
Releases: ossf/scorecard

v5.0.0

19 Jul 20:25
ea7e27e

What's Changed

We’ll highlight the major changes between v4.13.1 and v5.0.0 below, as well as some of the changes between v5.0.0-rc2 and v5.0.0. For a more complete picture, see the v5.0.0-rc1 and v5.0.0-rc2 changelogs as well.

Structured Results

Structured Results is the main feature of this release. At a high level, structured results break the existing 19 Scorecard checks into individual heuristics, called probes, so users can pick and choose the ones they care about. You can see a list of all supported probes in our documentation (pay attention to the lifecycle / stability guarantees). To run individual probes, use the --probes CLI flag with a comma-separated list of names. You must also specify --format probe to see the results. Run scorecard --help if you need more details.
Example:

scorecard --repo github.com/ossf/scorecard --probes archived,fuzzed,hasLicenseFile --format probe

For more details on the feature, please check out our blog post or the talk given at Open Source Summit NA 2024: Structured Scorecard Results: Tailor Your Own Supply-Chain Security Policies.

Maintainer Annotations

Maintainer Annotations let maintainers add context that is displayed alongside Scorecard check results. Annotations can give users additional information when Scorecard's assessment of a project's security practices is incomplete. To see the maintainer annotations for each check, if present, use the --show-annotations option. For example, the not-detected annotation lets a maintainer record that a check or probe is satisfied in a way Scorecard supports but did not identify.

For more details, check out our documentation for the feature.

Breaking Changes

API changes

The biggest change is that everything in github.com/ossf/scorecard/v4/pkg now lives in github.com/ossf/scorecard/v5/pkg/scorecard. Because the package name now carries the "scorecard" prefix, some functions and types were renamed to be less repetitive.

  • RunScorecard is now Run
  • ScorecardResult is now Result

Expected changes:

pkg.RunScorecard() -> scorecard.Run()
pkg.ScorecardResult -> scorecard.Result

The signature of RunScorecard (now called Run) has changed to allow for fewer breaking changes in the future. For the full motivation, see the associated issue. Less setup code should be needed than before: callers no longer need to pass in every client and argument and can rely on sensible default behavior. Callers that want to customize the analysis can influence the results with our Option types.

A similar change was made to the result-formatting functions, which now accept a pointer to an options struct. Passing a nil pointer uses the default values.

Unlikely to cause issues

These changes are technically breaking in a semver sense, but we don’t expect most users to depend on them or require changes.

  • Dependency diff functionality has been removed in #4146.
  • clients.Repo must now implement Path in #4104
  • clients.RepoClient now returns a read closer in #3912
  • Some branch protection types were renamed in #3879
  • Some sentinel errors were renamed in #4040

Checks

Binary-Artifacts

  • The Binary-Artifacts check now recognizes the new Gradle wrapper validation action, including when the action is pinned to a commit hash. (#4097, @spencerschrock)

Dependency-Update-Tool

  • ✨ Recognize scala-steward as dependency update tool by @raboof in #4130

Fuzzing

  • ⚠️ OneFuzz detection removed due to deprecation #3666

License

Packaging

  • ✨ detect sbt ci-release packaging workflows by @raboof in #4135

Pinned-Dependencies

SBOM

Vulnerabilities

  • 🌱 add stack info to osv-scanner error by @Zxilly in #4172

Probes

Other

New Contributors

Full Changelog: v4.13.1...v5.0.0

v5.0.0-rc2

07 May 21:11
6b5cb27
Pre-release

Important

This is a v5 prerelease candidate. There may be more breaking changes before the official v5.0.0 release.

What's Changed

Structured Results

Check Enhancements and Bug Fixes

  • Signed-Releases
    • 🐛 Fixed a Signed-Releases bug where more releases were being analyzed than intended. (#4060, @spencerschrock)
  • Code-Review
    • 🐛 Fixed an issue where Phabricator reviews weren't being parsed properly. (#4086, @spencerschrock)

Breaking Changes

  • ⚠️ errors in ErrXXX format by @cmwylie19 in #4040
  • ⚠️ Enables maintainers to write annotations for Scorecard checks and consumers to view these annotations in Scorecard UI. (experimental #3905, @gabibguti)

Docs

Other

New Contributors

Full Changelog: v5.0.0-rc1...v5.0.0-rc2

v5.0.0-rc1

12 Apr 22:10
0b9dfb6
Pre-release

Important

This is a v5 prerelease candidate. There may be more breaking changes before the official v5.0.0 release.

What's Changed

Structured Results

We invite users to try out a preview of Structured Results, the main feature from this release candidate. For more details on the feature, please check out the first paragraph of our probes README as well as our blog post.

At a high level, structured results break the existing 19 Scorecard checks into individual heuristics, called probes, so users can pick and choose the ones they care about. You can see a list of all supported probes in the probes/ directory. To run individual probes, use the --probes CLI flag with a comma-separated list of names. You must also specify --format probe to see the results. Run scorecard --help if you need more details.

Example:

scorecard --repo github.com/ossf/scorecard --probes archived,fuzzed,hasLicenseFile --format probe
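The following is an added example, not code from the Scorecard project, of what "pick and choose" looks like on the consumer side, for both this preview and the v5.0.0 Structured Results notes above: a small Go policy gate that reads the JSON written by scorecard ... --format probe, requires a specific outcome per probe, and refuses to pass when a probe reports Error, NotSupported or NotAvailable, or is missing from the report entirely. It assumes the probe format carries a findings array whose entries have probe, outcome and message fields, with outcomes serialized as strings such as "True" and "False"; the policy and the two sample reports are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// probeReport holds the part of `scorecard --format probe` output this policy
// reads: the "findings" array. Other top-level fields (date, repo, scorecard)
// are ignored by the decoder. The field names are this example's assumption
// about the probe format; check them against the output of your Scorecard build.
type probeReport struct {
	Findings []probeFinding `json:"findings"`
}

type probeFinding struct {
	Probe   string `json:"probe"`
	Outcome string `json:"outcome"` // "True", "False", "Error", "NotSupported", ...
	Message string `json:"message"`
}

// policy maps a probe name to the outcome every finding of that probe must have.
type policy map[string]string

// defaultPolicy: the repo must not be archived, must be fuzzed and must carry a
// license file. These are the three probes from the example command above.
var defaultPolicy = policy{
	"archived":       "False",
	"fuzzed":         "True",
	"hasLicenseFile": "True",
}

// violation describes one policy rule the report failed.
type violation struct {
	Probe, Want, Got, Message string
}

func (v violation) String() string {
	return fmt.Sprintf("%s: want %s, got %s (%s)", v.Probe, v.Want, v.Got, v.Message)
}

// evaluate returns one violation per policy rule the report does not satisfy.
// A rule passes only if the report contains at least one finding for the probe
// and every such finding has the required outcome. Consequently an "Error",
// "NotSupported" or "NotAvailable" outcome, or a probe absent from the report,
// fails the gate: an inconclusive result must never count as a pass.
func evaluate(p policy, raw []byte) ([]violation, error) {
	var rep probeReport
	if err := json.Unmarshal(raw, &rep); err != nil {
		return nil, fmt.Errorf("decoding probe report: %w", err)
	}
	// A probe may emit several findings (e.g. fuzzed emits one per fuzzer found).
	byProbe := make(map[string][]probeFinding)
	for _, f := range rep.Findings {
		byProbe[f.Probe] = append(byProbe[f.Probe], f)
	}
	var out []violation
	for probe, want := range p {
		fs := byProbe[probe]
		if len(fs) == 0 {
			out = append(out, violation{probe, want, "missing", "probe not present in report; was it requested with --probes?"})
			continue
		}
		for _, f := range fs {
			if f.Outcome != want {
				out = append(out, violation{probe, want, f.Outcome, f.Message})
				break // one violation per probe is enough for a gate
			}
		}
	}
	// Map iteration order is random; sort so output (and tests) are deterministic.
	sort.Slice(out, func(i, j int) bool { return out[i].Probe < out[j].Probe })
	return out, nil
}

// Constructed sample reports for this example (not real Scorecard output).
const samplePass = `{
  "repo": {"name": "github.com/example/project", "commit": "0000000000000000000000000000000000000000"},
  "findings": [
    {"probe": "archived", "outcome": "False", "message": "Repository is not archived."},
    {"probe": "fuzzed", "outcome": "True", "message": "OSS-Fuzz integration found"},
    {"probe": "fuzzed", "outcome": "True", "message": "Go native fuzzing found"},
    {"probe": "hasLicenseFile", "outcome": "True", "message": "project has a license file"}
  ]
}`

const sampleFail = `{
  "findings": [
    {"probe": "archived", "outcome": "True", "message": "Repository is archived."},
    {"probe": "fuzzed", "outcome": "Error", "message": "internal error: OSS-Fuzz client unavailable"}
  ]
}`

func main() {
	samples := []struct{ name, raw string }{{"pass", samplePass}, {"fail", sampleFail}}
	for _, s := range samples {
		vs, err := evaluate(defaultPolicy, []byte(s.raw))
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		fmt.Printf("%s: %d violation(s)\n", s.name, len(vs))
		for _, v := range vs {
			fmt.Println("  ", v)
		}
	}
}
```

To gate on a real repository, write the report to a file (scorecard --repo ... --probes archived,fuzzed,hasLicenseFile --format probe > report.json) and feed its bytes to evaluate in place of the constructed samples; verify the outcome strings and the per-probe finding counts against the Scorecard version you run before relying on the gate.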

Check Enhancements and Bug Fixes

  • Branch-Protection
    • ✨ The Branch-Protection check now also evaluates whether the project requires pull requests before changes can be made to the branch. This changes nothing for users who already require reviews, but enables a higher score for those who cannot require reviewers. (#3499, @diogoteles08)
  • Dependency-Update-Tool
    • ✨ Dependency-Update-Tool now detects Renovate config files in a .gitlab folder. (#3823, @spencerschrock)
    • 🐛 Sonatype Lift is no longer recognized as a Dependency-Update-Tool because it is retired. (#3605, @spencerschrock)
    • 🐛 Dependency-Update-Tool: ignore search commit data for repo clients which don't support it by @spencerschrock in #3756
  • Fuzzing
  • Pinned-Dependencies
    • 🐛 Pinned-Dependencies now continues after encountering runtime errors (#3515, @pnacht)
    • 🐛 Scorecard no longer considers unpinned Dockerfiles in vendor and third_party directories. (#3675, @AdamKorcz)
    • 🐛 Files downloaded from GitHub by Git SHA and then executed are no longer flagged as not pinned by hash. (#3694, @martincostello)
    • 🐛 Shell commands in Dockerfile here-documents are now parsed correctly by the Pinned-Dependencies check (#3774, @jkreileder)
  • Signed-Releases
    • 🐛 Fixed a bug which allowed some repos to score higher than 10 in the Signed-Releases check. (#3768, @spencerschrock)
    • ✨ Support .sigstore bundles to check for signed releases (#3772, @edgarrmondragon)
  • Vulnerabilities
    • 🐛 Projects without dependencies or packages no longer throw an error for the Vulnerabilities check. (#3803, @spencerschrock)
    • 🐛 Go stdlib vulns are removed from the Vulnerabilities check output (#3925, @spencerschrock)

RepoClient Improvements

  • GitHub

    • 🐛 Scorecard processes commit activity from large GitHub repos in chunks to avoid timeout issues (#3680, @spencerschrock)
  • GitLab

    • 🐛 Fix scanning for GitLab private repositories. (#3596, @gabibguti)
    • ✨ Added --commit-depth support for GitLab repos (#3672, @ashearin)
    • 🐛 Parse Gitlab Status fields to align w/Github Status and Conclusion by @ashearin in #3706
    • 🐛 Fix signed release error for empty gitlab repo by @naveensrinivasan in #3753
    • 🐛 Scorecard no longer crashes on GitLab repos with no commits (#3731, @ashearin)
    • 🐛 Fixed a bug which prevented Scorecard from analyzing some self-hosted GitLab repos. (#3819, @spencerschrock)
  • Local Directory

Other

Breaking Changes

  • File access through RepoClient now returns an io.ReadCloser, instead of the full file contents. (#3912, @spencerschrock). This enabled fixing two bugs which affect very large repos.
  • ⚠️ refactor: rename fields on Branch Protection Pull Request rules by @diogoteles08 in #3879
  • ⚠️ remove rule.Remediation and switch users to probe.Remediation by @spencerschrock in #3978

Docs

New Contributors

Full Changelog: v4.13.1...v5.0.0-rc1

v4.13.1

20 Oct 21:36
49c0eed

What's Changed

New

  • Fuzzing

  • Weekly Public Data Cron

    • 🌱 Adding all Intel public GitHub repos by @ware in #3556

Bug Fixes

Docs

New Contributors

Full Changelog: v4.13.0...v4.13.1

v4.13.0

06 Oct 17:32
e1d3abc

What's Changed

New

Bug Fixes

Docs

New Contributors

Full Changelog: v4.12.0...v4.13.0

v4.12.0

07 Aug 21:15
7ed886f

This version of Scorecard supports GitLab repos by default.

This release also adds preliminary support for the scdiff command, which can be used to compare Scorecard scores for a repository between versions of Scorecard, as well as probe support for the Security-Policy check.

Finally, this release fixes scoring issues in the Branch-Protection and Pinned-Dependencies checks.

What's Changed

WIP

Bug Fixes

Docs

New Contributors

Full Changelog: v4.11.0...v4.12.0

v4.11.0

22 Jun 20:00
4edb078

What's Changed

New

  • ✨ Consider haskell-actions/hlint-scan a code scanning action by @chungyc in #2846
  • ✨ Detect fuzzing in Haskell by the presence of property tests. by @chungyc in #2843
  • ✨ The SAST check will look for workflows with the "github/codeql-action/analyze" action locally instead of the GitHub Search API endpoint by @spencerschrock in #2839
  • ✨ Scorecard checks for unpinned dependencies that are retrieved ad-hoc using nuget and dotnet CLIs ("nuget install" and "dotnet add") by @balteravishay in #2779
  • ✨ show non-compliant code changes for CI-Tests, Code-Review and SAST checks in --show-details mode by @ashishkurmi in #2835
  • ✨ Detect semantic-release as a packaging workflow by @travi in #2964
  • ✨ Detect semantic-release as a releasing workflow by @travi in #2989
  • ✨ Add support for github GHES by @patelniketm in #2999 and @rajbos in #2788
  • ✨ Detect fast-check PBT library for JavaScript Fuzzing by @dubzzz in #3073
  • ✨ Run Scorecard on packages hosted at Nuget.org using --nuget=<package> by @balteravishay in #3020

Bug Fixes

  • SAST
  • Vulnerabilities
    • 🐛 Give inconclusive Vulnerabilities score when osv-scanner panics by @spencerschrock in #2896
    • 🐛 Update osv-scanner dependency to include Vulnerabilities check fixes by @laurentS in #2981
  • Pinned-Dependencies
    • 🐛 Pip installs count for Pinned-Dependencies score by @gabibguti in #2922
  • Code-Review

Deprecations

GitLab support (WIP)

Docs

New Contributors

Full Changelog: v4.10.5...v4.11.0

v4.10.5

24 Mar 17:46
27cfe92

Changelog

Bug fixes

  • Fixed a bug which resulted in increased API usage when running the SAST check with a Personal Access Token

GitLab support (WIP)

Full Changelog: v4.10.4...v4.10.5

Thanks to all contributors!

v4.10.4

16 Mar 17:55
9831629

Changelog

  • 9831629 Increase recordings, switch API, and lower tolerance (#2760)
  • 8966abd Initial implementation of go-git client (#2720)
  • 603263c 🐛 Fix typo in CITests runtime errors causing duplicate Code-Review checks. (#2756)
  • c20ed9e 🌱 Update .github/workflows/goreleaser.yaml (#2755)
  • 0b45c90 🌱 Bump step-security/harden-runner from 2.2.0 to 2.2.1 (#2753)
  • 23bd295 🌱 Bump github/codeql-action from 2.2.4 to 2.2.6 (#2741)
  • fc026ef 🌱 Bump github.com/google/ko from 0.12.0 to 0.13.0 in /tools (#2742)
  • 2e04214 🌱 Bump tj-actions/changed-files from 35.6.2 to 35.7.0
  • e36b590 🌱 Bump actions/cache from 3.3.0 to 3.3.1 (#2740)
  • 6ff94eb 🐛 Handle editable pip installs (#2731)
  • 110e352 ✨ Gitlab support: RepoClient (#2655)
  • 5625dda 🌱 Bump github.com/onsi/ginkgo/v2 from 2.8.3 to 2.9.0 in /tools
  • d591e38 🌱 Add RepoClient re-use E2E tests. (#2625)
  • a7e81bb 🌱 Bump actions/cache from 3.2.6 to 3.3.0 (#2738)
  • b5254fe 🌱 Bump tj-actions/changed-files from 35.6.1 to 35.6.2 (#2736)
  • 2e6347f 🌱 Bump github.com/moby/buildkit from 0.10.3 to 0.11.4 (#2735)
  • 170af75 🐛 Updates osv-scanner dependency to 1.2.0. (#2704)
  • 5f13a66 Atomically load from accessState to avoid data race. (#2732)
  • 0c090b3 🌱 Updated the coverage for tests (#2728)
  • 0169c37 🌱 Setup cron for running as GitHub App (#2721)
  • d708c6c 🌱 Bump tj-actions/changed-files from 35.5.4 to 35.6.1
  • fb12a39 🌱 Bump github.com/google/ko in /tools
  • 0bed3da 🌱 Bump github.com/jszwec/csvutil from 1.7.1 to 1.8.0 (#2698)
  • 61866a0 🐛 Check OSS Fuzz build file for Fuzzing check (#2719)
  • c06ac74 🌱 Removed failing tests (#2718)
  • b8bc65f Add projects to cronjob (#2716)
  • def5ead 📖 update bigquery docs in README (#2714)
  • 36faeac Consider 'src/test' test directories (#2706)
  • 846fb19 Refactor githubrepo CheckRun logic (#2710)
  • 82a122b 🌱 Bump sigstore/cosign-installer from 2.8.1 to 3.0.1
  • c4bd0c5 ⚠️ Update date formats and fields to RFC3339 (#2712)
  • 8add330 📖 Fix links. (#2703)
  • 35a7dd5 🌱 Bump kubernetes-sigs/kubebuilder-release-tools
  • c7e362d 🌱 Bump step-security/harden-runner from 2.1.0 to 2.2.0
  • be8a437 🌱 Bump github.com/onsi/ginkgo/v2 from 2.8.1 to 2.8.3 in /tools (#2694)
  • 034add1 🌱 Bump k8s.io/client-go from 0.18.8 to 0.20.0
  • feb267a 🌱 Bump golang.org/x/net from 0.6.0 to 0.7.0 in /tools
  • 78069d8 Consider ko-build/setup-ko as a packaging workflow (#2692)
  • db6a26e 🌱 Bump actions/cache from 3.2.3 to 3.2.6
  • 24b779f 🌱 Bump mvdan.cc/sh/v3 from 3.5.1 to 3.6.0 (#2615)
  • 48813a3 🌱 Bump golang.org/x/net from 0.5.0 to 0.7.0 (#2680)
  • d334409 Add Azure Devops as valid CI system (#2662)
  • 047c014 🌱 Bump github/codeql-action from 2.2.3 to 2.2.4 (#2676)
  • 5e6a521 🌱 Update deps for fixing GHSA-r48q-9g5r-8q2h (#2675)
  • adb1ce3 🌱 add new github.com/intel repos (#2673)
  • 603cd92 🌱 Bump github.com/onsi/ginkgo/v2 from 2.7.0 to 2.8.1 in /tools (#2660)
  • 559b71b Invite @raghavkaul as maintainer (#2663)
  • 353e2c6 🌱 Bump tj-actions/changed-files from 35.5.0 to 35.5.4 (#2674)
  • c9f582b Limit integration tests to ones that work with the GITHUB_TOKEN. (#2672)
  • 7876a13 🌱 Temporarily skip OSS-Fuzz e2e test. (#2671)
  • 93900ac 🌱 Bump github/codeql-action from 2.2.0 to 2.2.3 (#2649)
  • 8115756 🌱 Bump peter-evans/find-comment from 2.1.0 to 2.2.1 (#2641)
  • ee8dd5d Image build pipeline (#2613)
  • d331f8e Fix typo (add s to ') (#2638)
  • ac008ec 🌱 Bump tj-actions/changed-files from 35.4.4 to 35.5.0 (#2635)
  • 0f33c37 📖 Update docs on how to run and debug locally (#2587)
  • 2ea140a ✨ Structured results for permissions (#2584)
  • 4ebe521 🌱 Bump github/codeql-action from 2.1.39 to 2.2.0 (#2618)
  • 1c6ab16 🌱 Bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.2 (#2600)
  • e6a900d Handle Docker URLs for GitHub actions workflows (#2594)
  • 3f372e9 🌱 Bump tj-actions/changed-files from 35.4.1 to 35.4.4
  • 99398db 🌱 Bump github/codeql-action from 2.1.38 to 2.1.39 (#2607)
  • 9385905 Revert "perf.: run integration tests only on approved PRs (#2609)" (#2612)
  • f25d010 🌱 Bump github.com/google/addlicense in /tools (#2608)
  • a29182d perf.: run integration tests only on approved PRs (#2609)
  • 6112c07 🌱 Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#2539)
  • f1ca6d7 🌱 Bump actions/cache from 3.0.11 to 3.2.3 (#2599)
  • 9c49fbf 🌱 Bump step-security/harden-runner from 2.0.0 to 2.1.0 (#2604)
  • 1b5bdb4 🌱 Bump actions/upload-artifact from 3.1.1 to 3.1.2 (#2601)
  • 67daacc 🌱 Bump tj-actions/changed-files from 35.2.0 to 35.4.1 (#2598)
  • fc299e3 🌱 Bump actions/dependency-review-action from 3.0.2 to 3.0.3 (#2585)
  • 2704fc5 🌱 Bump github.com/xanzy/go-gitlab from 0.77.0 to 0.78.0 (#2591)
  • 4a9c774 🌱 Bump github/codeql-action from 2.1.36 to 2.1.38 (#2597)
  • 811bf75 Add correct contact to CODE_OF_CONDUCT.md (#2508)
  • 47be523 🐛 Retain tag when remediating unpinned docker images. (#2595)
  • b30bc79 🌱 Bump golang.org/x/tools from 0.4.0 to 0.5.0 (#2592)
  • 3e4dca5 🌱 Bump github.com/goreleaser/goreleaser in /tools (#2586)
  • 75adffe 🌱 Bump github.com/onsi/gomega from 1.24.1 to 1.24.2 (#2562)
  • 63ffde8 🌱 Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.7.0 (#2590)
  • bf516e1 🐛 Use leveled scoring for Code Review check (#2542)
  • ed9576c Update name of Branch Protection Rule (#2589)
  • 6ded57e 🌱 Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.7.0 in /tools (#2588)
  • 78d0903 🌱 Bump github.com/goreleaser/goreleaser in /tools (#2573)
  • be695d1 🐛 Add wasm files as binary artifacts (#2548)
  • a2bc29a 🌱 Bump actions/checkout from 3.2.0 to 3.3.0 (#2583)
  • 1d15e9c classic personal access tokens required (#2565)
  • 7c0edac 🌱 Bump nick-invision/retry from 2.8.2 to 2.8.3 (#2576)
  • 6ff06a3 🌱 Bump actions/setup-go from 3.3.1 to 3.5.0 (#2575)
  • 72d4e98 🌱 Bump tj-actions/changed-files from 35.1.0 to 35.2.0 (#2574)
  • cf3a43f 🌱 Bump ossf/scorecard-action from 2.1.1 to 2.1.2 (#2570)
  • 4d5cbb4 🐛 Fix Renovate bot typo (#2569)
  • 90cdd98 Disable scorecard on PRs (#2571)
  • 6bf19d5 🌱 Switch from paths-ignore to changed-files action to skip required checks. (#2566)
  • c6d7680 🌱 Bump github.com/xanzy/go-gitlab from 0.76.0 to 0.77.0 (#2563)
  • 7e64b36 🌱 Bump golang.org/x/tools from 0.3.0 to 0.4.0 (#2525)

Thanks to all contributors!

v4.10.3

16 Mar 17:54
9ad9757

Changelog

  • 9ad9757 Increase recordings, switch API, and lower tolerance
  • 8966abd Initial implementation of go-git client (#2720)
  • 603263c 🐛 Fix typo in CITests runtime errors causing duplicate Code-Review checks. (#2756)
  • c20ed9e 🌱 Update .github/workflows/goreleaser.yaml (#2755)
  • 0b45c90 🌱 Bump step-security/harden-runner from 2.2.0 to 2.2.1 (#2753)
  • 23bd295 🌱 Bump github/codeql-action from 2.2.4 to 2.2.6 (#2741)
  • fc026ef 🌱 Bump github.com/google/ko from 0.12.0 to 0.13.0 in /tools (#2742)
  • 2e04214 🌱 Bump tj-actions/changed-files from 35.6.2 to 35.7.0
  • e36b590 🌱 Bump actions/cache from 3.3.0 to 3.3.1 (#2740)
  • 6ff94eb 🐛 Handle editable pip installs (#2731)
  • 110e352 ✨ Gitlab support: RepoClient (#2655)
  • 5625dda 🌱 Bump github.com/onsi/ginkgo/v2 from 2.8.3 to 2.9.0 in /tools
  • d591e38 🌱 Add RepoClient re-use E2E tests. (#2625)
  • a7e81bb 🌱 Bump actions/cache from 3.2.6 to 3.3.0 (#2738)
  • b5254fe 🌱 Bump tj-actions/changed-files from 35.6.1 to 35.6.2 (#2736)
  • 2e6347f 🌱 Bump github.com/moby/buildkit from 0.10.3 to 0.11.4 (#2735)
  • 170af75 🐛 Updates osv-scanner dependency to 1.2.0. (#2704)
  • 5f13a66 Atomically load from accessState to avoid data race. (#2732)
  • 0c090b3 🌱 Updated the coverage for tests (#2728)
  • 0169c37 🌱 Setup cron for running as GitHub App (#2721)
  • d708c6c 🌱 Bump tj-actions/changed-files from 35.5.4 to 35.6.1
  • fb12a39 🌱 Bump github.com/google/ko in /tools
  • 0bed3da 🌱 Bump github.com/jszwec/csvutil from 1.7.1 to 1.8.0 (#2698)
  • 61866a0 🐛 Check OSS Fuzz build file for Fuzzing check (#2719)
  • c06ac74 🌱 Removed failing tests (#2718)
  • b8bc65f Add projects to cronjob (#2716)
  • def5ead 📖 update bigquery docs in README (#2714)
  • 36faeac Consider 'src/test' test directories (#2706)
  • 846fb19 Refactor githubrepo CheckRun logic (#2710)
  • 82a122b 🌱 Bump sigstore/cosign-installer from 2.8.1 to 3.0.1
  • c4bd0c5 ⚠️ Update date formats and fields to RFC3339 (#2712)
  • 8add330 📖 Fix links. (#2703)
  • 35a7dd5 🌱 Bump kubernetes-sigs/kubebuilder-release-tools
  • c7e362d 🌱 Bump step-security/harden-runner from 2.1.0 to 2.2.0
  • be8a437 🌱 Bump github.com/onsi/ginkgo/v2 from 2.8.1 to 2.8.3 in /tools (#2694)
  • 034add1 🌱 Bump k8s.io/client-go from 0.18.8 to 0.20.0
  • feb267a 🌱 Bump golang.org/x/net from 0.6.0 to 0.7.0 in /tools
  • 78069d8 Consider ko-build/setup-ko as a packaging workflow (#2692)
  • db6a26e 🌱 Bump actions/cache from 3.2.3 to 3.2.6
  • 24b779f 🌱 Bump mvdan.cc/sh/v3 from 3.5.1 to 3.6.0 (#2615)
  • 48813a3 🌱 Bump golang.org/x/net from 0.5.0 to 0.7.0 (#2680)
  • d334409 Add Azure Devops as valid CI system (#2662)
  • 047c014 🌱 Bump github/codeql-action from 2.2.3 to 2.2.4 (#2676)
  • 5e6a521 🌱 Update deps for fixing GHSA-r48q-9g5r-8q2h (#2675)
  • adb1ce3 🌱 add new github.com/intel repos (#2673)
  • 603cd92 🌱 Bump github.com/onsi/ginkgo/v2 from 2.7.0 to 2.8.1 in /tools (#2660)
  • 559b71b Invite @raghavkaul as maintainer (#2663)
  • 353e2c6 🌱 Bump tj-actions/changed-files from 35.5.0 to 35.5.4 (#2674)
  • c9f582b Limit integration tests to ones that work with the GITHUB_TOKEN. (#2672)
  • 7876a13 🌱 Temporarily skip OSS-Fuzz e2e test. (#2671)
  • 93900ac 🌱 Bump github/codeql-action from 2.2.0 to 2.2.3 (#2649)
  • 8115756 🌱 Bump peter-evans/find-comment from 2.1.0 to 2.2.1 (#2641)
  • ee8dd5d Image build pipeline (#2613)
  • d331f8e Fix typo (add s to ') (#2638)
  • ac008ec 🌱 Bump tj-actions/changed-files from 35.4.4 to 35.5.0 (#2635)
  • 0f33c37 📖 Update docs on how to run and debug locally (#2587)
  • 2ea140a ✨ Structured results for permissions (#2584)
  • 4ebe521 🌱 Bump github/codeql-action from 2.1.39 to 2.2.0 (#2618)
  • 1c6ab16 🌱 Bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.2 (#2600)
  • e6a900d Handle Docker URLs for GitHub actions workflows (#2594)
  • 3f372e9 🌱 Bump tj-actions/changed-files from 35.4.1 to 35.4.4
  • 99398db 🌱 Bump github/codeql-action from 2.1.38 to 2.1.39 (#2607)
  • 9385905 Revert "perf.: run integration tests only on approved PRs (#2609)" (#2612)
  • f25d010 🌱 Bump github.com/google/addlicense in /tools (#2608)
  • a29182d perf.: run integration tests only on approved PRs (#2609)
  • 6112c07 🌱 Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#2539)
  • f1ca6d7 🌱 Bump actions/cache from 3.0.11 to 3.2.3 (#2599)
  • 9c49fbf 🌱 Bump step-security/harden-runner from 2.0.0 to 2.1.0 (#2604)
  • 1b5bdb4 🌱 Bump actions/upload-artifact from 3.1.1 to 3.1.2 (#2601)
  • 67daacc 🌱 Bump tj-actions/changed-files from 35.2.0 to 35.4.1 (#2598)
  • fc299e3 🌱 Bump actions/dependency-review-action from 3.0.2 to 3.0.3 (#2585)
  • 2704fc5 🌱 Bump github.com/xanzy/go-gitlab from 0.77.0 to 0.78.0 (#2591)
  • 4a9c774 🌱 Bump github/codeql-action from 2.1.36 to 2.1.38 (#2597)
  • 811bf75 Add correct contact to CODE_OF_CONDUCT.md (#2508)
  • 47be523 🐛 Retain tag when remediating unpinned docker images. (#2595)
  • b30bc79 🌱 Bump golang.org/x/tools from 0.4.0 to 0.5.0 (#2592)
  • 3e4dca5 🌱 Bump github.com/goreleaser/goreleaser in /tools (#2586)
  • 75adffe 🌱 Bump github.com/onsi/gomega from 1.24.1 to 1.24.2 (#2562)
  • 63ffde8 🌱 Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.7.0 (#2590)
  • bf516e1 🐛 Use leveled scoring for Code Review check (#2542)
  • ed9576c Update name of Branch Protection Rule (#2589)
  • 6ded57e 🌱 Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.7.0 in /tools (#2588)
  • 78d0903 🌱 Bump github.com/goreleaser/goreleaser in /tools (#2573)
  • be695d1 🐛 Add wasm files as binary artifacts (#2548)
  • a2bc29a 🌱 Bump actions/checkout from 3.2.0 to 3.3.0 (#2583)
  • 1d15e9c classic personal access tokens required (#2565)
  • 7c0edac 🌱 Bump nick-invision/retry from 2.8.2 to 2.8.3 (#2576)
  • 6ff06a3 🌱 Bump actions/setup-go from 3.3.1 to 3.5.0 (#2575)
  • 72d4e98 🌱 Bump tj-actions/changed-files from 35.1.0 to 35.2.0 (#2574)
  • cf3a43f 🌱 Bump ossf/scorecard-action from 2.1.1 to 2.1.2 (#2570)
  • 4d5cbb4 🐛 Fix Renovate bot typo (#2569)
  • 90cdd98 Disable scorecard on PRs (#2571)
  • 6bf19d5 🌱 Switch from paths-ignore to changed-files action to skip required checks. (#2566)
  • c6d7680 🌱 Bump github.com/xanzy/go-gitlab from 0.76.0 to 0.77.0 (#2563)
  • 7e64b36 🌱 Bump golang.org/x/tools from 0.3.0 to 0.4.0 (#2525)

Thanks to all contributors!