email protected]>

* Update golangci-lint to v1.53.3

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump tj-actions/changed-files from 37.0.5 to 37.1.0 (#3253)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.0.5 to 37.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@54849de...87e23c4)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump github.com/goreleaser/goreleaser in /tools (#3252)

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.19.1 to 1.19.2.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](goreleaser/goreleaser@v1.19.1...v1.19.2)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump golang.org/x/tools from 0.10.0 to 0.11.0

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Improve rate limit handling in roundtripper (#3237)

- Add rate limit testing and handling functionality
- Add tests for successful response and Retry-After header set scenarios

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump tj-actions/changed-files from 37.1.0 to 37.1.1 (#3259)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.0 to 37.1.1.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@87e23c4...1f20fb8)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump github.com/bradleyfalzon/ghinstallation/v2 (#3260)

Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.5.0 to 2.6.0.
- [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases)
- [Commits](bradleyfalzon/ghinstallation@v2.5.0...v2.6.0)

---
updated-dependencies:
- dependency-name: github.com/bradleyfalzon/ghinstallation/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱Add urls for opentelemetry, micrometer and new relic to weekly cron (#3248)

* add urls for opentelemetry and micrometer

Signed-off-by: Ajmal Kottilingal <[email protected]>

* add jakarta-activation url

Signed-off-by: Ajmal Kottilingal <[email protected]>

* adding json-path

Signed-off-by: Ajmal Kottilingal <[email protected]>

* fix uing make

Signed-off-by: Ajmal Kottilingal <[email protected]>

---------

Signed-off-by: Ajmal Kottilingal <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🐛  Add npm installs to Pinned-Dependencies score (#2960)

* feat: Add npm install to pinned dependencies score

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix pinned dependencies evaluation tests

Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, for "various wanrings" test, the total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix pinned dependencies e2e tests

Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. The repo being tested, ossf-tests/scorecard-check-pinned-dependencies-e2e, has third-party GitHub actions pinned, no npm installs, and all other dependencies types are unpinned. This gives us 8 for actionScore, 10 for npmScore and 0 for all other scores. Previously the total score was 8/5~=1, and now the total score is 18/6=3. Also, since there are no npm installs, there's one more Info log for "npm installs are pinned".

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix typo

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Unpinned npm install score

When having one unpinned npm install and all other dependencies pinned, the score should be 50/6~=8. Also, it should raise 1 warning for the unpinned npm install, 6 infos saying the other dependency types are pinned (2 for GHAs, 2 for dockerfile image and downdloads, 1 for script downdloads and 1 for pip installs), and 0 debug logs since the npm install dependency does not have an error message.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Undefined npm install score

When an error happens to parse a npm install dependency, the error/debug message is saved in "Msg" field. In this case, we were not able to define if the npm install is pinned or not. This dependency is classified as pinned undefined. We treat such cases as pinned cases, so it logs as Info that npm installs are all pinned and counts the score as 10. Then, the final score makes it to 10 as well. Since it logs the error/debug message, the Debug log goes to 1.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix typo

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix "validate various warnings and info" test

Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, this test total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: npm dependencies pinned log

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Remove test of error when parsing an npm dependency

Signed-off-by: Gabriela Gutierrez <[email protected]>

---------

Signed-off-by: Gabriela Gutierrez <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump github.com/moby/buildkit from 0.11.6 to 0.12.0 (#3264)

Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.11.6 to 0.12.0.
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](moby/buildkit@v0.11.6...v0.12.0)

---
updated-dependencies:
- dependency-name: github.com/moby/buildkit
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* Ack linter warning and add tracking issue. (#3263)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🐛 Forgive job-level permissions (#3162)

* Forgive all job-level permissions

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Update tests

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Replace magic number

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Rename test

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Test that multiple job-level permissions are forgiven

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Drop unused permissionIsPresent

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Update documentation

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Modify score descriptions

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Document warning for job-level permissions

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* List job-level permissions that get WARNed

