🌱 Bump github.com/goreleaser/goreleaser from 1.11.5 to 1.12.3 in /tools #2373

dependabot · 2022-10-20T14:21:36Z

Bumps github.com/goreleaser/goreleaser from 1.11.5 to 1.12.3.

Release notes

Sourced from github.com/goreleaser/goreleaser's releases.

v1.12.3

Changelog

This tag is only to keep version parity with the pro version, which does have a couple of bugfixes.

Full Changelog: goreleaser/goreleaser@v1.12.2...v1.12.3

What to do next?

Read the documentation

Check out the GoReleaser Pro distribution

Join our Discord server

Follow us on Twitter

v1.12.2

Changelog

Bug fixes

97ba9a7a394b1f05495722270c824c154ae44328: fix: licenses (@caarlos0)

eb9ad29d27ac718e27d3b89de208ebca1c333873: fix: unknown revision when installing with go install (@caarlos0)

Dependency updates

afdb8e7a49576cc74a21bbcdd0956438ff9b104f: fix(deps): update to go-github v48 (#3475) (@caarlos0)

Full Changelog: goreleaser/goreleaser@v1.12.1...v1.12.2

What to do next?

Read the documentation

Check out the GoReleaser Pro distribution

Join our Discord server

Follow us on Twitter

v1.12.1

Changelog

Bug fixes

f90df0f5ece7c239817f51b46df5b8b63fcf1f3a: fix: getting previous tag (@caarlos0)

Full Changelog: goreleaser/goreleaser@v1.12.0...v1.12.1

What to do next?

Read the documentation

Check out the GoReleaser Pro distribution

Join our Discord server

Follow us on Twitter

v1.12.0

... (truncated)

Commits

e27e6a9 chore: no changes
5df96cb chore: trigger docs
75effef fix: unknown revision when installing with go install (#3482)
097baac chore(deps): bump actions/setup-go from 3.3.0 to 3.3.1 (#3477)
a94d809 chore(deps): bump sigstore/cosign-installer from 2.8.0 to 2.8.1 (#3478)
7b1ce71 chore(deps): bump github/codeql-action from 2.1.27 to 2.1.28 (#3479)
97e9bc4 chore(deps): bump docker/setup-buildx-action from 2.2.0 to 2.2.1 (#3480)
afdb8e7 fix(deps): update to go-github v48 (#3475)
903713e chore(deps): bump docker/setup-buildx-action from 2.1.0 to 2.2.0 (#3474)
f90df0f fix: getting previous tag
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

codecov · 2022-10-20T14:59:51Z

Codecov Report

Merging #2373 (fad5797) into main (a45b506) will not change coverage.
The diff coverage is n/a.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2373   +/-   ##
=======================================
  Coverage   40.61%   40.61%           
=======================================
  Files         112      112           
  Lines        8831     8831           
=======================================
  Hits         3587     3587           
  Misses       4984     4984           
  Partials      260      260

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

github-actions · 2022-10-31T08:43:18Z

Integration tests success for
[fad5797]
(https://github.com/ossf/scorecard/actions/runs/3359735397)

