✨ GitLab: Security Policy check #2754
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Raghav Kaul <[email protected]>
raghavkaul
requested review from
azeemshaikh38,
justaugustus,
laurentsimon,
naveensrinivasan and
spencerschrock
as code owners
raghavkaul
changed the title
raghavkaul
had a problem deploying
to
integration-test
GitHub Actions
Failure
Signed-off-by: Raghav Kaul <[email protected]>
raghavkaul
force-pushed
the
gitlab-checks-securitypolicy
branch
from
0fd1731 to
d3d85c4
Compare
raghavkaul
temporarily deployed
to
integration-test
GitHub Actions
Inactive
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #2754 +/- ##
==========================================
- Coverage 49.51% 49.21% -0.30%
==========================================
Files 157 158 +1
Lines 11795 11962 +167
==========================================
+ Hits 5840 5887 +47
- Misses 5601 5706 +105
- Partials 354 369 +15 |
azeemshaikh38
approved these changes
Mar 15, 2023
azeemshaikh38
approved these changes
Mar 15, 2023
Signed-off-by: Raghav Kaul <[email protected]>
raghavkaul
temporarily deployed
to
integration-test
GitHub Actions
Inactive
Signed-off-by: Raghav Kaul <[email protected]>
raghavkaul
temporarily deployed
to
integration-test
GitHub Actions
Inactive
|
I'd argue changing an interface is a breaking change. |
That's fair. Maybe remove all occurences of |
that works for Org in the Repo interface. But RepoClient had a method added which is also a breaking change. |
|
in terms of breaking changes, if the only breakage is Allstar (who has a mock client that would need to stub the new method), it's probably safe to do if we give Allstar a heads up. And it's a small enough that we could send the update PR |
Can Allstar use Scorecard's mock client - https://github.com/ossf/scorecard/blob/main/clients/mockclients/repo_client.go ? |
|
Thanks Spencer for pointing that out, I wasn't previously aware that people relied on Scorecard's interfaces. I gave a heads up to the Allstar maintainer and they said that they are aware of breakages and will upgrade manually. |
raghavkaul
had a problem deploying
to
integration-test
GitHub Actions
Failure
Signed-off-by: Raghav Kaul <[email protected]>
raghavkaul
temporarily deployed
to
integration-test
GitHub Actions
Inactive
raghavkaul
temporarily deployed
to
integration-test
GitHub Actions
Inactive
balteravishay
pushed a commit
to balteravishay/scorecard
that referenced
this pull request
Mar 22, 2023
* Add tarballHandler for GitLab, enabling repo download Signed-off-by: Raghav Kaul <[email protected]> * Abstract OrgSecurityPolicy details to RepoClient instead of checker Signed-off-by: Raghav Kaul <[email protected]> * Remove Org() from RepoClient Signed-off-by: Raghav Kaul <[email protected]> * Rename Signed-off-by: Raghav Kaul <[email protected]> * Don't run as part of CI tests that depend on external sites Signed-off-by: Raghav Kaul <[email protected]> --------- Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Avishay <[email protected]>
balteravishay
pushed a commit
to balteravishay/scorecard
that referenced
this pull request
Apr 13, 2023
* Add tarballHandler for GitLab, enabling repo download Signed-off-by: Raghav Kaul <[email protected]> * Abstract OrgSecurityPolicy details to RepoClient instead of checker Signed-off-by: Raghav Kaul <[email protected]> * Remove Org() from RepoClient Signed-off-by: Raghav Kaul <[email protected]> * Rename Signed-off-by: Raghav Kaul <[email protected]> * Don't run as part of CI tests that depend on external sites Signed-off-by: Raghav Kaul <[email protected]> --------- Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Avishay <[email protected]>
balteravishay
pushed a commit
to balteravishay/scorecard
that referenced
this pull request
Apr 14, 2023
* Add tarballHandler for GitLab, enabling repo download Signed-off-by: Raghav Kaul <[email protected]> * Abstract OrgSecurityPolicy details to RepoClient instead of checker Signed-off-by: Raghav Kaul <[email protected]> * Remove Org() from RepoClient Signed-off-by: Raghav Kaul <[email protected]> * Rename Signed-off-by: Raghav Kaul <[email protected]> * Don't run as part of CI tests that depend on external sites Signed-off-by: Raghav Kaul <[email protected]> --------- Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Avishay <[email protected]>
laurentsimon
added a commit
that referenced
this pull request
Apr 17, 2023
…dency checks (#2779) * add nuget pinned dependency checks Signed-off-by: Avishay <[email protected]> * checks.yaml Signed-off-by: Avishay <[email protected]> * ✨ GitLab: Security Policy check (#2754) * Add tarballHandler for GitLab, enabling repo download Signed-off-by: Raghav Kaul <[email protected]> * Abstract OrgSecurityPolicy details to RepoClient instead of checker Signed-off-by: Raghav Kaul <[email protected]> * Remove Org() from RepoClient Signed-off-by: Raghav Kaul <[email protected]> * Rename Signed-off-by: Raghav Kaul <[email protected]> * Don't run as part of CI tests that depend on external sites Signed-off-by: Raghav Kaul <[email protected]> --------- Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Bump gocloud.dev from 0.26.0 to 0.29.0 (#2722) * 🌱 Bump gocloud.dev from 0.26.0 to 0.29.0 Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.26.0 to 0.29.0. - [Release notes](https://github.com/google/go-cloud/releases) - [Commits](google/go-cloud@v0.26.0...v0.29.0) --- updated-dependencies: - dependency-name: gocloud.dev dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * Switch pubsubpb import path. See https://github.com/googleapis/google-cloud-go/blob/cf7063dc4d81c2c33e31724db518c24d8a344f6e/migration.md for more details. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github/codeql-action from 2.2.6 to 2.2.7 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.6 to 2.2.7. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@16964e9...168b99b) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Avishay <[email protected]> * Remove unused code from changeset creation (#2776) Signed-off-by: Azeem Shaikh <[email protected]> Signed-off-by: Avishay <[email protected]> * 🐛 Pass proper commit depth to github checkrun handler. (#2777) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Avishay <[email protected]> * pr fixes Signed-off-by: Avishay <[email protected]> * ✨ Support for GitHub's internal integration (#2773) * update Signed-off-by: laurentsimon <[email protected]> * update Signed-off-by: laurentsimon <[email protected]> * update Signed-off-by: laurentsimon <[email protected]> * update Signed-off-by: laurentsimon <[email protected]> * update Signed-off-by: laurentsimon <[email protected]> * update Signed-off-by: laurentsimon <[email protected]> --------- Signed-off-by: laurentsimon <[email protected]> Signed-off-by: Avishay <[email protected]> * 🐛 Add tie breaker when sorting changesets by RevisionID in tests. (#2781) * Remove duplicate RevisionID collision from changeset tests. The map iteration order isn't deterministic and sorting the slices isn't good enough when the revision IDs are equal. Signed-off-by: Spencer Schrock <[email protected]> * remove any potential sha collisions Signed-off-by: Spencer Schrock <[email protected]> * Revert deduplications. Signed-off-by: Spencer Schrock <[email protected]> * Use ReviewPlatform as tie breaker. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 enable fuzzing check in cron. (#2780) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Bump tj-actions/changed-files from 35.7.0 to 35.7.6 (#2782) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.7.0 to 35.7.6. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@bd376fb...07f86bc) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump actions/checkout from 3.3.0 to 3.4.0 (#2767) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.3.0 to 3.4.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@ac59398...24cb908) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump golangci-lint and fix configuration file. (#2783) * Bump golangci-lint to v1.52.1 Signed-off-by: Spencer Schrock <[email protected]> * Remove deprecated linters. Signed-off-by: Spencer Schrock <[email protected]> * Configure errorlint to ignore wrapping multiple errors. We don't use golang 1.20 yet. Signed-off-by: Spencer Schrock <[email protected]> * extra go mod tidy to hide linter. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.9.0 to 2.9.2 in /tools (#2787) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.0 to 2.9.2. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.9.0...v2.9.2) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github/codeql-action from 2.2.7 to 2.2.8 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.7 to 2.2.8. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@168b99b...67a35a0) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Bump actions/dependency-review-action from 3.0.3 to 3.0.4 (#2785) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.3 to 3.0.4. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@c090f4e...f46c48e) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🐛 Restore upload of existing raw result Big Query data (#2795) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Bump tj-actions/changed-files from 35.7.6 to 35.7.7 (#2797) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.7.6 to 35.7.7. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@07f86bc...db5dd7c) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Restore API quota metrics for the weekly cron job. (#2799) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github.com/golangci/golangci-lint in /tools (#2794) Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.52.1 to 1.52.2. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](golangci/golangci-lint@v1.52.1...v1.52.2) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump google.golang.org/protobuf in /tools (#2759) Signed-off-by: Avishay <[email protected]> * 🌱 Bump golang.org/x/tools from 0.6.0 to 0.7.0 (#2769) Signed-off-by: Avishay <[email protected]> * 🌱 Bump github.com/xanzy/go-gitlab from 0.78.0 to 0.81.0 (#2737) * 🌱 Bump github.com/xanzy/go-gitlab from 0.78.0 to 0.81.0 Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.78.0 to 0.81.0. - [Release notes](https://github.com/xanzy/go-gitlab/releases) - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.78.0...v0.81.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * Bump google.golang.org/protobuf to v1.30.0 to satisfy dependency analysis. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Bump actions/stale from 6.0.1 to 8.0.0 (#2793) Bumps [actions/stale](https://github.com/actions/stale) from 6.0.1 to 8.0.0. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](actions/stale@5ebf00e...1160a22) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump actions/setup-go from 3.5.0 to 4.0.0 (#2757) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.5.0 to 4.0.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@6edd440...4d34df0) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0 (#2628) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 4.1.0 to 4.2.0. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@8f67e59...f82d6c1) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github.com/google/osv-scanner (#2803) Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.2.1-0.20230302232134-592acbc2539b to 1.3.0. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/commits/v1.3.0) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github.com/bradleyfalzon/ghinstallation/v2 (#2805) Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.1.0 to 2.2.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.1.0...v2.2.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump cloud.google.com/go/pubsub from 1.28.0 to 1.30.0 (#2804) Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.28.0 to 1.30.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@pubsub/v1.28.0...pubsub/v1.30.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github.com/goreleaser/goreleaser in /tools (#2770) Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.14.1 to 1.16.2. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.14.1...v1.16.2) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump actions/checkout from 3.4.0 to 3.5.0 (#2800) Signed-off-by: Avishay <[email protected]> * 🌱 Bump github/codeql-action from 2.2.8 to 2.2.9 (#2802) Signed-off-by: Avishay <[email protected]> * 🌱 Bump tj-actions/changed-files from 35.7.7 to 35.7.8 (#2801) Signed-off-by: Avishay <[email protected]> * 🌱 Bump github.com/moby/buildkit from 0.11.4 to 0.11.5 (#2809) Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.11.4 to 0.11.5. - [Release notes](https://github.com/moby/buildkit/releases) - [Commits](moby/buildkit@v0.11.4...v0.11.5) --- updated-dependencies: - dependency-name: github.com/moby/buildkit dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump ossf/scorecard-action from 2.1.2 to 2.1.3 (#2806) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.2 to 2.1.3. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@e38b190...80e868c) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github.com/google/osv-scanner from 1.3.0 to 1.3.1 (#2810) Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.0 to 1.3.1. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.3.0...v1.3.1) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github.com/onsi/gomega from 1.27.0 to 1.27.6 (#2807) Signed-off-by: Avishay <[email protected]> * 🌱 Bump cloud.google.com/go/bigquery from 1.48.0 to 1.49.0 Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.48.0 to 1.49.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@bigquery/v1.48.0...bigquery/v1.49.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github.com/go-logr/logr from 1.2.3 to 1.2.4 (#2813) Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.3 to 1.2.4. - [Release notes](https://github.com/go-logr/logr/releases) - [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md) - [Commits](go-logr/logr@v1.2.3...v1.2.4) --- updated-dependencies: - dependency-name: github.com/go-logr/logr dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump cloud.google.com/go/bigquery from 1.49.0 to 1.50.0 (#2818) Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.49.0 to 1.50.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@bigquery/v1.49.0...bigquery/v1.50.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump step-security/harden-runner from 2.2.1 to 2.3.0 (#2823) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.2.1 to 2.3.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@1f99358...03bee39) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github.com/docker/docker in /tools (#2825) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 23.0.1+incompatible to 23.0.3+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v23.0.1...v23.0.3) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github/codeql-action from 2.2.9 to 2.2.11 (#2836) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.9 to 2.2.11. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@04df126...d186a2a) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump tj-actions/changed-files from 35.7.8 to 35.7.12 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.7.8 to 35.7.12. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@e9b5807...b109d83) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Bump sigstore/cosign-installer from 3.0.1 to 3.0.2 (#2842) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.1 to 3.0.2. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@c3667d9...9e9de22) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github.com/xeipuuv/gojsonschema Bumps [github.com/xeipuuv/gojsonschema](https://github.com/xeipuuv/gojsonschema) from 0.0.0-20180618132009-1d523034197f to 1.2.0. - [Release notes](https://github.com/xeipuuv/gojsonschema/releases) - [Commits](https://github.com/xeipuuv/gojsonschema/commits/v1.2.0) --- updated-dependencies: - dependency-name: github.com/xeipuuv/gojsonschema dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Unit tests for checker result and request (#2844) Included tests for checker result and request Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: Avishay <[email protected]> * ✨ Consider haskell-actions/hlint-scan a code scanning action (#2846) * Add haskell-actions/hlint-scan as one of know GitHub actions which upload SARIF. Signed-off-by: Yoo Chung <[email protected]> * Test security-events permissions with actions known to upload SARIF. Signed-off-by: Yoo Chung <[email protected]> --------- Signed-off-by: Yoo Chung <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github.com/bradleyfalzon/ghinstallation/v2 (#2847) Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.2.0...v2.3.