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🐛 Fix typo (#3267)

Signed-off-by: Eugene Kliuchnikov <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 📖  Suggest new score viewer on badge documentation (#3268)

* docs(readme): suggest new score viewer on badge documentation

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>

* docs(readme): add link to ossf blogpost about the badge

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>

* docs: update badge of our own README to the new viewer

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>

---------

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump tj-actions/changed-files from 37.1.1 to 37.1.2 (#3266)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.1 to 37.1.2.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@1f20fb8...2a968ff)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Update the cover profile for e2e (#3271)

- Update the cover profile for e2e

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Improve e2e workflow tests (#3273)

- Add e2e test for workflow runs
- Retrieve successful runs of the scorecard-analysis.yml workflow

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Excluded dependabot from codecov (#3272)

- Exclude dependabot from codecov job in main.yml

[.github/workflows/main.yml]
- Exclude dependabot from codecov job

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Increase test coverage for searching commits (#3276)

- Add an e2e test for searching commits by author
- Search commits by author `dependabot[bot]` and expect results

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🐛 Fix Branch-Protection scoring (#3251)

* fix: Verify if branch is required to be up to date before merge

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Comment tracking GraphQL bug

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Add validation if pointers are not null before accessing the values

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Delete debug log file

Signed-off-by: Gabriela Gutierrez <[email protected]>

---------

Signed-off-by: Gabriela Gutierrez <[email protected]>
Signed-off-by: André Backman <[email protected]>

* ✨ scdiff: generate cmd skeleton (#3275)

* add scdiff root command

Signed-off-by: Spencer Schrock <[email protected]>

* Add generate boilerplate.

Signed-off-by: Spencer Schrock <[email protected]>

* get rid of init

Signed-off-by: Spencer Schrock <[email protected]>

* read newline delimitted repo file

Signed-off-by: Spencer Schrock <[email protected]>

* Run scorecard and echo results.

Signed-off-by: Spencer Schrock <[email protected]>

* add license

Signed-off-by: Spencer Schrock <[email protected]>

* add basic runner tests.

Signed-off-by: Spencer Schrock <[email protected]>

* Add Runner comment.

Signed-off-by: Spencer Schrock <[email protected]>

* switch to using scorecard logger.

Signed-off-by: Spencer Schrock <[email protected]>

* linter fix

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Delete unused project-update functionality. (#3269)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump tj-actions/changed-files from 37.1.2 to 37.3.0 (#3280)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.2 to 37.3.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@2a968ff...3928317)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump github.com/google/osv-scanner from 1.3.5 to 1.3.6 (#3281)

Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.5 to 1.3.6.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](google/osv-scanner@v1.3.5...v1.3.6)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump gocloud.dev from 0.30.0 to 0.32.0 (#3284)

Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.30.0 to 0.32.0.
- [Release notes](https://github.com/google/go-cloud/releases)
- [Commits](google/go-cloud@v0.30.0...v0.32.0)

---
updated-dependencies:
- dependency-name: gocloud.dev
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Include attestor Dockerfile in CI and dependabot updates (#3285)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump tj-actions/changed-files from 37.3.0 to 37.4.0

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.3.0 to 37.4.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@3928317...de0eba3)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump google-appengine/debian11 in /attestor

Bumps google-appengine/debian11 from `fed7dd5` to `97dc4fb`.

---
updated-dependencies:
- dependency-name: google-appengine/debian11
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump github.com/xanzy/go-gitlab from 0.86.0 to 0.88.0

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.86.0 to 0.88.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.86.0...v0.88.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Use a matrix for docker image building (#3290)

* working matrix.

Signed-off-by: Spencer Schrock <[email protected]>

* Remove unneeded env vars. Add comments.

Signed-off-by: Spencer Schrock <[email protected]>

* minor syntax change.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Improve e2e workflow tests (#3282)

- Ensure that only head queries are supported in workflow tests
- Add a test to detect when a non-existent workflow file is used

[e2e/workflow_test.go]
- Add a test to check that only head queries are supported
- Add a test to check that a non-existent workflow file returns an error

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Use a matrix for when building binaries in main.yml (#3291)

* Use matrix for build jobs.