dependabot · 2022-10-31T12:47:21Z

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump actions/dependency-review-action from 2.4.1 to 2.5.1 Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@9c96258...0efb1d1) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * commit_depth feature Signed-off-by: latortuga71 <[email protected]> * added more descriptive comments, changed numberofcommits variable name, moved paging for commits into seperate function. small changes Signed-off-by: latortuga71 <[email protected]> linter Signed-off-by: latortuga71 <[email protected]> * added unit tests Signed-off-by: latortuga71 <[email protected]> added test in e2e Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#2397) Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](spf13/cobra@v1.6.0...v1.6.1) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.1.6...v2.4.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0 Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.25.1 to 1.26.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@pubsub/v1.25.1...pubsub/v1.26.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0 Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.73.1 to 0.74.0. - [Release notes](https://github.com/xanzy/go-gitlab/releases) - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.73.1...v0.74.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (#2409) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.20.2...v1.23.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.1.6...v2.4.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/golangci/golangci-lint in /tools Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](golangci/golangci-lint@v1.50.0...v1.50.1) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (#2363) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.2.0. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@b953231...b508e2e) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/goreleaser/goreleaser in /tools (#2373) Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * ✨ CLI for scorecard-attestor (#2309) * Reorganize Signed-off-by: Raghav Kaul <[email protected]> * Working commit Signed-off-by: Raghav Kaul <[email protected]> * Compile with local scorecard; go mod tidy Signed-off-by: Raghav Kaul <[email protected]> * Add signing code Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go Signed-off-by: Raghav Kaul <[email protected]> * Update deps * Naming * Makefile Signed-off-by: Raghav Kaul <[email protected]> * Edit license, add lint.yml Signed-off-by: Raghav Kaul <[email protected]> * checks: go mod tidy, license Signed-off-by: Raghav Kaul <[email protected]> * Address PR comments * Split into checker/signer files * Naming convention Signed-off-by: Raghav Kaul <[email protected]> * License, remove golangci.yml Signed-off-by: Raghav Kaul <[email protected]> * Address PR comments * Use cobra Signed-off-by: Raghav Kaul <[email protected]> * Add tests for root command Signed-off-by: Raghav Kaul <[email protected]> * Filter out checks that aren't needed for policy evaluation Signed-off-by: Raghav Kaul <[email protected]> * Add `make` targets for attestor; submit coverage stats Signed-off-by: Raghav Kaul <[email protected]> * Improvements * Use sclog instead of glog * Remove unneeded subcommands * Formatting Signed-off-by: Raghav Kaul <[email protected]> * Flags: Make note-name constant and fix messaging Signed-off-by: Raghav Kaul <[email protected]> * Remove SupportedRequestTypes Signed-off-by: Raghav Kaul <[email protected]> * go mod tidy Signed-off-by: Raghav Kaul <[email protected]> * go mod tidy, makefile Signed-off-by: Raghav Kaul <[email protected]> * Fix GH actions run Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: latortuga71 <[email protected]> * fix workflow (#2417) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Bump scorecard-action (#2416) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Fail unit-test job if codecov upload fails (#2415) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Enable comparison for alternative isText implementation (#2414) * use more performant IsText Signed-off-by: Spencer Schrock <[email protected]> * AB test isText implementations Signed-off-by: Spencer Schrock <[email protected]> * Add comparison env var to release test. Signed-off-by: Spencer Schrock <[email protected]> * go mod tidy for attestor Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🐛 modify alternative isText to accept carriage returns (#2421) * modify IsText from golang.org/x/tools/godoc/util to accept carriage returns. Signed-off-by: Spencer Schrock <[email protected]> * add TODO reminder to cleanup after release tests Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/gomega from 1.23.0 to 1.24.0 Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.23.0 to 1.24.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.23.0...v1.24.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github/codeql-action from 2.1.29 to 2.1.30 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@ec3cf9c...18fe527) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * revert failing unit-test on ci error (#2422) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * ✨ Improved Security Policy Check (#2195) * ✨ Improved Security Policy Check (#2137) * Examines and awards points for linked content (URLs / Emails) * Examines and awards points for hints of disclosure and vulnerability practices * Examines and awards points for hints of elaboration of timelines Signed-off-by: Scott Hissam <[email protected]> * Repaired Security Policy to correctly use linked content length for evaluation Signed-off-by: Scott Hissam <[email protected]> * gofmt'ed changes Signed-off-by: Scott Hissam <[email protected]> * Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails Signed-off-by: Scott Hissam <[email protected]> * added unit test cases for the new content-based Security Policy checks Signed-off-by: Scott Hissam <[email protected]> * reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs Signed-off-by: Scott Hissam <[email protected]> * ✨ Improved Security Policy Check (#2137) (revisted based on comments) * replaced reason strings with log.Info & log.Warn (as seen in --show-details) * internal assertion check for nil (*pinfo) and empty pfile * internal switched to FileTypeText over FileTypeSource * internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file * revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type Signed-off-by: Scott Hissam <[email protected]> * revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly Signed-off-by: Scott Hissam <[email protected]> * revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly Signed-off-by: Scott Hissam <[email protected]> * revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly Signed-off-by: Scott Hissam <[email protected]> * Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number Signed-off-by: Scott Hissam <[email protected]> * Resolved merge conflict with checks.yaml Signed-off-by: Scott Hissam <[email protected]> * updated raw results to emit all the raw information for the new security policy check Signed-off-by: Scott Hissam <[email protected]> * Resolved merge conflicts and lint errors with json_raw_results.go Signed-off-by: Scott Hissam <[email protected]> * Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files. Signed-off-by: Scott Hissam <[email protected]> * Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files are found in the repo Signed-off-by: Scott Hissam <[email protected]> * added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code Signed-off-by: Scott Hissam <[email protected]> * Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment Signed-off-by: Scott Hissam <[email protected]> * restored reporting full security policy path and filename for policies found in the org level repos Signed-off-by: Scott Hissam <[email protected]> * Resolved conflicts in checks.yaml for documentation Signed-off-by: Scott Hissam <[email protected]> * ✨ CLI for scorecard-attestor (#2309) * Reorganize Signed-off-by: Raghav Kaul <[email protected]> * Working commit Signed-off-by: Raghav Kaul <[email protected]> * Compile with local scorecard; go mod tidy Signed-off-by: Raghav Kaul <[email protected]> * Add signing code Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go Signed-off-by: Raghav Kaul <[email protected]> * Update deps * Naming * Makefile Signed-off-by: Raghav Kaul <[email protected]> * Edit license, add lint.yml Signed-off-by: Raghav Kaul <[email protected]> * checks: go mod tidy, license Signed-off-by: Raghav Kaul <[email protected]> * Address PR comments * Split into checker/signer files * Naming convention Signed-off-by: Raghav Kaul <[email protected]> * License, remove golangci.yml Signed-off-by: Raghav Kaul <[email protected]> * Address PR comments * Use cobra Signed-off-by: Raghav Kaul <[email protected]> * Add tests for root command Signed-off-by: Raghav Kaul <[email protected]> * Filter out checks that aren't needed for policy evaluation Signed-off-by: Raghav Kaul <[email protected]> * Add `make` targets for attestor; submit coverage stats Signed-off-by: Raghav Kaul <[email protected]> * Improvements * Use sclog instead of glog * Remove unneeded subcommands * Formatting Signed-off-by: Raghav Kaul <[email protected]> * Flags: Make note-name constant and fix messaging Signed-off-by: Raghav Kaul <[email protected]> * Remove SupportedRequestTypes Signed-off-by: Raghav Kaul <[email protected]> * go mod tidy Signed-off-by: Raghav Kaul <[email protected]> * go mod tidy, makefile Signed-off-by: Raghav Kaul <[email protected]> * Fix GH actions run Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Scott Hissam <[email protected]> * removed whitespace before stanza for Run attestor e2e Signed-off-by: Scott Hissam <[email protected]> * resolved code review and doc review comments Signed-off-by: Scott Hissam <[email protected]> * repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines Signed-off-by: Scott Hissam <[email protected]> Signed-off-by: Scott Hissam <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github/codeql-action from 2.1.30 to 2.1.31 (#2431) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@18fe527...c3b6fce) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * enable more performant isText (#2433) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * modified tests,InitRepo Function, Added GetCommitDepth Function to Client Interface Signed-off-by: latortuga71 <[email protected]> * removed getcommitdepth function Signed-off-by: latortuga71 <[email protected]> * added TODO Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (#2436) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.4.0...v2.5.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.4.0...v2.5.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Code Review: treat merging a PR as code review (#2413) * Merges on Github count as a code review by the maintainer Signed-off-by: Raghav Kaul <[email protected]> * Update Raw Results * More detailed information for Changesets * If there's no Revision ID, use the Commit SHA instead Signed-off-by: Raghav Kaul <[email protected]> * Check that pull request had atleast one reviewer that wasn't its author * Add field for Pull Request Merged-By to Github and Gitlab * Note, this check can be bypassed if an author opens a PR with other people's commits Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Trivial: Fix typo (exepted -> expected) (#2440) Signed-off-by: Michael Scovetta <[email protected]> Signed-off-by: Michael Scovetta <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump step-security/harden-runner from 1.5.0 to 2.0.0 (#2443) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@2e205a2...ebacdc2) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 cron: support reading prefix from file for controller input files (7/n) (#2445) * add prefix marker file to config Signed-off-by: Spencer Schrock <[email protected]> * Read the new config values, if they exist. Signed-off-by: Spencer Schrock <[email protected]> * Add function to fetch prefix file config value. Signed-off-by: Spencer Schrock <[email protected]> * Read prefix file if prefix not set. Signed-off-by: Spencer Schrock <[email protected]> * Add tests to verify how List works with various prefixes Signed-off-by: Spencer Schrock <[email protected]> * Add tests for getPrefix Signed-off-by: Spencer Schrock <[email protected]> * Remove panics from iterator helper functions Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Detect SECURITY.markdown in addition to SECURITY.md (#2447) GitHub probably supports many more file extensions for Markdown files, but at the very least, `.md` and `.markdown` have been standardized in RFC 7763. Signed-off-by: favonia <[email protected]> Signed-off-by: favonia <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (#2430) Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 cron: expose the stackdriver prefix as a config variable so it can be changed. (#2446) * Expose the stackdriver prefix as a config variable so it can be changed. Signed-off-by: Caleb Brown <[email protected]> * fix linter warning Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Co-authored-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Only write to the rawBucket if the value exists. (#2451) Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (#2448) * 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.2.0...v0.3.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * bump attestor modules Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Move cron monitoring to a non-internal location. (#2453) This allows external workers (e.g. criticality_score) to use the same monitoring code. Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#2455) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@0efb1d1...30d5821) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (#2454) * Generalize the transfer logic so it is easy to build new transfer agents This change moves code that reads shards and produces summaries into the data package so that it can be reused to create new transfer agents, similar to the BigQuery transfer agent in cron/internal/bq. Signed-off-by: Caleb Brown <[email protected]> * Lint fix and commentary. Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/google/addlicense in /tools (#2459) Bumps [github.com/google/addlicense](https://github.com/google/addlicense) from 1.0.0 to 1.1.0. - [Release notes](https://github.com/google/addlicense/releases) - [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml) - [Commits](google/addlicense@v1.0.0...v1.1.0) --- updated-dependencies: - dependency-name: github.com/google/addlicense dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/google/go-containerregistry Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.0 to 0.12.1. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](google/go-containerregistry@v0.12.0...v0.12.1) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * go mod tidy Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Added <= instead of == incase negative int is passed Signed-off-by: latortuga71 <[email protected]> * missed test fix Signed-off-by: latortuga71 <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Scott Hissam <[email protected]> Signed-off-by: Michael Scovetta <[email protected]> Signed-off-by: favonia <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Latortuga <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: raghavkaul <[email protected]> Co-authored-by: Spencer Schrock <[email protected]> Co-authored-by: scott hissam <[email protected]> Co-authored-by: Michael Scovetta <[email protected]> Co-authored-by: favonia <[email protected]> Co-authored-by: Caleb Brown <[email protected]>

