* :seedling: Remove go.mod replaces (#3440)
* remove old replace directives.
Signed-off-by: Spencer Schrock <[email protected]>
* Remove dgrijalva/jwt-go replace.
Project now maintained at github.com/golang-jwt/jwt. So it's unused.
Signed-off-by: Spencer Schrock <[email protected]>
* remove replace on unused github.com/buger/jsonparser
Signed-off-by: Spencer Schrock <[email protected]>
* remove unused github.com/gorilla/handlers replace.
Signed-off-by: Spencer Schrock <[email protected]>
* remove unused github.com/miekg/dns
Signed-off-by: Spencer Schrock <[email protected]>
* remove unused github.com/ulikunitz/xz
Signed-off-by: Spencer Schrock <[email protected]>
* remove unused github.com/satori/go.uuid
Signed-off-by: Spencer Schrock <[email protected]>
* replace directive no longer needed for github.com/opencontainers/image-spec.
Signed-off-by: Spencer Schrock <[email protected]>
* potentially unneeded replace for github.com/emicklei/go-restful
Signed-off-by: Spencer Schrock <[email protected]>
* potentially unneeded replace for github.com/docker/distribution
Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
* :seedling: Bump actions/cache from 3.3.1 to 3.3.2 (#3463)
Bumps [actions/cache](https://github.com/actions/cache) from 3.3.1 to 3.3.2.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8...704facf57e6136b1bc63b828d79edcd491f0ee84)
---
updated-dependencies:
- dependency-name: actions/cache
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#3459)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.2 to 3.1.3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/0b7f8abb1508181956e8e162db84b466c27e18ce...a8a3f3ad30e3422c9c7b888a15615d19a852ae32)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#3461)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.8 to 3.1.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/f6fff72a3217f580d5afd49a46826795305b63c7...6c5ccdad469c9f8a2996bfecaec55a631a347034)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump tj-actions/changed-files from 39.0.0 to 39.0.2 (#3470)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.0.0 to 39.0.2.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/48566bbcc22ceb7c5809ebdd27377309f2c3de8c...6ee9cdc5816333acda68e01cf12eedc619e28316)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/bradleyfalzon/ghinstallation/v2 (#3467)
Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.6.0 to 2.7.0.
- [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases)
- [Commits](https://github.com/bradleyfalzon/ghinstallation/compare/v2.6.0...v2.7.0)
---
updated-dependencies:
- dependency-name: github.com/bradleyfalzon/ghinstallation/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump cloud.google.com/go/bigquery from 1.54.0 to 1.55.0 (#3471)
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.54.0 to 1.55.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.54.0...bigquery/v1.55.0)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* ✨ Support Branch-Protection via GitHub Repository Rules (#3354)
* repo rulesets via v4 api
Signed-off-by: Peter Wagner <[email protected]>
* good enough fnmatch implementation.
Signed-off-by: Spencer Schrock <[email protected]>
* good enough rulesMatchingBranch
Signed-off-by: Peter Wagner <[email protected]>
* apply matching repo rules to branch protection settings
Signed-off-by: Peter Wagner <[email protected]>
* rules: consider admins and require checks
Signed-off-by: Peter Wagner <[email protected]>
* non-structural changes from PR feedback
Signed-off-by: Peter Wagner <[email protected]>
* fetch default branch name during repo rules query
Signed-off-by: Peter Wagner <[email protected]>
* Testing applyRepoRules
Tests assume a single rule is being applied to a branch, which might be
guarded by a legacy branch protection rule.
I think this logic gets problematic when there are multiple rules
overlaid on the same branch: the "the existing rules does not enforce
for admins, but i do and therefore this branch now does" will give
false-positives.
Signed-off-by: Peter Wagner <[email protected]>
* Test_applyRepoRules: builder and standardize names
Signed-off-by: Peter Wagner <[email protected]>
* attempt to upgrade/downgrade EnforceAdmins as each rule is applied
Signed-off-by: Peter Wagner <[email protected]>
* simplify enforce admin for now.
Signed-off-by: Spencer Schrock <[email protected]>
* handle merging pull request reviews
Signed-off-by: Spencer Schrock <[email protected]>
* handle merging check rules
Signed-off-by: Spencer Schrock <[email protected]>
* handle last push approval
Signed-off-by: Spencer Schrock <[email protected]>
* handle linear history
Signed-off-by: Spencer Schrock <[email protected]>
* use constants for github rule types.
Signed-off-by: Spencer Schrock <[email protected]>
* add status check test.
Signed-off-by: Spencer Schrock <[email protected]>
* add e2e test for repo rules.
Signed-off-by: Spencer Schrock <[email protected]>
* handle nil branch name data
Signed-off-by: Spencer Schrock <[email protected]>
* add tracking issue.
Signed-off-by: Spencer Schrock <[email protected]>
* fix precedence in if statement
Signed-off-by: Spencer Schrock <[email protected]>
* include repo rules in the check docs.
Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Peter Wagner <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Co-authored-by: Spencer Schrock <[email protected]>
* 🌱 workflows/stale: Update workflow to increase operations-per-run to process more issues (#3483)
* Update workflow to increase operations per run to process more issues
* 🌱 workflows/stale: Increased operations-per-run from default and reduced days to close stale issues
* Update URI() for GitLab repos. Add fuzzing test (#3477)
Signed-off-by: Raghav Kaul <[email protected]>
* :bug: Print Info in Empty Repo Scans (#3426)
* issue 2157 changes
Signed-off-by: leec94 <[email protected]>
* incorporated feedback
Signed-off-by: leec94 <[email protected]>
* making the linter happy
Signed-off-by: leec94 <[email protected]>
* changing to local variable, testing still not working
Signed-off-by: leec94 <[email protected]>
* update tests to ignore date
Signed-off-by: leec94 <[email protected]>
* ran through linter
Signed-off-by: leec94 <[email protected]>
* resolving suggestions
Signed-off-by: leec94 <[email protected]>
---------
Signed-off-by: leec94 <[email protected]>
* :seedling: Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 (#3478)
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 4.6.0 to 5.0.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](https://github.com/goreleaser/goreleaser-action/compare/5fdedb94abba051217030cc86d4523cf3f02243d...7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8)
---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/go-git/go-git/v5 from 5.8.1 to 5.9.0 (#3479)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.8.1 to 5.9.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.8.1...v5.9.0)
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/google/osv-scanner from 1.3.6 to 1.4.0 (#3481)
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.6 to 1.4.0.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.3.6...v1.4.0)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump tj-actions/changed-files from 39.0.2 to 39.1.0 (#3488)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.0.2 to 39.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/6ee9cdc5816333acda68e01cf12eedc619e28316...8e79ba7ab9fee9984275219aeb2c8db47bcb8a2d)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :book: Add webviewer link (#3490)
* Update README.md
Add link to webviewer
* Update faq.md
Update webviewer link in FAQ
* Update README.md
Typo
* Update faq.md
Linebreak
* 🌱 workflows/stale: Remove issue auto-close (#3493)
* :seedling: Reduce confusion around codecov check status. (#3492)
With our current upload setup, it will always show a drop of 6-7%.
This is confusing to contributors, so make the check always pass.
Also fixes the threshold for the patch coverage.
Signed-off-by: Spencer Schrock <[email protected]>
* :book: Add gitlab links to viewer example (#3494)
* Update README.md
Signed-off-by: olivekl <[email protected]>
* Update faq.md
Signed-off-by: olivekl <[email protected]>
---------
Signed-off-by: olivekl <[email protected]>
* :bug: Fix npe for GitLab repos without license API data (#3500)
Signed-off-by: Raghav Kaul <[email protected]>
* :seedling: Bump tj-actions/changed-files from 39.1.0 to 39.1.2 (#3504)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.1.0 to 39.1.2.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/8e79ba7ab9fee9984275219aeb2c8db47bcb8a2d...41960309398d165631f08c5df47a11147e14712b)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump actions/checkout from 4.0.0 to 4.1.0 (#3511)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/3df4ab11eba7bda6032a0b82a6bb43b11571feac...8ade135a41bc03ea155e62e844d188df1ea18608)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :sparkles: scdiff: add basic stats command to count scores by buckets (#3458)
* wip
Signed-off-by: Spencer Schrock <[email protected]>
* output via tabwriter
Signed-off-by: Spencer Schrock <[email protected]>
* specify by check.
Signed-off-by: Spencer Schrock <[email protected]>
* Return aggregate score when unmarshalling.
Signed-off-by: Spencer Schrock <[email protected]>
* convert from score to bucket in one place. use aggregate score from func
Signed-off-by: Spencer Schrock <[email protected]>
* fix forgotten usage of ExperimentalFromJSON2
Signed-off-by: Spencer Schrock <[email protected]>
* use sentinel errors.
Signed-off-by: Spencer Schrock <[email protected]>
* move counting to own func for testability
Signed-off-by: Spencer Schrock <[email protected]>
* remove unneeded fields from results for readability.
Signed-off-by: Spencer Schrock <[email protected]>
* add test for parse errors.
Signed-off-by: Spencer Schrock <[email protected]>
* share max result size for any bufio.Scanner which reads results.
Signed-off-by: Spencer Schrock <[email protected]>
* add basic overall test for calcing stats.
Signed-off-by: Spencer Schrock <[email protected]>
* make missing file argument generic.
Signed-off-by: Spencer Schrock <[email protected]>
* validate min args with cobra.
Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
* :seedling: Switch test import to remove gotest.tools dependency. (#3501)
Signed-off-by: Spencer Schrock <[email protected]>
* :bug: Set repo commit SHA in results after fetching successfully. (#3514)
Signed-off-by: Spencer Schrock <[email protected]>
* :seedling: Don't close stale issues explicitly (#3513)
Issues are still getting closed after https://github.com/ossf/scorecard/pull/3493.
I assume there's a default value being used somewhere.
Signed-off-by: Spencer Schrock <[email protected]>
* :sparkles: Move "EnforcesAdmins" to tier 5 Branch-Protection (#3502)
* Remove EnforceAdmins from tier 1.
Scores in some tests either increase to 3, or 4, since EnforceAdmins no longer keeps them in tier 1.
The number of Debug, Info, and Warn messages will decrease by 1 per branch, since we're no longer logging them.
Signed-off-by: Spencer Schrock <[email protected]>
* move enforce admins to tier 5.
Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
* :bug: Pinned-Dependencies: only score detected ecosystems (#3436)
* feat: Define if dependency is pinned or unpinned
Add a field Pinned to Dependency structure.
Update to save Dependencies pinned and unpinned. Not only unpinned ones.
All download-then-run executions are considered unpinned, because there is no remediation to pin them.
For package manager downloads: add early return if there are no commands, separate package manager identification (go, npm, choco, pip) from decision if installation is pinned or unpinned.
Change Go case "go get -d -v" considered pinned, to any Go installations containing "-d" to be considered pinned.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* refactor: Convert diff var types to pointer
We need to add a new conversion of boolean to pointer. Currently, we had string and int conversions named asPointer but not used in the same file. In order to know when we are using which conversion and considering bool and string would have to be used in the same file, it was needed to differentiate the method names. New method names are asIntPointer, asStringPointer and soon asBoolPointer.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Pinned Dependency field type
Field needs to be a pointer to work when accessing values on evaluation.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: Count pinned and unpinned deps
We're changing the ecosystems result structure. The result structure previously stored if the ecosystem is fully pinned or not. The new result structure can tell how many dependencies of that ecosystem were found and how many were pinned. This change is necessary to ignore not applicable ecosystems on the final aggregated score. When iterating the dependencies, now we go through pinned and unpinned dependencies, not only unpinned, and in each iteration we update the result. We kept the behavior of only logging warnings for unpinned dependencies.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: Flag not applicable ecosystems
If no dependencies of an ecosystem are found, it results in an inconclusive score (-1). As in other checks, this means here that the ecosystem scoring is not applicable in this case. At the same time, we are keeping the scoring criteria the same. If all dependencies are pinned, it results in the maximum score (10) and if 1 or more dependencies are unpinned, it results in the minimum score (0) for that ecosystem. GitHub workflow cases are handled differently but the idea is the same. We are also adding a log to know when an ecosystem was not found.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: Score only applicable ecosystems
Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: If no dependencies then create inconclusive score
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: GitHub Actions score and logs
Change test from `createReturnValuesForGitHubActionsWorkflowPinned` function to `createReturnForIsGitHubActionsWorkflowPinned` wrapper function so we can test logs. We have adjusted the existing test cases and included new test cases.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Pinned dependencies score
Break "various warnings" tests into smaller tests for pinned and unpinned dependencies and how they react to warn and debug messages. Plus add tests for how the score is affected when all dependencies are pinned, when no dependencies are pinned, when there are no dependencies, and partial dependencies pinned. Also, how dependencies unpinned in 1 or multiple ecosystems affect the warn messages, add one unpinned case for each ecosystem to see if they are being detected and separate the download then run 2 possible cases, which are currently scoring and logging wrong due to a bug.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Ecosystems score and logs
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Remove deleted maxScore function test
When we changed the scoring method to ignore not applicable scores, we removed the normalization of inconclusive scores to 0. The normalization was done by `maxScore` function, that was deleted in the process.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Adding GitHub Actions dependencies to result
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Update GitHub Actions result
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Update pip installs result
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Handle if nuget dependency is pinned or unpinned
Signed-off-by: Gabriela Gutierrez <[email protected]>
* tests: Fix check warnings for unpinned dependencies
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Linter errors
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: GitHub Actions pinned log
If, for example, you have GitHub-owned actions and no Third-party actions, you should receive a "no Third-party actions found" log and not receive an "all Third-party actions are pinned" log. At the same time, you deserve the score of pinning Third-party to complement the GitHub-owned score.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix "ossf-tests/scorecard-check-pinned-dependencies-e2e"
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions, only GitHub-owned actions, which are unpinned, no npm installs, multiple go installs all pinned, and all other dependency types are unpinned. This gives us 8 for actionScore, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 28/7 =~ 4, and now the total score is 18/6 =~ 3. The number of logs remains the same. The "all Third-party actions are pinned" will be replaced by "no Third-party actions found", which is a more realistic info, and the same thing for npm installs.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* Revert rename `asPointer` to `asStringPointer`
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Handle deps with parsing error and undefined pinning
When a dependency has a parsing error it ends up with a `Msg` field. In this case, the dependency should not count in the final score, so we should not `updatePinningResults` in this case. Also, to continue with the evaluation calculation, we need to make sure the dependencies have a `Pinned` state. Here we are adding this validation for it along with a debug log.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Delete unnecessary test
We already have a separate test for if 1 unpinned dependency shows a warn message, and 2 cases for when dependencies have errors and show a debug message.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Add missing dep Location cases
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Simplify Dockerfile pinned as name logic
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: If ecosystem is not found show debug log
If ecosystem is not found show debug log, not info log. This affects the tests, all not found ecosystems will "move" from info logs to debug logs. We are also complementing the `all dependencies pinned` and `all dependencies unpinned` cases so we have the max score case and the min score case using all kinds of dependencies.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix e2e tests and more unit tests
Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: Iterate all dependency types for final score
Now we iterate all existing dependency types in the final score. This will fix the problem of new ecosystems not being counted in the final score because we needed to update the evaluation part. This also fixes the problem of download then run being counted twice for the score. Now, we only have debug logs when there are errors with the dependency metadata. That means we don't log anymore when dependencies of an ecosystem are not found. We changed the info log format when dependencies are all pinned. We simplified the calculation of the scores. We removed unused error returns. And now we only iterate existing ecosystems. If an ecosystem is not found we will not iterate it.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: Proportional score
We count all pinned dependencies over the total found dependencies of all ecosystems for the final score. But, we still want to give low priority to GHA GitHub-owned dependencies over GHA third-party dependencies. That's why we are doing a weighted proportional score: all ecosystems have a normal weight of 10 but GHAs have a weight. If you only have GitHub-owned, it will count as 10, because GHA don't weigh less than other ecosystems. Same for GHA third-party, if you only have GHA third-party, it will also count as 10, because GHAs don't weigh less than other ecosystems. But if you have both GHA GitHub-owned and third-party, GitHub-owned count less than third-party. Trying to keep the same weight as before, GitHub-owned weighs 8 and third-party weighs 2. These weights will make the score be more penalized if you have unpinned third-party and less penalized if you have unpinned GitHub-owned.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: GHA weights in proportional score
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix scores and logs checking
Add new cases for GHA scores since it's weighted differently now. Remove `createReturnValues` test since the function was removed. Fix current tests to adjust number of logs since we don't log if all dependencies are pinned or not anymore. Fix partially pinned score.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix e2e test
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions, only GitHub-owned actions, which are unpinned, no npm installs, multiple go installs all pinned, and all other dependency types are unpinned. This gives us 8 for the GHA ecosystem, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 18/6 =~ 3. Now, we count 5/6 GitHub-owned GHA pinned, 23/36 containerImage pinned, 0/88 downloadThenRun pinned, 2/49 pipCommand pinned, 17/17 goCommand pinned. This results in 47/186 pinned dependencies which results in 2.5 score, that is rounded down to 2. Plus, the number of info logs was reduced since we don't log info for "all pinned dependencies in X ecosystem" anymore.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* refactor: Rename to ProportionalScoreWeighted
Signed-off-by: Gabriela Gutierrez <[email protected]>
* refactor: Var declarations to create proportional score
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Remove unnecessary pointer
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Dependencies priority declaration
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Ecosystem spelling
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Handle 0 weight and 0 total when creating proportional weighted score
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Revert -d flag identification change
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: npm ci command is npm download and is pinned
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Linter errors
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Unexport error variable to other packages
Signed-off-by: Gabriela Gutierrez <[email protected]>
* refactor: Simplify no score groups condition
Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: Log proportion of dependencies pinned
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix unit tests to include info logs
The number of info logs should be the same as the number of identified ecosystems. GitHub-owned GitHubAction and third-party GitHubAction count as different ecosystems.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix e2e tests to include info logs
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has GitHub-owned GitHubActions, containerImage, downloadThenRun, pipCommand and goCommand dependencies. Therefore it will have 5 Info logs, one for each ecosystem.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Linter error
Signed-off-by: Gabriela Gutierrez <[email protected]>
---------
Signed-off-by: Gabriela Gutierrez <[email protected]>
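The weighted proportional score that the Pinned-Dependencies commits above describe, as an added Go example that is not Scorecard's own code: per-ecosystem counts are combined as floor(10 * sum(weight*pinned) / sum(weight*total)), the two kinds of GitHub Actions get split weights only when both are present, and a run that found no dependencies is inconclusive (-1) rather than scored 0. The identifier names, the 2/8 action split (picked so that unpinned third-party actions cost more, as the commit message intends) and the input counts (those quoted in the e2e test commit) are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Hypothetical names, not Scorecard's own identifiers.
const (
	MaxResultScore          = 10
	InconclusiveResultScore = -1
	GitHubOwnedAction       = "gitHubOwnedAction"
	ThirdPartyAction        = "thirdPartyAction"
	// Assumed weights: every ecosystem weighs 10, except that when both kinds of
	// GitHub Actions are present the split makes an unpinned third-party action
	// cost more than an unpinned GitHub-owned one.
	defaultWeight     = 10
	gitHubOwnedWeight = 2
	thirdPartyWeight  = 8
)

// EcosystemResult records how many dependencies of one ecosystem were found
// and how many of them were pinned.
type EcosystemResult struct {
	Name   string
	Pinned int
	Total  int
}

type weightedGroup struct{ pinned, total, weight int }

var errBadCounts = errors.New("counts must satisfy 0 <= pinned <= total")

// assignWeights gives every ecosystem the default weight and applies the
// GitHub Actions split only when both action kinds were actually found.
func assignWeights(results []EcosystemResult) []weightedGroup {
	found := map[string]bool{}
	for _, r := range results {
		if r.Total > 0 {
			found[r.Name] = true
		}
	}
	splitActions := found[GitHubOwnedAction] && found[ThirdPartyAction]
	groups := make([]weightedGroup, 0, len(results))
	for _, r := range results {
		w := defaultWeight
		if splitActions && r.Name == GitHubOwnedAction {
			w = gitHubOwnedWeight
		} else if splitActions && r.Name == ThirdPartyAction {
			w = thirdPartyWeight
		}
		groups = append(groups, weightedGroup{pinned: r.Pinned, total: r.Total, weight: w})
	}
	return groups
}

// proportionalScoreWeighted returns floor(10 * sum(w*pinned) / sum(w*total)).
// Groups with no dependencies or zero weight contribute nothing; if nothing
// contributes the check is inconclusive (-1) rather than scored 0.
func proportionalScoreWeighted(groups []weightedGroup) (int, error) {
	var weightedPinned, weightedTotal int
	for _, g := range groups {
		if g.pinned < 0 || g.pinned > g.total {
			return InconclusiveResultScore, errBadCounts
		}
		if g.total == 0 || g.weight == 0 {
			continue
		}
		weightedPinned += g.weight * g.pinned
		weightedTotal += g.weight * g.total
	}
	if weightedTotal == 0 {
		return InconclusiveResultScore, nil
	}
	return int(math.Floor(float64(weightedPinned*MaxResultScore) / float64(weightedTotal))), nil
}

// PinnedDependenciesScore weights the per-ecosystem counts and scores them.
func PinnedDependenciesScore(results []EcosystemResult) (int, error) {
	return proportionalScoreWeighted(assignWeights(results))
}

func main() {
	// Counts quoted in the e2e test commit message above (constructed input).
	e2e := []EcosystemResult{
		{Name: GitHubOwnedAction, Pinned: 5, Total: 6},
		{Name: "containerImage", Pinned: 23, Total: 36},
		{Name: "downloadThenRun", Pinned: 0, Total: 88},
		{Name: "pipCommand", Pinned: 2, Total: 49},
		{Name: "goCommand", Pinned: 17, Total: 17},
	}
	score, err := PinnedDependenciesScore(e2e)
	fmt.Println("e2e score:", score, err) // 2 <nil>
}
```

With only GitHub-owned actions present every group weighs 10, so the result is the plain ratio of pinned to found dependencies, floored; the split only changes the outcome when both action kinds were found.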
* :seedling: Bump github.com/onsi/ginkgo/v2 in /tools (#3497)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.0 to 2.12.1.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.12.0...v2.12.1)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.12.0 to 2.12.1 (#3496)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.0 to 2.12.1.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.12.0...v2.12.1)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/xanzy/go-gitlab from 0.91.1 to 0.92.1 (#3517)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.91.1 to 0.92.1.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.91.1...v0.92.1)
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* 📖 Update docs for Signed-Releases check (#3469)
* Update docs for signed-releases
Signed-off-by: Raghav Kaul <[email protected]>
* update docs
Signed-off-by: Raghav Kaul <[email protected]>
---------
Signed-off-by: Raghav Kaul <[email protected]>
* :seedling: Bump github.com/rhysd/actionlint from 1.6.15 to 1.6.26 (#3489)
* bump actionlint.
Signed-off-by: Spencer Schrock <[email protected]>
* fix unit tests.
Signed-off-by: Spencer Schrock <[email protected]>
* include latest update.
Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
* :seedling: Bump github.com/onsi/gomega from 1.27.10 to 1.28.0 (#3523)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.10 to 1.28.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.10...v1.28.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* ✨ Add --output argument to write results to file (#3482)
* feat: Create output file argument
Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: Write results to output file
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Default results format output
Print results headline to output, which may be a file.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: Log start and end of checks work to console
Independent of the logs being output to console or a file, the information on which checks are running is still relevant. Now, we always log this info to the console.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix options unit tests
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Output option content and shorthand
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Output to file with correct format
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix helper function with linter error
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Define output to console or file inside FormatResults
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Remove intermediate variable to define output
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix error log
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Close output file before writing results
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix unit test
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix remove file even if test fails
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix fail test cases
Fail the test if results cannot be formatted or the real or expected outputs cannot be read.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Copyright notice year and license header spacing
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Rename Output to ResultsFile
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Linter errors
Signed-off-by: Gabriela Gutierrez <[email protected]>
* Revert "feat: Log start and end of checks work to console"
This reverts commit c4a00a5ca7268d91940dd2784277373e630fcad2.
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Print results headline in default format
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix default format result test
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Close output only when it's a file
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Linter error
Signed-off-by: Gabriela Gutierrez <[email protected]>
---------
Signed-off-by: Gabriela Gutierrez <[email protected]>
* :seedling: Bump step-security/harden-runner from 2.5.1 to 2.6.0 (#3532)
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.5.1 to 2.6.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/8ca2b8b2ece13480cda6dacd3511b49857a23c09...1b05615854632b887b69ae1be8cbefe72d3ae423)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump tj-actions/changed-files from 39.1.2 to 39.2.1 (#3531)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.1.2 to 39.2.1.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/41960309398d165631f08c5df47a11147e14712b...db153baf731265ad02cd490b07f470e2d55e3345)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Fix race condition in output file test. (#3533)
Signed-off-by: Spencer Schrock <[email protected]>
* :book: Fix documentation typos (#3505)
* fix typo
Signed-off-by: omahs <[email protected]>
* fix typos
Signed-off-by: omahs <[email protected]>
* fix typo
Signed-off-by: omahs <[email protected]>
* fix typo
Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: omahs <[email protected]>
* fix typos
Signed-off-by: omahs <[email protected]>
---------
Signed-off-by: omahs <[email protected]>
* :sparkles: broaden job matcher for semantic release (#3506)
* feat: broaden job matcher for semantic release
Signed-off-by: secustor <[email protected]>
* tests(checks/permissions): add tests for semantic release if using pnpm and yarn
Signed-off-by: secustor <[email protected]>
---------
Signed-off-by: secustor <[email protected]>
* :seedling: Bump nick-invision/retry from 2.8.3 to 2.9.0 (#3519)
Bumps [nick-invision/retry](https://github.com/nick-invision/retry) from 2.8.3 to 2.9.0.
- [Release notes](https://github.com/nick-invision/retry/releases)
- [Changelog](https://github.com/nick-fields/retry/blob/master/.releaserc.js)
- [Commits](https://github.com/nick-invision/retry/compare/943e742917ac94714d2f408a0e8320f2d1fcafcd...14672906e672a08bd6eeb15720e9ed3ce869cdd4)
---
updated-dependencies:
- dependency-name: nick-invision/retry
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/xanzy/go-gitlab from 0.92.1 to 0.92.3 (#3528)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.92.1 to 0.92.3.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.92.1...v0.92.3)
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/otiai10/copy from 1.12.0 to 1.14.0 (#3527)
Bumps [github.com/otiai10/copy](https://github.com/otiai10/copy) from 1.12.0 to 1.14.0.
- [Release notes](https://github.com/otiai10/copy/releases)
- [Commits](https://github.com/otiai10/copy/compare/v1.12.0...v1.14.0)
---
updated-dependencies:
- dependency-name: github.com/otiai10/copy
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/google/osv-scanner from 1.4.0 to 1.4.1 (#3536)
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.0 to 1.4.1.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.4.0...v1.4.1)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/xanzy/go-gitlab from 0.92.3 to 0.93.0 (#3537)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.92.3 to 0.93.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.92.3...v0.93.0)
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :sparkles: scdiff: Limit generating results to specific checks (#3535)
* accept checks arg when generating golden.
Signed-off-by: Spencer Schrock <[email protected]>
* don't shadow import
Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
* :seedling: Add probe test utility (#3541)
Signed-off-by: AdamKorcz <[email protected]>
* :seedling: Sort fields of raw results alphabetically (#3540)
Signed-off-by: AdamKorcz <[email protected]>
Co-authored-by: laurentsimon <[email protected]>
* :seedling: Bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#3544)
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](https://github.com/ossf/scorecard-action/compare/08b4669551908b1024bb425080c797723083c031...483ef80eb98fb506c348f7d62e28055e49fe2398)
---
updated-dependencies:
- dependency-name: ossf/scorecard-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump golang.org/x/oauth2 from 0.12.0 to 0.13.0 (#3545)
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.12.0 to 0.13.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.12.0...v0.13.0)
---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/xanzy/go-gitlab from 0.93.0 to 0.93.1 (#3546)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.93.0 to 0.93.1.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.93.0...v0.93.1)
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump distroless/base from `27647a6` to `29da700` and golang from `ec457a2` to `e9ebfe9` (#3548)
* bump distroless.
Signed-off-by: Spencer Schrock <[email protected]>
* bump golang 1.21
Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
* :seedling: Bump cloud.google.com/go/bigquery from 1.55.0 to 1.56.0 (#3538)
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.55.0 to 1.56.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.55.0...bigquery/v1.56.0)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Add OutcomeNotApplicable (#3539)
Signed-off-by: AdamKorcz <[email protected]>
* :sparkles: Add additional fuzzing probes (#3473)
* Extend with additional fuzzing probes
Signed-off-by: David Korczynski <[email protected]>
* fix formatting
Signed-off-by: David Korczynski <[email protected]>
* cleanup formatting
Signed-off-by: David Korczynski <[email protected]>
* make skip testing optional
Signed-off-by: David Korczynski <[email protected]>
* address reviews
Signed-off-by: David Korczynski <[email protected]>
* add todo
Signed-off-by: David Korczynski <[email protected]>
* nit
Signed-off-by: David Korczynski <[email protected]>
* nit
Signed-off-by: David Korczynski <[email protected]>
* add swift fuzzing probe
Signed-off-by: David Korczynski <[email protected]>
* avoid changing OnMatchingFileContentDo
Signed-off-by: David Korczynski <[email protected]>
* nit
Signed-off-by: David Korczynski <[email protected]>
* undo matching file content extension
Signed-off-by: David Korczynski <[email protected]>
* nit: fix constant
Signed-off-by: David Korczynski <[email protected]>
* test all fileMatchPatterns per client
Signed-off-by: David Korczynski <[email protected]>
* fix test logging counts
Signed-off-by: David Korczynski <[email protected]>
* nit
Signed-off-by: David Korczynski <[email protected]>
---------
Signed-off-by: David Korczynski <[email protected]>
* :book: fix "default" typo (#3543)
Signed-off-by: guoguangwu <[email protected]>
* :seedling: checks/raw: fix struct alignment linter issue (#3550)
Signed-off-by: Spencer Schrock <[email protected]>
* :seedling: Add map to Finding (#3558)
Signed-off-by: AdamKorcz <[email protected]>
* :seedling: Bump golang.org/x/net from 0.16.0 to 0.17.0 (#3563)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.16.0 to 0.17.0.
- [Commits](https://github.com/golang/net/compare/v0.16.0...v0.17.0)
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump golang.org/x/net from 0.14.0 to 0.17.0 in /tools (#3562)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.14.0 to 0.17.0.
- [Commits](https://github.com/golang/net/compare/v0.14.0...v0.17.0)
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Adding all Intel public GitHub repos (#3556)
Signed-off-by: Ryan Ware <[email protected]>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 (#3551)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.1 to 2.13.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.12.1...v2.13.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 in /tools (#3552)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.1 to 2.13.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.12.1...v2.13.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#3557)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.9 to 0.6.0.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.9...v0.6.0)
---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump kubernetes-sigs/kubebuilder-release-tools (#3553)
Bumps [kubernetes-sigs/kubebuilder-release-tools](https://github.com/kubernetes-sigs/kubebuilder-release-tools) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/kubernetes-sigs/kubebuilder-release-tools/releases)
- [Changelog](https://github.com/kubernetes-sigs/kubebuilder-release-tools/blob/master/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/kubebuilder-release-tools/compare/4f3d1085b4458a49ed86918b4b55505716715b77...d8367c29de8af903319d3a76de2436672515729b)
---
updated-dependencies:
- dependency-name: kubernetes-sigs/kubebuilder-release-tools
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :bug: Fix wrong quotes (#3565)
Signed-off-by: AdamKorcz <[email protected]>
* :seedling: Add new outcome to UnmarshalYAML (#3566)
Signed-off-by: AdamKorcz <[email protected]>
* :bug: scdiff: fix generate cmd when no --checks arg provided. (#3570)
Signed-off-by: Spencer Schrock <[email protected]>
* :sparkles: scdiff: improve `compare` usability (#3573)
* fallback to cron style when parsing dates.
The cron output was never updated in #2712. In the interim, support both formats.
Signed-off-by: Spencer Schrock <[email protected]>
* continue on first diff, to highlight all differences.
Signed-off-by: Spencer Schrock <[email protected]>
* tests for date fallback.
Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
* :sparkles: Add fast-check test runners integrations (#3568)
Signed-off-by: Pierre Cavin <[email protected]>
* :seedling: Bump github.com/bradleyfalzon/ghinstallation/v2 (#3575)
Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.7.0 to 2.8.0.
- [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases)
- [Commits](https://github.com/bradleyfalzon/ghinstallation/compare/v2.7.0...v2.8.0)
---
updated-dependencies:
- dependency-name: github.com/bradleyfalzon/ghinstallation/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump tj-actions/changed-files from 39.2.1 to 39.2.3 (#3577)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.2.1 to 39.2.3.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/db153baf731265ad02cd490b07f470e2d55e3345...95690f9ece77c1740f4a55b7f1de9023ed6b1f87)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/google/ko from 0.14.1 to 0.15.0 in /tools (#3578)
Bumps [github.com/google/ko](https://github.com/google/ko) from 0.14.1 to 0.15.0.
- [Release notes](https://github.com/google/ko/releases)
- [Changelog](https://github.com/ko-build/ko/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/ko/compare/v0.14.1...v0.15.0)
---
updated-dependencies:
- dependency-name: github.com/google/ko
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump actions/checkout from 4.1.0 to 4.1.1 (#3580)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/8ade135a41bc03ea155e62e844d188df1ea18608...b4ffde65f46336ab88eb53be808477a3936bae11)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :bug: SAST detect new GitHub app slug for CodeQL (#3591)
* Fix SAST no longer working for CodeQL
The app slug for CodeQL appears to have changed from `github-advanced-security` to `github-code-scanning`, causing the SAST rule to false-negative on commits.
Signed-off-by: martincostello <[email protected]>
* Fix lint warning
Fix lint warning.
Signed-off-by: martincostello <[email protected]>
---------
Signed-off-by: martincostello <[email protected]>
* :seedling: enable the golangci-lint `bugs` preset (#3583)
* enable bugs preset
Signed-off-by: Spencer Schrock <[email protected]>
* fix noctx linter
Signed-off-by: Spencer Schrock <[email protected]>
* fix bodyclose linter
Signed-off-by: Spencer Schrock <[email protected]>
* fix contextcheck linter
Signed-off-by: Spencer Schrock <[email protected]>
* This ignores all existing cases of musttag linter complaints.
This analyzer seems useful in the future, but some of this code
is old and I don't want to change it for existing code now.
Signed-off-by: Spencer Schrock <[email protected]>
* ignore existing nilerr lints.
This behavior is from the initial commit, and primarily affects metrics.
Leaving as is, and hope to benefit from the linter in the future.
Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
* :seedling: use forbidigo linter to prevent print statements (#3585)
* enable forbidigo for print statements.
include reasoning as message exposed to developer.
Signed-off-by: Spencer Schrock <[email protected]>
* remove or grant exceptions for existing print statements
Signed-off-by: Spencer Schrock <[email protected]>
* swap stdout to stderr
Signed-off-by: Spencer Schrock <[email protected]>
* separate msg from regex for better readability.
Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
* :bug: scanning gitlab private repositories (#3596)
* fix: Run for gitlab private repos
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: gitlab repo is accessible
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: linter error
Signed-off-by: Gabriela Gutierrez <[email protected]>
---------
Signed-off-by: Gabriela Gutierrez <[email protected]>
Co-authored-by: Raghav Kaul <[email protected]>
* :seedling: Bump github.com/xanzy/go-gitlab from 0.93.1 to 0.93.2 (#3593)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.93.1 to 0.93.2.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.93.1...v0.93.2)
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: Bump github.com/onsi/gomega from 1.28.0 to 1.28.1 (#3597)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.28.0 to 1.28.1.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.28.0...v1.28.1)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: add style linters: mirror, tenv, usestdlibvars (#3586)
* fix tenv linter and bug with t.Parallel
Signed-off-by: Spencer Schrock <[email protected]>
* fix usestdlibvars linter
Signed-off-by: Spencer Schrock <[email protected]>
* fix mirror linter
Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
* :seedling: enable gomoddirectives linter. (#3584)
Signed-off-by: Spencer Schrock <[email protected]>
* :seedling: enable style linter `errname` (#3587)
* enable errname linter
Signed-off-by: Spencer Schrock <[email protected]>
* convert publish err to custom error type.
Signed-off-by: Spencer Schrock <[email protected]>
* remove unused exported error.
Signed-off-by: Spencer Schrock <[email protected]>
* convert unsupported exporter type to custom error type.
Signed-off-by: Spencer Schrock <[email protected]>
* exempt public errors from linter.
Signed-off-by: Spencer Schrock <[email protected]>
* exempt cron config errors from linter.
Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
* :seedling: remove unused osv helper tool. (#3572)
This is a followup cleanup of d4b44e52eb9a104949f617a62cf47291d1ea2d99 (#2303).
Signed-off-by: Spencer Schrock <[email protected]>
* :seedling: Bump github.com/golangci/golangci-lint in /tools (#3592)
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.54.2 to 1.55.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.54.2...v1.55.0)
---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* :seedling: GitLab: track coverage for gitlab e2e tests (#3601)
Signed-off-by: Raghav Kaul <[email protected]>
* :seedling: Add license probe (#3465)
* :seedling: Add license probe
Signed-off-by: AdamKorcz <[email protected]>
* [WIP] add two remaining license checks as probes
Signed-off-by: AdamKorcz <[email protected]>
* fix nits
Signed-off-by: AdamKorcz <[email protected]>
* Use Errorf in test
Signed-off-by: AdamKorcz <[email protected]>
* use zrunner
Signed-off-by: AdamKorcz <[email protected]>
* fix wrong return value
Signed-off-by: AdamKorcz <[email protected]>
* fix linting issues and remove empty default
Signed-off-by: AdamKorcz <[email protected]>
* fix double if statement
Signed-off-by: AdamKorcz <[email protected]>
* Remove struct field from test
Signed-off-by: AdamKorcz <[email protected]>
* Add test for nil-case of license files slice
Signed-off-by: AdamKorcz <[email protected]>
* rewrite multiple def.ymls
Signed-off-by: AdamKorcz <[email protected]>
* fix nits
Signed-off-by: AdamKorcz <[email protected]>
* Add unit test with multiple unapproved license files
Signed-off-by: AdamKorcz <[email protected]>
* Add link to approved license formats
Signed-off-by: AdamKorcz <[email protected]>
* fix linting
Signed-off-by: AdamKorcz <[email protected]>
* remove comment
Signed-off-by: AdamKorcz <[email protected]>
* preserve logging from original check
Signed-off-by: AdamKorcz <[email protected]>
* fix typo
Signed-off-by: AdamKorcz <[email protected]>
* remove redundant map manipulation
Signed-off-by: AdamKorcz <[email protected]>
* rename hasApproveLicense probe
Signed-off-by: AdamKorcz <[email protected]>
* Return OutcomeNotApplicable if hasFSFOrOSIApprovedLicense probe does not find a license
Signed-off-by: AdamKorcz <[email protected]>
* Include license file locations in log
Signed-off-by: AdamKorcz <[email protected]>
* fix linting issues
Signed-off-by: AdamKorcz <[email protected]>
* replace strings filtering with OutcomeNotApplicable in hasLicenseFileAtTopDir probe
Signed-off-by: AdamKorcz <[email protected]>
* Fix linter issue
Signed-off-by: AdamKorcz <[email protected]>
* Include location of found license files
Signed-off-by: AdamKorcz <[email protected]>
---------
Signed-off-by: AdamKorcz <[email protected]>
* 🌱 convert packaging check to probe (#3486)
* :seedling: convert packaging check to probe
Signed-off-by: AdamKorcz <[email protected]>
* amend text in def.yml
Signed-off-by: AdamKorcz <[email protected]>
* Correct short description in def.yml
Signed-off-by: AdamKorcz <[email protected]>
* log negative findings
Signed-off-by: AdamKorcz <[email protected]>
* rename probe
Signed-off-by: AdamKorcz <[email protected]>
* Fix the broken e2e test: the probe returned the minimum score instead of the inconclusive score, which was not consistent with the previous scoring. This commit also removes the debug statements.
Signed-off-by: AdamKorcz <[email protected]>
* change score text
Signed-off-by: AdamKorcz <[email protected]>
* include file details. process all packaging workflows
Signed-off-by: AdamKorcz <[email protected]>
---------
Signed-off-by: AdamKorcz <[email protected]>
* :seedling: Add probe support for contributors metrics (#3460)
* :seedling: Add probe support for cont…