-
Notifications
You must be signed in to change notification settings - Fork 508
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🐛 Support renamed gradle verification action and callers which pin to hash #4097
🐛 Support renamed gradle verification action and callers which pin to hash #4097
Conversation
From gradle/wrapper-validation-action's readme: "As of v3 this action has been superceded by gradle/actions/wrapper-validation" Also support actions pinned to a hash. Signed-off-by: Spencer Schrock <[email protected]>
/scdiff generate Binary-Artifacts |
Signed-off-by: Spencer Schrock <[email protected]>
nice |
This fix does not seem to work for us. We merged the CI workflow for Are we using the |
You're not using it wrong, the check (currently) assumes scorecard/checks/raw/binary_artifact.go Lines 203 to 226 in 7b07a8d
|
Thanks for the quick response! Maybe our trigger rules are not optimal. I realize someone could potentially commit a malicious But I also don't want to run it on every single commit (since I'm thinking to change the trigger rule to something like:
This seems like it would be secure. I think |
Your new trigger sounds good, and following the intention of the Binary-Artifact check, even if Scorecard has trouble giving credit for this due to some implementation limitations. We do our analysis on the tarball produced from |
What kind of change does this PR introduce?
bug fix
What is the current behavior?
gradle/wrapper-validation-action
must be present and pinned to a hashWhat is the new behavior (if this is a feature change)?**
gradle/actions/wrapper-validation
Which issue(s) this PR fixes
Fixes #2477
Fixes #2357
Related to ossf/scorecard-action#782 (comment), but requires a release (which was going to be cut today anyway)
Special notes for your reviewer
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to
the
release-note
(In particular, describe what changes users might need to make in their
application as a result of this pull request.)