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: nathaniel.wert <[email protected]>

* 🌱 Bump actions/dependency-review-action from 2.4.1 to 2.5.1 Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@9c96258...0efb1d1) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * commit_depth feature Signed-off-by: latortuga71 <[email protected]> * added more descriptive comments, changed numberofcommits variable name, moved paging for commits into seperate function. small changes Signed-off-by: latortuga71 <[email protected]> linter Signed-off-by: latortuga71 <[email protected]> * added unit tests Signed-off-by: latortuga71 <[email protected]> added test in e2e Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (ossf#2397) Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](spf13/cobra@v1.6.0...v1.6.1) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.1.6...v2.4.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0 Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.25.1 to 1.26.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@pubsub/v1.25.1...pubsub/v1.26.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0 Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.73.1 to 0.74.0. - [Release notes](https://github.com/xanzy/go-gitlab/releases) - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.73.1...v0.74.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (ossf#2409) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.20.2...v1.23.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.1.6...v2.4.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/golangci/golangci-lint in /tools Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](golangci/golangci-lint@v1.50.0...v1.50.1) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (ossf#2363) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.2.0. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@b953231...b508e2e) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/goreleaser/goreleaser in /tools (ossf#2373) Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * ✨ CLI for scorecard-attestor (ossf#2309) * Reorganize Signed-off-by: Raghav Kaul <[email protected]> * Working commit Signed-off-by: Raghav Kaul <[email protected]> * Compile with local scorecard; go mod tidy Signed-off-by: Raghav Kaul <[email protected]> * Add signing code Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go Signed-off-by: Raghav Kaul <[email protected]> * Update deps * Naming * Makefile Signed-off-by: Raghav Kaul <[email protected]> * Edit license, add lint.yml Signed-off-by: Raghav Kaul <[email protected]> * checks: go mod tidy, license Signed-off-by: Raghav Kaul <[email protected]> * Address PR comments * Split into checker/signer files * Naming convention Signed-off-by: Raghav Kaul <[email protected]> * License, remove golangci.yml Signed-off-by: Raghav Kaul <[email protected]> * Address PR comments * Use cobra Signed-off-by: Raghav Kaul <[email protected]> * Add tests for root command Signed-off-by: Raghav Kaul <[email protected]> * Filter out checks that aren't needed for policy evaluation Signed-off-by: Raghav Kaul <[email protected]> * Add `make` targets for attestor; submit coverage stats Signed-off-by: Raghav Kaul <[email protected]> * Improvements * Use sclog instead of glog * Remove unneeded subcommands * Formatting Signed-off-by: Raghav Kaul <[email protected]> * Flags: Make note-name constant and fix messaging Signed-off-by: Raghav Kaul <[email protected]> * Remove SupportedRequestTypes Signed-off-by: Raghav Kaul <[email protected]> * go mod tidy Signed-off-by: Raghav Kaul <[email protected]> * go mod tidy, makefile Signed-off-by: Raghav Kaul <[email protected]> * Fix GH actions run Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: latortuga71 <[email protected]> * fix workflow (ossf#2417) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Bump scorecard-action (ossf#2416) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Fail unit-test job if codecov upload fails (ossf#2415) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Enable comparison for alternative isText implementation (ossf#2414) * use more performant IsText Signed-off-by: Spencer Schrock <[email protected]> * AB test isText implementations Signed-off-by: Spencer Schrock <[email protected]> * Add comparison env var to release test. Signed-off-by: Spencer Schrock <[email protected]> * go mod tidy for attestor Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🐛 modify alternative isText to accept carriage returns (ossf#2421) * modify IsText from golang.org/x/tools/godoc/util to accept carriage returns. Signed-off-by: Spencer Schrock <[email protected]> * add TODO reminder to cleanup after release tests Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/gomega from 1.23.0 to 1.24.0 Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.23.0 to 1.24.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.23.0...v1.24.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github/codeql-action from 2.1.29 to 2.1.30 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@ec3cf9c...18fe527) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * revert failing unit-test on ci error (ossf#2422) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * ✨ Improved Security Policy Check (ossf#2195) * ✨ Improved Security Policy Check (ossf#2137) * Examines and awards points for linked content (URLs / Emails) * Examines and awards points for hints of disclosure and vulnerability practices * Examines and awards points for hints of elaboration of timelines Signed-off-by: Scott Hissam <[email protected]> * Repaired Security Policy to correctly use linked content length for evaluation Signed-off-by: Scott Hissam <[email protected]> * gofmt'ed changes Signed-off-by: Scott Hissam <[email protected]> * Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails Signed-off-by: Scott Hissam <[email protected]> * added unit test cases for the new content-based Security Policy checks Signed-off-by: Scott Hissam <[email protected]> * reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs Signed-off-by: Scott Hissam <[email protected]> * ✨ Improved Security Policy Check (ossf#2137) (revisted based on comments) * replaced reason strings with log.Info & log.Warn (as seen in --show-details) * internal assertion check for nil (*pinfo) and empty pfile * internal switched to FileTypeText over FileTypeSource * internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file * revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type Signed-off-by: Scott Hissam <[email protected]> * revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly Signed-off-by: Scott Hissam <[email protected]> * revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly Signed-off-by: Scott Hissam <[email protected]> * revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly Signed-off-by: Scott Hissam <[email protected]> * Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number Signed-off-by: Scott Hissam <[email protected]> * Resolved merge conflict with checks.yaml Signed-off-by: Scott Hissam <[email protected]> * updated raw results to emit all the raw information for the new security policy check Signed-off-by: Scott Hissam <[email protected]> * Resolved merge conflicts and lint errors with json_raw_results.go Signed-off-by: Scott Hissam <[email protected]> * Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files. Signed-off-by: Scott Hissam <[email protected]> * Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files are found in the repo Signed-off-by: Scott Hissam <[email protected]> * added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code Signed-off-by: Scott Hissam <[email protected]> * Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment Signed-off-by: Scott Hissam <[email protected]> * restored reporting full security policy path and filename for policies found in the org level repos Signed-off-by: Scott Hissam <[email protected]> * Resolved conflicts in checks.yaml for documentation Signed-off-by: Scott Hissam <[email protected]> * ✨ CLI for scorecard-attestor (ossf#2309) * Reorganize Signed-off-by: Raghav Kaul <[email protected]> * Working commit Signed-off-by: Raghav Kaul <[email protected]> * Compile with local scorecard; go mod tidy Signed-off-by: Raghav Kaul <[email protected]> * Add signing code Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go Signed-off-by: Raghav Kaul <[email protected]> * Update deps * Naming * Makefile Signed-off-by: Raghav Kaul <[email protected]> * Edit license, add lint.yml Signed-off-by: Raghav Kaul <[email protected]> * checks: go mod tidy, license Signed-off-by: Raghav Kaul <[email protected]> * Address PR comments * Split into checker/signer files * Naming convention Signed-off-by: Raghav Kaul <[email protected]> * License, remove golangci.yml Signed-off-by: Raghav Kaul <[email protected]> * Address PR comments * Use cobra Signed-off-by: Raghav Kaul <[email protected]> * Add tests for root command Signed-off-by: Raghav Kaul <[email protected]> * Filter out checks that aren't needed for policy evaluation Signed-off-by: Raghav Kaul <[email protected]> * Add `make` targets for attestor; submit coverage stats Signed-off-by: Raghav Kaul <[email protected]> * Improvements * Use sclog instead of glog * Remove unneeded subcommands * Formatting Signed-off-by: Raghav Kaul <[email protected]> * Flags: Make note-name constant and fix messaging Signed-off-by: Raghav Kaul <[email protected]> * Remove SupportedRequestTypes Signed-off-by: Raghav Kaul <[email protected]> * go mod tidy Signed-off-by: Raghav Kaul <[email protected]> * go mod tidy, makefile Signed-off-by: Raghav Kaul <[email protected]> * Fix GH actions run Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Scott Hissam <[email protected]> * removed whitespace before stanza for Run attestor e2e Signed-off-by: Scott Hissam <[email protected]> * resolved code review and doc review comments Signed-off-by: Scott Hissam <[email protected]> * repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines Signed-off-by: Scott Hissam <[email protected]> Signed-off-by: Scott Hissam <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github/codeql-action from 2.1.30 to 2.1.31 (ossf#2431) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@18fe527...c3b6fce) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * enable more performant isText (ossf#2433) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * modified tests,InitRepo Function, Added GetCommitDepth Function to Client Interface Signed-off-by: latortuga71 <[email protected]> * removed getcommitdepth function Signed-off-by: latortuga71 <[email protected]> * added TODO Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (ossf#2436) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.4.0...v2.5.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.4.0...v2.5.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Code Review: treat merging a PR as code review (ossf#2413) * Merges on Github count as a code review by the maintainer Signed-off-by: Raghav Kaul <[email protected]> * Update Raw Results * More detailed information for Changesets * If there's no Revision ID, use the Commit SHA instead Signed-off-by: Raghav Kaul <[email protected]> * Check that pull request had atleast one reviewer that wasn't its author * Add field for Pull Request Merged-By to Github and Gitlab * Note, this check can be bypassed if an author opens a PR with other people's commits Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Trivial: Fix typo (exepted -> expected) (ossf#2440) Signed-off-by: Michael Scovetta <[email protected]> Signed-off-by: Michael Scovetta <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump step-security/harden-runner from 1.5.0 to 2.0.0 (ossf#2443) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@2e205a2...ebacdc2) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 cron: support reading prefix from file for controller input files (7/n) (ossf#2445) * add prefix marker file to config Signed-off-by: Spencer Schrock <[email protected]> * Read the new config values, if they exist. Signed-off-by: Spencer Schrock <[email protected]> * Add function to fetch prefix file config value. Signed-off-by: Spencer Schrock <[email protected]> * Read prefix file if prefix not set. Signed-off-by: Spencer Schrock <[email protected]> * Add tests to verify how List works with various prefixes Signed-off-by: Spencer Schrock <[email protected]> * Add tests for getPrefix Signed-off-by: Spencer Schrock <[email protected]> * Remove panics from iterator helper functions Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Detect SECURITY.markdown in addition to SECURITY.md (ossf#2447) GitHub probably supports many more file extensions for Markdown files, but at the very least, `.md` and `.markdown` have been standardized in RFC 7763. Signed-off-by: favonia <[email protected]> Signed-off-by: favonia <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (ossf#2430) Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 cron: expose the stackdriver prefix as a config variable so it can be changed. (ossf#2446) * Expose the stackdriver prefix as a config variable so it can be changed. Signed-off-by: Caleb Brown <[email protected]> * fix linter warning Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Co-authored-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Only write to the rawBucket if the value exists. (ossf#2451) Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (ossf#2448) * 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.2.0...v0.3.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * bump attestor modules Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Move cron monitoring to a non-internal location. (ossf#2453) This allows external workers (e.g. criticality_score) to use the same monitoring code. Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (ossf#2455) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@0efb1d1...30d5821) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (ossf#2454) * Generalize the transfer logic so it is easy to build new transfer agents This change moves code that reads shards and produces summaries into the data package so that it can be reused to create new transfer agents, similar to the BigQuery transfer agent in cron/internal/bq. Signed-off-by: Caleb Brown <[email protected]> * Lint fix and commentary. Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/google/addlicense in /tools (ossf#2459) Bumps [github.com/google/addlicense](https://github.com/google/addlicense) from 1.0.0 to 1.1.0. - [Release notes](https://github.com/google/addlicense/releases) - [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml) - [Commits](google/addlicense@v1.0.0...v1.1.0) --- updated-dependencies: - dependency-name: github.com/google/addlicense dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/google/go-containerregistry Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.0 to 0.12.1. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](google/go-containerregistry@v0.12.0...v0.12.1) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * go mod tidy Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Added <= instead of == incase negative int is passed Signed-off-by: latortuga71 <[email protected]> * missed test fix Signed-off-by: latortuga71 <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Scott Hissam <[email protected]> Signed-off-by: Michael Scovetta <[email protected]> Signed-off-by: favonia <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Latortuga <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: raghavkaul <[email protected]> Co-authored-by: Spencer Schrock <[email protected]> Co-authored-by: scott hissam <[email protected]> Co-authored-by: Michael Scovetta <[email protected]> Co-authored-by: favonia <[email protected]> Co-authored-by: Caleb Brown <[email protected]>

