

Merge branch 'main' into recognize-scala-steward-as-dependency-update…
…-tool
spencerschrock authored May 30, 2024
2 parents 571a368 + 6b49140 commit 0e8dcc0
Showing 14 changed files with 111 additions and 28 deletions.
8 changes: 4 additions & 4 deletions .github/workflows/codeql-analysis.yml
Expand Up @@ -55,7 +55,7 @@ jobs:

steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand All @@ -73,7 +73,7 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
with:
languages: ${{ matrix.language }}
queries: +security-extended
Expand All @@ -85,7 +85,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
uses: github/codeql-action/autobuild@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
Expand All @@ -99,4 +99,4 @@ jobs:
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
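Review bot: The version comment on the new harden-runner pin is inconsistent across this commit: the same commit SHA f086349bfa2bd1361f7909c78558e816508cdc10 is annotated `# v1` here (and in goreleaser.yaml, integration.yml's first job, stale.yml, verify.yml and six of the nine main.yml jobs) but `# v2.8.0` in docker.yml, gitlab.yml, lint.yml and the other main.yml jobs, and publishimage.yml carries no version comment at all. The comment is the only human-readable check that a SHA pin matches an intended release, and Dependabot-style updaters key off it, so a mislabelled or missing comment weakens the review value of SHA pinning. Suggest normalising every occurrence to `uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0`, and adding that comment to the publishimage.yml line. The old pin a4aa98b9 was already labelled both `# v1` and `# v2.7.1`, so this is carried over rather than introduced, but the bump is the natural place to fix it.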
2 changes: 1 addition & 1 deletion .github/workflows/docker.yml
Expand Up @@ -72,7 +72,7 @@ jobs:
steps:
- name: Harden Runner
if: (needs.docs_only_check.outputs.docs_only != 'true')
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
2 changes: 1 addition & 1 deletion .github/workflows/gitlab.yml
Expand Up @@ -33,7 +33,7 @@ jobs:
environment: gitlab
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
2 changes: 1 addition & 1 deletion .github/workflows/goreleaser.yaml
Expand Up @@ -34,7 +34,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

4 changes: 2 additions & 2 deletions .github/workflows/integration.yml
Expand Up @@ -31,7 +31,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand All @@ -44,7 +44,7 @@ jobs:
needs: [approve]
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
Expand Up @@ -19,7 +19,7 @@ jobs:
name: check-linter
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
18 changes: 9 additions & 9 deletions .github/workflows/main.yml
Expand Up @@ -37,7 +37,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
Expand Down Expand Up @@ -95,7 +95,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down Expand Up @@ -143,7 +143,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
Expand Down Expand Up @@ -172,7 +172,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down Expand Up @@ -221,7 +221,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Cache builds
Expand Down Expand Up @@ -260,7 +260,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down Expand Up @@ -302,7 +302,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
Expand Down Expand Up @@ -330,7 +330,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down Expand Up @@ -365,7 +365,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

2 changes: 1 addition & 1 deletion .github/workflows/publishimage.yml
Expand Up @@ -36,7 +36,7 @@ jobs:
COSIGN_EXPERIMENTAL: "true"
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

2 changes: 1 addition & 1 deletion .github/workflows/scorecard-analysis.yml
Expand Up @@ -51,6 +51,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
with:
sarif_file: results.sarif
2 changes: 1 addition & 1 deletion .github/workflows/stale.yml
Expand Up @@ -27,7 +27,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

2 changes: 1 addition & 1 deletion .github/workflows/verify.yml
Expand Up @@ -26,7 +26,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

15 changes: 14 additions & 1 deletion MAINTAINERS.md
@@ -1,12 +1,25 @@
# Maintainers

## OpenSSF Scorecard Steering Committee

The OpenSSF Scorecard project is governed by a Steering Committee, whose operating procedures are detailed in the [project charter](/CHARTER.md).

The current standing Steering Committee members are as follows:

- Stephen Augustus ([@justaugustus](https://github.com/justaugustus)), Cisco
- Raghav Kaul ([@raghavkaul](https://github.com/raghavkaul)), Google
- Spencer Schrock ([@spencerschrock](https://github.com/spencerschrock)), Google
- Laurent Simon ([@laurentsimon](https://github.com/laurentsimon)), Independent
- Naveen Srinivasan ([@naveensrinivasan](https://github.com/naveensrinivasan)), Independent
- Jeff Mendoza ([@jeffmendoza](https://github.com/jeffmendoza)), Kusari

## `scorecard-maintainers`

- Stephen Augustus ([@justaugustus](https://github.com/justaugustus)), Cisco
- Raghav Kaul ([@raghavkaul](https://github.com/raghavkaul)), Google
- Spencer Schrock ([@spencerschrock](https://github.com/spencerschrock)), Google
- Azeem Shaikh [@azeemshaikh38](https://github.com/azeemshaikh38), Google
- Laurent Simon ([@laurentsimon](https://github.com/laurentsimon)), Google
- Laurent Simon ([@laurentsimon](https://github.com/laurentsimon)), Independent
- Naveen Srinivasan ([@naveensrinivasan](https://github.com/naveensrinivasan)), Independent

## `scorecard-doc-maintainers`
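--- a/docs/repositories.md
+++ b/docs/repositories.md
@@ -0,0 +1,61 @@
+# Repository Guidelines
+
+This document attempts to outline a structure for creating and associating
+GitHub repositories with the OpenSSF Scorecard project.
+<!-- TODO: It also describes how and when repositories are removed. -->
+
+<!-- TODO: Do we need a separate issue template for these requests? e.g.,
+Requests for creating, transferring, modifying, or archiving repositories can be made by [opening a request](https://github.com/ossf/scorecard/issues/new/choose) against this repository.
+-->
+
+- [Approval](#approval)
+- [Requirements](#requirements)
+- [Donated repositories](#donated-repositories)
+- [Copyright headers](#copyright-headers)
+- [Attribution](#attribution)
+
+## Approval
+
+New repositories require approval from the OpenSSF Scorecard Steering Committee.
+
+## Requirements
+
+The following requirements apply to all OpenSSF Scorecard repositories:
+
+- Must be identified in the OpenSSF Scorecard project documentation
+- Must reside in the [OpenSSF GitHub organization](https://github.com/ossf)
+- Must utilize the topic [`openssf-scorecard`](https://github.com/topics/openssf-scorecard) (ref: [managing topics](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics))
+- Must adopt the OpenSSF Scorecard [Code of Conduct](/CODE_OF_CONDUCT.md)
+- Must adopt an appropriate license, in compliance with the Intellectual Property Policy of OpenSSF Scorecard [charter](/CHARTER.md)
+- Must include headers across all files that attribute copyright as follows:
+
+```text
+Copyright [YYYY] OpenSSF Scorecard Authors
+```
+
+- Must enforce usage of the Developer Certificate of Origin (DCO) via the [DCO GitHub Application](https://github.com/apps/dco)
+- All privileges to the repository must be defined via [GitHub teams](https://docs.github.com/en/organizations/organizing-members-into-teams/about-teams), [instead of individuals](https://github.com/ossf/tac/blob/main/policies/access.md#teams-not-individuals)
+- All code review permissions must be defined via [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners)
+- All contributors with privileges to the repository must also be active members of the OpenSSF Scorecard project
+
+## Donated repositories
+
+The OpenSSF Scorecard project may at times accept repository donations.
+
+Donated repositories must:
+
+- Adhere to the [requirements for all project repositories](#requirements)
+<!-- TODO: Need documentation on license scans and acceptable licenses for dependencies e.g.,
+- Licenses of dependencies are acceptable; please review the [allowed-third-party-license-policy.md](https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md) and [exceptions](https://github.com/cncf/foundation/tree/main/license-exceptions). If your dependencies are not covered, then please open a `License Exception Request` issue in [cncf/foundation](https://github.com/cncf/foundation/issues) repository.
+-->
+
+### Copyright headers
+
+The addition of required copyright headers to code created by the contributors
+can occur post-transfer, but should ideally occur shortly thereafter.
+
+***Note that copyright notices should only be modified or removed by the people or organizations named in the notice.***
+
+## Attribution
+
+These guidelines were drafted with inspiration from the [Kubernetes project's repository guidelines](https://github.com/kubernetes/community/blob/e65e7141f8c2bb82f33762c35e19059e9c5d034e/github-management/kubernetes-repositories.md).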
17 changes: 13 additions & 4 deletions pkg/scorecard_test.go
Expand Up @@ -20,6 +20,7 @@ import (
"github.com/golang/mock/gomock"
"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
"sigs.k8s.io/release-utils/version"

"github.com/ossf/scorecard/v5/checker"
"github.com/ossf/scorecard/v5/clients"
Expand Down Expand Up @@ -128,6 +129,10 @@ func TestRunScorecard(t *testing.T) {
uri string
commitSHA string
}
// These values depend on the environment,
// so don't encode particular expectations
// in the test:
versionInfo := version.GetVersionInfo()
tests := []struct {
name string
args args
Expand All @@ -145,8 +150,8 @@ func TestRunScorecard(t *testing.T) {
Name: "github.com/ossf/scorecard",
},
Scorecard: ScorecardInfo{
Version: "devel",
CommitSHA: "unknown",
Version: versionInfo.GitVersion,
CommitSHA: versionInfo.GitCommit,
},
},
wantErr: false,
Expand Down Expand Up @@ -194,6 +199,10 @@ func TestRunScorecard(t *testing.T) {

func TestExperimentalRunProbes(t *testing.T) {
t.Parallel()
// These values depend on the environment,
// so don't encode particular expectations
// in the test:
versionInfo := version.GetVersionInfo()
type args struct {
uri string
commitSHA string
Expand Down Expand Up @@ -230,8 +239,8 @@ func TestExperimentalRunProbes(t *testing.T) {
},
},
Scorecard: ScorecardInfo{
Version: "devel",
CommitSHA: "unknown",
Version: versionInfo.GitVersion,
CommitSHA: versionInfo.GitCommit,
},
Findings: []finding.Finding{
{
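Review bot: The three-line comment and the `versionInfo := version.GetVersionInfo()` call are duplicated verbatim in TestRunScorecard and TestExperimentalRunProbes, and placed differently in each (after the `args` type in the first test, before it in the second), which is a small style inconsistency worth tidying. The comment also says only what the test does not assert; it would help a reader more to state the intended contract, e.g. `// Version and CommitSHA are presumably injected at build time, so compare against the same source the code under test reads instead of literal values.` — hedged because the injection mechanism is not visible in this diff. A single package-level `var versionInfo = version.GetVersionInfo()` would remove the duplication, but the per-test form is also fine if kept consistent. Both test functions start and end outside these hunks.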