Signed-off-by: Spencer Schrock <[email protected]>

* These build targets dont seem to need protoc.

This lets us save the API quota.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Fix hanging docker jobs for doc only changes. (#3292)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 📖 Add contributor ladder (#3246)

* Add contributor ladder

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Clarify sponsorship

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Hope for retirement warning

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* 1 maintainer can sponsor a community member

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Apply suggestions from code review

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: Pedro Nacht <[email protected]>

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Signed-off-by: Pedro Nacht <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Consolidate GitLab e2e workflows. (#3278)

* Move gitlab to different workflow to parallelize.

Signed-off-by: Spencer Schrock <[email protected]>

* Add missing versions.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Add separate cache for long-running tests (#3293)

* Add separate cache for unit tests.

Signed-off-by: Spencer Schrock <[email protected]>

* share cache with gitlab tests too.

Signed-off-by: Spencer Schrock <[email protected]>

* share cache with github integration tests.

Signed-off-by: Spencer Schrock <[email protected]>

* explicitly download modules in unit test job

Signed-off-by: Spencer Schrock <[email protected]>

* checkout needs to be before the go.mod is read.

Signed-off-by: Spencer Schrock <[email protected]>

* checkout needs to be before the go.sum files are hashed.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0 (#3297)

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.7.0 to 5.8.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.7.0...v5.8.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump github.com/onsi/gomega from 1.27.8 to 1.27.9 (#3298)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.8 to 1.27.9.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.27.8...v1.27.9)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Improve search commit e2e tests (#3295)

- Add 2 tests for searching commits in e2e/searchCommits_test.go
- Fix errors in e2e/searchCommits_test.go when not using HEAD or when user does not exist

[e2e/searchCommits_test.go]
- Add 2 tests for searching commits
- Fix error when not using HEAD
- Fix error when user does not exist

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 📖  update docs for webhooks documentation (#3299)

* update docs for webhooks documentation

Signed-off-by: leec94 <[email protected]>

* change webhook severity in readme

Signed-off-by: leec94 <[email protected]>

---------

Signed-off-by: leec94 <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Unit tests OSSFuzz client (#3301)

* 🌱 Unit tests OSSFuzz client

- Included tests for  IsArchived, LocalPath, ListFiles, GetFileContent, GetBranch, GetDefaultBranch, GetOrgRepoClient, GetDefaultBranchName, ListCommits, ListIssues, ListReleases, ListContributors, ListSuccessfulWorkflowRuns, ListCheckRunsForRef, ListStatuses, ListWebhooks, SearchCommits, Close, ListProgrammingLanguages,

Signed-off-by: naveensrinivasan <[email protected]>

* Improve OSSFuzz client tests

[clients/ossfuzz/client_test.go]
- Add a test for the `GetCreatedAt` method
- Fix the `URI` method to return the correct value

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Ensure check markdown is kept in sync with source yaml. (#3300)

* Ensure check markdown is kept in sync with check yaml.

Signed-off-by: Spencer Schrock <[email protected]>

* change generate-docs target to detect changes to docs/checks.md directly.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* Update def.yml license

Signed-off-by: André Backman <[email protected]>
Signed-off-by: André Backman <[email protected]>

* Update def.yml license

Signed-off-by: André Backman <[email protected]>
Signed-off-by: André Backman <[email protected]>

* Update def.yml license

Signed-off-by: André Backman <[email protected]>
Signed-off-by: André Backman <[email protected]>

* Update code_review.go license

Signed-off-by: André Backman <[email protected]>
Signed-off-by: André Backman <[email protected]>

* Update entries.go; CodeReviewChecks now called CodeReview

Signed-off-by: André Backman <[email protected]>
Signed-off-by: André Backman <[email protected]>