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: nathaniel.wert <[email protected]>

* 🌱 Bump actions/dependency-review-action from 2.4.1 to 2.5.1 Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@9c96258...0efb1d1) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * commit_depth feature Signed-off-by: latortuga71 <[email protected]> * added more descriptive comments, changed numberofcommits variable name, moved paging for commits into seperate function. small changes Signed-off-by: latortuga71 <[email protected]> linter Signed-off-by: latortuga71 <[email protected]> * added unit tests Signed-off-by: latortuga71 <[email protected]> added test in e2e Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (ossf#2397) Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](spf13/cobra@v1.6.0...v1.6.1) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.1.6...v2.4.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0 Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.25.1 to 1.26.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@pubsub/v1.25.1...pubsub/v1.26.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0 Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.73.1 to 0.74.0. - [Release notes](https://github.com/xanzy/go-gitlab/releases) - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.73.1...v0.74.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (ossf#2409) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.20.2...v1.23.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.1.6...v2.4.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/golangci/golangci-lint in /tools Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](golangci/golangci-lint@v1.50.0...v1.50.1) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (ossf#2363) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.2.0. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@b953231...b508e2e) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/goreleaser/goreleaser in /tools (ossf#2373) Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * ✨ CLI for scorecard-attestor (ossf#2309) * Reorganize Signed-off-by: Raghav Kaul <[email protected]> * Working commit Signed-off-by: Raghav Kaul <[email protected]> * Compile with local scorecard; go mod tidy Signed-off-by: Raghav Kaul <[email protected]> * Add signing code Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go Signed-off-by: Raghav Kaul <[email protected]> * Update deps * Naming * Makefile Signed-off-by: Raghav Kaul <[email protected]> * Edit license, add lint.yml Signed-off-by: Raghav Kaul <[email protected]> * checks: go mod tidy, license Signed-off-by: Raghav Kaul <[email protected]> * Address PR comments * Split into checker/signer files * Naming convention Signed-off-by: Raghav Kaul <[email protected]> * License, remove golangci.yml Signed-off-by: Raghav Kaul <[email protected]> * Address PR comments * Use cobra Signed-off-by: Raghav Kaul <[email protected]> * Add tests for root command Signed-off-by: Raghav Kaul <[email protected]> * Filter out checks that aren't needed for policy evaluation Signed-off-by: Raghav Kaul <[email protected]> * Add `make` targets for attestor; submit coverage stats Signed-off-by: Raghav Kaul <[email protected]> * Improvements * Use sclog instead of glog * Remove unneeded subcommands * Formatting Signed-off-by: Raghav Kaul <[email protected]> * Flags: Make note-name constant and fix messaging Signed-off-by: Raghav Kaul <[email protected]> * Remove SupportedRequestTypes Signed-off-by: Raghav Kaul <[email protected]> * go mod tidy Signed-off-by: Raghav Kaul <[email protected]> * go mod tidy, makefile Signed-off-by: Raghav Kaul <[email protected]> * Fix GH actions run Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: latortuga71 <[email protected]> * fix workflow (ossf#2417) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Bump scorecard-action (ossf#2416) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Fail unit-test job if codecov upload fails (ossf#2415) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Enable comparison for alternative isText implementation (ossf#2414) * use more performant IsText Signed-off-by: Spencer Schrock <[email protected]> * AB test isText implementations Signed-off-by: Spencer Schrock <[email protected]> * Add comparison env var to release test. Signed-off-by: Spencer Schrock <[email protected]> * go mod tidy for attestor Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🐛 modify alternative isText to accept carriage returns (ossf#2421) * modify IsText from golang.org/x/tools/godoc/util to accept carriage returns. Signed-off-by: Spencer Schrock <[email protected]> * add TODO reminder to cleanup after release tests Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/gomega from 1.23.0 to 1.24.0 Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.23.0 to 1.24.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.23.0...v1.24.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github/codeql-action from 2.1.29 to 2.1.30 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@ec3cf9c...18fe527) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * revert failing unit-test on ci error (ossf#2422) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * ✨ Improved Security Policy Check (ossf#2195) * ✨ Improved Security Policy Check (ossf#2137) * Examines and awards points for linked content (URLs / Emails) * Examines and awards points for hints of disclosure and vulnerability practices * Examines and awards points for hints of elaboration of timelines Signed-off-by: Scott Hissam <[email protected]> * Repaired Security Policy to correctly use linked content length for evaluation Signed-off-by: Scott Hissam <[email protected]> * gofmt'ed changes Signed-off-by: Scott Hissam <[email protected]> * Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails Signed-off-by: Scott Hissam <[email protected]> * added unit test cases for the new content-based Security Policy checks Signed-off-by: Scott Hissam <[email protected]> * reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs Signed-off-by: Scott Hissam <[email protected]> * ✨ Improved Security Policy Check (ossf#2137) (revisted based on comments) * replaced reason strings with log.Info & log.Warn (as seen in --show-details) * internal assertion check for nil (*pinfo) and empty pfile * internal switched to FileTypeText over FileTypeSource * internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file * revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type Signed-off-by: Scott Hissam <[email protected]> * revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly Signed-off-by: Scott Hissam <[email protected]> * revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly Signed-off-by: Scott Hissam <[email protected]> * revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly Signed-off-by: Scott Hissam <[email protected]> * Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number Signed-off-by: Scott Hissam <[email protected]> * Resolved merge conflict with checks.yaml Signed-off-by: Scott Hissam <[email protected]> * updated raw results to emit all the raw information for the new security policy check Signed-off-by: Scott Hissam <[email protected]> * Resolved merge conflicts and lint errors with json_raw_results.go Signed-off-by: Scott Hissam <[email protected]> * Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files. Signed-off-by: Scott Hissam <[email protected]> * Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files are found in the repo Signed-off-by: Scott Hissam <[email protected]> * added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code Signed-off-by: Scott Hissam <[email protected]> * Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment Signed-off-by: Scott Hissam <[email protected]> * restored reporting full security policy path and filename for policies found in the org level repos Signed-off-by: Scott Hissam <[email protected]> * Resolved conflicts in