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github.com/otiai10/copy from 1.9.0 to 1.10.0 Bumps [github.com/otiai10/copy](https://github.com/otiai10/copy) from 1.9.0 to 1.10.0. - [Release notes](https://github.com/otiai10/copy/releases) - [Commits](otiai10/copy@v1.9.0...v1.10.0) --- updated-dependencies: - dependency-name: github.com/otiai10/copy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github.com/goreleaser/goreleaser in /tools Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.16.2 to 1.17.0. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.16.2...v1.17.0) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Add instructions to test cron controller + worker locally (#2817) * Add GitLab test repos. Signed-off-by: Spencer Schrock <[email protected]> * Add test GitLab projects to release controller. Signed-off-by: Spencer Schrock <[email protected]> * worker gitlab WIP Signed-off-by: Spencer Schrock <[email protected]> * Read config in worker. Signed-off-by: Spencer Schrock <[email protected]> * Use UTC time for shards. This avoids issues when the controller and worker timezones differ. Signed-off-by: Spencer Schrock <[email protected]> * update directions for gcs fake Signed-off-by: Spencer Schrock <[email protected]> * update readme Signed-off-by: Spencer Schrock <[email protected]> * Undo gitlab parts, which will be its own PR. Signed-off-by: Spencer Schrock <[email protected]> * Clarify project and config files are placeholders. Signed-off-by: Spencer Schrock <[email protected]> * remove accidentally added whitespace Signed-off-by: Spencer Schrock <[email protected]> * clarify code change with comment. Signed-off-by: Spencer Schrock <[email protected]> * Minor edits. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Bump golang.org/x/tools from 0.7.0 to 0.8.0 (#2855) Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.7.0 to 0.8.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]> * 🌱 Bump codecov/codecov-action from 3.1.0 to 3.1.2 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.0 to 3.1.2. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@81cd2dc...40a12dc) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Avishay <[email protected]> * 📖 Fix broken links. (#2858) Signed-off-by: Yoo Chung <[email protected]> Signed-off-by: Avishay <[email protected]> * ✨ Detect fuzzing in Haskell by the presence of property tests. (#2843) * Add Haskell as a language. Signed-off-by: Yoo Chung <[email protected]> * Detect fuzzing in Haskell using presence of property-based testing. Signed-off-by: Yoo Chung <[email protected]> * Mention fuzzing detection for Haskell in documentation. Signed-off-by: Yoo Chung <[email protected]> * Fix pattern and test. Add test case. Signed-off-by: Yoo Chung <[email protected]> --------- Signed-off-by: Yoo Chung <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Unit tests for attestor policy (#2857) - Add tests for `GetRequiredChecksForPolicy` and `EvaluateResults` - Add checks for binary artifacts, vulnerabilities, unpinned dependencies, and code review [attestor/policy/attestation_policy_test.go] - Add `github.com/google/go-cmp/cmp` to imports - Add a test for `GetRequiredChecksForPolicy` - Add a test for `EvaluateResults` Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: Avishay <[email protected]> * 🌱 Bump github.com/xanzy/go-gitlab from 0.81.0 to 0.82.0 Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.81.0 to 0.82.0. - [Release notes](https://github.com/xanzy/go-gitlab/releases) - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.81.0...v0.82.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Avishay <[email protected]> * ✨ Use local files instead of search for SAST CodeQL check (#2839) * Look for codeQL action use with local files instead of search. Signed-off-by: Spencer Schrock <[email protected]> * Switch SAST mocks to using local file contents. Signed-off-by: Spencer Schrock <[email protected]> * Update e2e test Signed-off-by: Spencer Schrock <[email protected]> * Remove unneeded code. The tests deleted here were merged with another test in an earlier commit. Signed-off-by: Spencer Schrock <[email protected]> * update Signed-off-by: Spencer Schrock <[email protected]> * Add tests to get code coverage up. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Avishay <[email protected]> * .exe Signed-off-by: Avishay <[email protected]> * lint Signed-off-by: Avishay <[email protected]> * pr comments Signed-off-by: Avishay <[email protected]> --------- Signed-off-by: Avishay <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Azeem Shaikh <[email protected]> Signed-off-by: laurentsimon <[email protected]> Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: Yoo Chung <[email protected]> Signed-off-by: Avishay Balter <[email protected]> Co-authored-by: raghavkaul <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock <[email protected]> Co-authored-by: Azeem Shaikh <[email protected]> Co-authored-by: laurentsimon <[email protected]> Co-authored-by: Naveen <[email protected]> Co-authored-by: Yoo Chung <[email protected]> Co-authored-by: Yoo Chung <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce?
Adds GitLab support for the Security-Policy check. Also changes
Repo.Org()to align better with its named meaning.What is the new behavior (if this is a feature change)?**
Checks for Security policy file in the repo. Doesn't attempt to check for Org-level security policy (no equivalent to
.githubfolder in GitLab).GetOrganizationSecurityPolicyis exposed as a method of RepoClient.Does this PR introduce a user-facing change?