* refactor codeReviewTwoReviewers; moved utility functions into impl.go

Signed-off-by: André Backman <[email protected]>

* Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go

Signed-off-by: André Backman <[email protected]>

* Update go.mod, aligned imports

Signed-off-by: André Backman <[email protected]>

* update license comments

Signed-off-by: André Backman <[email protected]>

* update license comments

Signed-off-by: André Backman <[email protected]>

* change EOL = CRLF to LF

Signed-off-by: André Backman <[email protected]>

* add error handling in case of no changesets

Signed-off-by: André Backman <[email protected]>

* completed tests for code-review probes

Signed-off-by: André Backman <[email protected]>

* update codeReview probes and utils

Signed-off-by: André Backman <[email protected]>

* fixed some lint errors, check for more

Signed-off-by: André Backman <[email protected]>

* fixed lint issues

Signed-off-by: André Backman <[email protected]>

* fix lint errors

Signed-off-by: André Backman <[email protected]>

* add test for multiple reviews with only one unique reviewer

Signed-off-by: André Backman <[email protected]>

* simplify func uniqueReviewers, use map[string]bool

Signed-off-by: André Backman <[email protected]>

* fix linting error

Signed-off-by: André Backman <[email protected]>

* moved probe tests to their own function

Signed-off-by: André Backman <[email protected]>

* fix comment syntax

Signed-off-by: André Backman <[email protected]>

* gci-ed files to fix linter errors

Signed-off-by: André Backman <[email protected]>

* implement change to skip bot-authored changesets that are reviewed/approved

Signed-off-by: André Backman <[email protected]>

* rewrite finding message

Signed-off-by: André Backman <[email protected]>

* fix output message; do not count the number of approved bot-authored changesets

Signed-off-by: André Backman <[email protected]>

* fix typos

Signed-off-by: André Backman <[email protected]>

* moved probe tests to their corresponding location

Signed-off-by: André Backman <[email protected]>

* removed redundant probe codeReviewed

Signed-off-by: André Backman <[email protected]>

* Update probes/codeApproved/def.yml

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: jitsengupta17 <[email protected]>

* Update probes/codeApproved/def.yml

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: jitsengupta17 <[email protected]>

* Update probes/codeApproved/def.yml

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: jitsengupta17 <[email protected]>

* Update probes/codeApproved/def.yml

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: jitsengupta17 <[email protected]>

* Update probes/codeApproved/def.yml

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: jitsengupta17 <[email protected]>

* Update probes/codeReviewOneReviewers/def.yml

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: jitsengupta17 <[email protected]>

* Lint

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: André Backman <[email protected]>
Signed-off-by: André Backman <[email protected]>
Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Gabriela Gutierrez <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Ajmal Kottilingal <[email protected]>
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Signed-off-by: Eugene Kliuchnikov <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Signed-off-by: Pedro Nacht <[email protected]>
Signed-off-by: leec94 <[email protected]>
Signed-off-by: André Backman <[email protected]>
Signed-off-by: jitsengupta17 <[email protected]>
Signed-off-by: Raghav Kaul <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: André Backman <[email protected]>
Co-authored-by: Naveen <[email protected]>
Co-authored-by: Gabriela Gutierrez <[email protected]>
Co-authored-by: Pedro Nacht <[email protected]>
Co-authored-by: Spencer Schrock <[email protected]>
Co-authored-by: Ajmal Kottilingal <[email protected]>
Co-authored-by: Pedro Nacht <[email protected]>
Co-authored-by: Eugene Kliuchnikov <[email protected]>
Co-authored-by: Diogo Teles Sant'Anna <[email protected]>
Co-authored-by: Caroline <[email protected]>
Co-authored-by: jitsengupta17 <[email protected]>
Co-authored-by: Raghav Kaul <[email protected]>
Co-authored-by: gowriNSN <[email protected]>
Co-authored-by: Raghav Kaul <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

BUG: High-risk write permissions only punished at top-level, low-risk permissions punished everywhere
4 participants