checks.yaml for documentation Signed-off-by: Scott Hissam <[email protected]> * ✨ CLI for scorecard-attestor (ossf#2309) * Reorganize Signed-off-by: Raghav Kaul <[email protected]> * Working commit Signed-off-by: Raghav Kaul <[email protected]> * Compile with local scorecard; go mod tidy Signed-off-by: Raghav Kaul <[email protected]> * Add signing code Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go Signed-off-by: Raghav Kaul <[email protected]> * Update deps * Naming * Makefile Signed-off-by: Raghav Kaul <[email protected]> * Edit license, add lint.yml Signed-off-by: Raghav Kaul <[email protected]> * checks: go mod tidy, license Signed-off-by: Raghav Kaul <[email protected]> * Address PR comments * Split into checker/signer files * Naming convention Signed-off-by: Raghav Kaul <[email protected]> * License, remove golangci.yml Signed-off-by: Raghav Kaul <[email protected]> * Address PR comments * Use cobra Signed-off-by: Raghav Kaul <[email protected]> * Add tests for root command Signed-off-by: Raghav Kaul <[email protected]> * Filter out checks that aren't needed for policy evaluation Signed-off-by: Raghav Kaul <[email protected]> * Add `make` targets for attestor; submit coverage stats Signed-off-by: Raghav Kaul <[email protected]> * Improvements * Use sclog instead of glog * Remove unneeded subcommands * Formatting Signed-off-by: Raghav Kaul <[email protected]> * Flags: Make note-name constant and fix messaging Signed-off-by: Raghav Kaul <[email protected]> * Remove SupportedRequestTypes Signed-off-by: Raghav Kaul <[email protected]> * go mod tidy Signed-off-by: Raghav Kaul <[email protected]> * go mod tidy, makefile Signed-off-by: Raghav Kaul <[email protected]> * Fix GH actions run Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Scott Hissam <[email protected]> * removed whitespace before stanza for Run attestor e2e Signed-off-by: Scott Hissam <[email protected]> * resolved code review and doc review comments Signed-off-by: Scott Hissam <[email protected]> * repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines Signed-off-by: Scott Hissam <[email protected]> Signed-off-by: Scott Hissam <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github/codeql-action from 2.1.30 to 2.1.31 (ossf#2431) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@18fe527...c3b6fce) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * enable more performant isText (ossf#2433) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * modified tests,InitRepo Function, Added GetCommitDepth Function to Client Interface Signed-off-by: latortuga71 <[email protected]> * removed getcommitdepth function Signed-off-by: latortuga71 <[email protected]> * added TODO Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (ossf#2436) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.4.0...v2.5.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.4.0...v2.5.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Code Review: treat merging a PR as code review (ossf#2413) * Merges on Github count as a code review by the maintainer Signed-off-by: Raghav Kaul <[email protected]> * Update Raw Results * More detailed information for Changesets * If there's no Revision ID, use the Commit SHA instead Signed-off-by: Raghav Kaul <[email protected]> * Check that pull request had atleast one reviewer that wasn't its author * Add field for Pull Request Merged-By to Github and Gitlab * Note, this check can be bypassed if an author opens a PR with other people's commits Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Trivial: Fix typo (exepted -> expected) (ossf#2440) Signed-off-by: Michael Scovetta <[email protected]> Signed-off-by: Michael Scovetta <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump step-security/harden-runner from 1.5.0 to 2.0.0 (ossf#2443) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@2e205a2...ebacdc2) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 cron: support reading prefix from file for controller input files (7/n) (ossf#2445) * add prefix marker file to config Signed-off-by: Spencer Schrock <[email protected]> * Read the new config values, if they exist. Signed-off-by: Spencer Schrock <[email protected]> * Add function to fetch prefix file config value. Signed-off-by: Spencer Schrock <[email protected]> * Read prefix file if prefix not set. Signed-off-by: Spencer Schrock <[email protected]> * Add tests to verify how List works with various prefixes Signed-off-by: Spencer Schrock <[email protected]> * Add tests for getPrefix Signed-off-by: Spencer Schrock <[email protected]> * Remove panics from iterator helper functions Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Detect SECURITY.markdown in addition to SECURITY.md (ossf#2447) GitHub probably supports many more file extensions for Markdown files, but at the very least, `.md` and `.markdown` have been standardized in RFC 7763. Signed-off-by: favonia <[email protected]> Signed-off-by: favonia <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (ossf#2430) Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 cron: expose the stackdriver prefix as a config variable so it can be changed. (ossf#2446) * Expose the stackdriver prefix as a config variable so it can be changed. Signed-off-by: Caleb Brown <[email protected]> * fix linter warning Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Co-authored-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Only write to the rawBucket if the value exists. (ossf#2451) Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (ossf#2448) * 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.2.0...v0.3.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * bump attestor modules Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Move cron monitoring to a non-internal location. (ossf#2453) This allows external workers (e.g. criticality_score) to use the same monitoring code. Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (ossf#2455) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@0efb1d1...30d5821) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (ossf#2454) * Generalize the transfer logic so it is easy to build new transfer agents This change moves code that reads shards and produces summaries into the data package so that it can be reused to create new transfer agents, similar to the BigQuery transfer agent in cron/internal/bq. Signed-off-by: Caleb Brown <[email protected]> * Lint fix and commentary. Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/google/addlicense in /tools (ossf#2459) Bumps [github.com/google/addlicense](https://github.com/google/addlicense) from 1.0.0 to 1.1.0. - [Release notes](https://github.com/google/addlicense/releases) - [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml) - [Commits](google/addlicense@v1.0.0...v1.1.0) --- updated-dependencies: - dependency-name: github.com/google/addlicense dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/google/go-containerregistry Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.0 to 0.12.1. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](google/go-containerregistry@v0.12.0...v0.12.1) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * go mod tidy Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Added <= instead of == incase negative int is passed Signed-off-by: latortuga71 <[email protected]> * missed test fix Signed-off-by: latortuga71 <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Scott Hissam <[email protected]> Signed-off-by: Michael Scovetta <[email protected]> Signed-off-by: favonia <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Latortuga <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: raghavkaul <[email protected]> Co-authored-by: Spencer Schrock <[email protected]> Co-authored-by: scott hissam <[email protected]> Co-authored-by: Michael Scovetta <[email protected]> Co-authored-by: favonia <[email protected]> Co-authored-by: Caleb Brown <[email protected]> Signed-off-by: nathaniel.wert <[email protected]>

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* 🌱 Bump actions/dependency-review-action from 2.4.1 to 2.5.1 Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@9c96258...0efb1d1) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * commit_depth feature Signed-off-by: latortuga71 <[email protected]> * added more descriptive comments, changed numberofcommits variable name, moved paging for commits into seperate function. small changes Signed-off-by: latortuga71 <[email protected]> linter Signed-off-by: latortuga71 <[email protected]> * added unit tests Signed-off-by: latortuga71 <[email protected]> added test in e2e Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (ossf#2397) Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](spf13/cobra@v1.6.0...v1.6.1) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.1.6...v2.4.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0 Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.25.1 to 1.26.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@pubsub/v1.25.1...pubsub/v1.26.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0 Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.73.1 to 0.74.0. - [Release notes](https://github.com/xanzy/go-gitlab/releases) - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.73.1...v0.74.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (ossf#2409) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.20.2...v1.23.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.1.6...v2.4.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/golangci/golangci-lint in /tools Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](golangci/golangci-lint@v1.50.0...v1.50.1) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (ossf#2363) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.2.0. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@b953231...b508e2e) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/goreleaser/goreleaser in /tools (ossf#2373) Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * ✨ CLI for scorecard-attestor (ossf#2309) * Reorganize Signed-off-by: Raghav Kaul <[email protected]> * Working commit Signed-off-by: Raghav Kaul <[email protected]> * Compile with local scorecard; go mod tidy Signed-off-by: Raghav Kaul <[email protected]> * Add signing code Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go Signed-off-by: Raghav Kaul <[email protected]> * Update deps * Naming * Makefile Signed-off-by: Raghav Kaul <[email protected]> * Edit license, add lint.yml Signed-off-by: Raghav Kaul <[email protected]> * checks: go mod tidy, license Signed-off-by: Raghav Kaul <[email protected]> * Address PR comments * Split into checker/signer files * Naming convention Signed-off-by: Raghav Kaul <[email protected]> * License, remove golangci.yml Signed-off-by: Raghav Kaul <[email protected]> * Address PR comments * Use cobra Signed-off-by: Raghav Kaul <[email protected]> * Add tests for root command Signed-off-by: Raghav Kaul <[email protected]> * Filter out checks that aren't needed for policy evaluation Signed-off-by: Raghav Kaul <[email protected]> * Add `make` targets for attestor; submit coverage stats Signed-off-by: Raghav Kaul <[email protected]> * Improvements * Use sclog instead of glog * Remove unneeded subcommands * Formatting Signed-off-by: Raghav Kaul <[email protected]> * Flags: Make note-name constant and fix messaging Signed-off-by: Raghav Kaul <[email protected]> * Remove SupportedRequestTypes Signed-off-by: Raghav Kaul <[email protected]> * go mod tidy Signed-off-by: Raghav Kaul <[email protected]> * go mod tidy, makefile Signed-off-by: Raghav Kaul <[email protected]> * Fix GH actions run Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: latortuga71 <[email protected]> * fix workflow (ossf#2417) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Bump scorecard-action (ossf#2416) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Fail unit-test job if codecov upload fails (ossf#2415) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Enable comparison for alternative isText implementation (ossf#2414) * use more performant IsText Signed-off-by: Spencer Schrock <[email protected]> * AB test isText implementations Signed-off-by: Spencer Schrock <[email protected]> * Add comparison env var to release test. Signed-off-by: Spencer Schrock <[email protected]> * go mod tidy for attestor Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🐛 modify alternative isText to accept carriage returns (ossf#2421) * modify IsText from golang.org/x/tools/godoc/util to accept carriage returns. Signed-off-by: Spencer Schrock <[email protected]> * add TODO reminder to cleanup after release tests Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/gomega from 1.23.0 to 1.24.0 Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.23.0 to 1.24.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.23.0...v1.24.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github/codeql-action from 2.1.29 to 2.1.30 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@ec3cf9c...18fe527) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * revert failing unit-test on ci error (ossf#2422) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * ✨ Improved Security Policy Check (ossf#2195) * ✨ Improved Security Policy Check (ossf#2137) * Examines and awards points for linked content (URLs / Emails) * Examines and awards points for hints of disclosure and vulnerability practices * Examines and awards points for hints of elaboration of timelines Signed-off-by: Scott Hissam <[email protected]> * Repaired Security Policy to correctly use linked content length for evaluation Signed-off-by: Scott Hissam <[email protected]> * gofmt'ed changes Signed-off-by: Scott Hissam <[email protected]> * Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails Signed-off-by: Scott Hissam <[email protected]> * added unit test cases for the new content-based Security Policy checks Signed-off-by: Scott Hissam <[email protected]> * reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs Signed-off-by: Scott Hissam <[email protected]> * ✨ Improved Security Policy Check (ossf#2137) (revisted based on comments) * replaced reason strings with log.Info & log.Warn (as seen in --show-details) * internal assertion check for nil (*pinfo) and empty pfile * internal switched to FileTypeText over FileTypeSource * internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file * revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type Signed-off-by: Scott Hissam <[email protected]> * revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly Signed-off-by: Scott Hissam <[email protected]> * revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly Signed-off-by: Scott Hissam <[email protected]> * revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly Signed-off-by: Scott Hissam <[email protected]> * Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number Signed-off-by: Scott Hissam <[email protected]> * Resolved merge conflict with checks.yaml Signed-off-by: Scott Hissam <[email protected]> * updated raw results to emit all the raw information for the new security policy check Signed-off-by: Scott Hissam <[email protected]> * Resolved merge conflicts and lint errors with json_raw_results.go Signed-off-by: Scott Hissam <[email protected]> * Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files. Signed-off-by: Scott Hissam <[email protected]> * Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files are found in the repo Signed-off-by: Scott Hissam <[email protected]> * added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code Signed-off-by: Scott Hissam <[email protected]> * Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment Signed-off-by: Scott Hissam <[email protected]> * restored reporting full security policy path and filename for policies found in the org level repos Signed-off-by: Scott Hissam <[email protected]> * Resolved conflicts in checks.yaml for documentation Signed-off-by: Scott Hissam <[email protected]> * ✨ CLI for scorecard-attestor (ossf#2309) * Reorganize Signed-off-by: Raghav Kaul <[email protected]> * Working commit Signed-off-by: Raghav Kaul <[email protected]> * Compile with local scorecard; go mod tidy Signed-off-by: Raghav Kaul <[email protected]> * Add signing code Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go Signed-off-by: Raghav Kaul <[email protected]> * Update deps * Naming * Makefile Signed-off-by: Raghav Kaul <[email protected]> * Edit license, add lint.yml Signed-off-by: Raghav Kaul <[email protected]> * checks: go mod tidy, license Signed-off-by: Raghav Kaul <[email protected]> * Address PR comments * Split into checker/signer files * Naming convention Signed-off-by: Raghav Kaul <[email protected]> * License, remove golangci.yml Signed-off-by: Raghav Kaul <[email protected]> * Address PR comments * Use cobra Signed-off-by: Raghav Kaul <[email protected]> * Add tests for root command Signed-off-by: Raghav Kaul <[email protected]> * Filter out checks that aren't needed for policy evaluation Signed-off-by: Raghav Kaul <[email protected]> * Add `make` targets for attestor; submit coverage stats Signed-off-by: Raghav Kaul <[email protected]> * Improvements * Use sclog instead of glog * Remove unneeded subcommands * Formatting Signed-off-by: Raghav Kaul <[email protected]> * Flags: Make note-name constant and fix messaging Signed-off-by: Raghav Kaul <[email protected]> * Remove SupportedRequestTypes Signed-off-by: Raghav Kaul <[email protected]> * go mod tidy Signed-off-by: Raghav Kaul <[email protected]> * go mod tidy, makefile Signed-off-by: Raghav Kaul <[email protected]> * Fix GH actions run Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Scott Hissam <[email protected]> * removed whitespace before stanza for Run attestor e2e Signed-off-by: Scott Hissam <[email protected]> * resolved code review and doc review comments Signed-off-by: Scott Hissam <[email protected]> * repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines Signed-off-by: Scott Hissam <[email protected]> Signed-off-by: Scott Hissam <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github/codeql-action from 2.1.30 to 2.1.31 (ossf#2431) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@18fe527...c3b6fce) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * enable more performant isText (ossf#2433) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * modified tests,InitRepo Function, Added GetCommitDepth Function to Client Interface Signed-off-by: latortuga71 <[email protected]> * removed getcommitdepth function Signed-off-by: latortuga71 <[email protected]> * added TODO Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (ossf#2436) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.4.0...v2.5.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.4.0...v2.5.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Code Review: treat merging a PR as code review (ossf#2413) * Merges on Github count as a code review by the maintainer Signed-off-by: Raghav Kaul <[email protected]> * Update Raw Results * More detailed information for Changesets * If there's no Revision ID, use the Commit SHA instead Signed-off-by: Raghav Kaul <[email protected]> * Check that pull request had atleast one reviewer that wasn't its author * Add field for Pull Request Merged-By to Github and Gitlab * Note, this check can be bypassed if an author opens a PR with other people's commits Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Trivial: Fix typo (exepted -> expected) (ossf#2440) Signed-off-by: Michael Scovetta <[email protected]> Signed-off-by: Michael Scovetta <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump step-security/harden-runner from 1.5.0 to 2.0.0 (ossf#2443) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@2e205a2...ebacdc2) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 cron: support reading prefix from file for controller input files (7/n) (ossf#2445) * add prefix marker file to config Signed-off-by: Spencer Schrock <[email protected]> * Read the new config values, if they exist. Signed-off-by: Spencer Schrock <[email protected]> * Add function to fetch prefix file config value. Signed-off-by: Spencer Schrock <[email protected]> * Read prefix file if prefix not set. Signed-off-by: Spencer Schrock <[email protected]> * Add tests to verify how List works with various prefixes Signed-off-by: Spencer Schrock <[email protected]> * Add tests for getPrefix Signed-off-by: Spencer Schrock <[email protected]> * Remove panics from iterator helper functions Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Detect SECURITY.markdown in addition to SECURITY.md (ossf#2447) GitHub probably supports many more file extensions for Markdown files, but at the very least, `.md` and `.markdown` have been standardized in RFC 7763. Signed-off-by: favonia <[email protected]> Signed-off-by: favonia <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (ossf#2430) Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 cron: expose the stackdriver prefix as a config variable so it can be changed. (ossf#2446) * Expose the stackdriver prefix as a config variable so it can be changed. Signed-off-by: Caleb Brown <[email protected]> * fix linter warning Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Co-authored-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Only write to the rawBucket if the value exists. (ossf#2451) Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (ossf#2448) * 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.2.0...v0.3.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * bump attestor modules Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Move cron monitoring to a non-internal location. (ossf#2453) This allows external workers (e.g. criticality_score) to use the same monitoring code. Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (ossf#2455) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@0efb1d1...30d5821) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (ossf#2454) * Generalize the transfer logic so it is easy to build new transfer agents This change moves code that reads shards and produces summaries into the data package so that it can be reused to create new transfer agents, similar to the BigQuery transfer agent in cron/internal/bq. Signed-off-by: Caleb Brown <[email protected]> * Lint fix and commentary. Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/google/addlicense in /tools (ossf#2459) Bumps [github.com/google/addlicense](https://github.com/google/addlicense) from 1.0.0 to 1.1.0. - [Release notes](https://github.com/google/addlicense/releases) - [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml) - [Commits](google/addlicense@v1.0.0...v1.1.0) --- updated-dependencies: - dependency-name: github.com/google/addlicense dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: latortuga71 <[email protected]> * 🌱 Bump github.com/google/go-containerregistry Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.0 to 0.12.1. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](google/go-containerregistry@v0.12.0...v0.12.1) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> * go mod tidy Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: latortuga71 <[email protected]> * Added <= instead of == incase negative int is passed Signed-off-by: latortuga71 <[email protected]> * missed test fix Signed-off-by: latortuga71 <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: latortuga71 <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Scott Hissam <[email protected]> Signed-off-by: Michael Scovetta <[email protected]> Signed-off-by: favonia <[email protected]> Signed-off-by: Caleb Brown <[email protected]> Signed-off-by: Latortuga <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: raghavkaul <[email protected]> Co-authored-by: Spencer Schrock <[email protected]> Co-authored-by: scott hissam <[email protected]> Co-authored-by: Michael Scovetta <[email protected]> Co-authored-by: favonia <[email protected]> Co-authored-by: Caleb Brown <[email protected]>

dependabot bot requested review from azeemshaikh38, justaugustus, laurentsimon and naveensrinivasan as code owners October 20, 2022 14:21

dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Oct 20, 2022

dependabot bot mentioned this pull request Oct 20, 2022

🌱 Bump github.com/goreleaser/goreleaser from 1.11.5 to 1.12.2 in /tools #2369

Closed

dependabot bot had a problem deploying to integration-test October 20, 2022 14:49 Failure

dependabot bot force-pushed the dependabot/go_modules/tools/github.com/goreleaser/goreleaser-1.12.3 branch from 8a313eb to 1fdd1eb Compare October 21, 2022 00:08

dependabot bot requested a review from spencerschrock as a code owner October 21, 2022 00:08

dependabot bot had a problem deploying to integration-test October 21, 2022 00:30 Failure

dependabot bot force-pushed the dependabot/go_modules/tools/github.com/goreleaser/goreleaser-1.12.3 branch from 1fdd1eb to 67429ab Compare October 21, 2022 13:40

dependabot bot had a problem deploying to integration-test October 21, 2022 14:07 Failure

dependabot bot force-pushed the dependabot/go_modules/tools/github.com/goreleaser/goreleaser-1.12.3 branch from 67429ab to f2eeff6 Compare October 27, 2022 09:39

dependabot bot had a problem deploying to integration-test October 27, 2022 09:39 Failure

dependabot bot force-pushed the dependabot/go_modules/tools/github.com/goreleaser/goreleaser-1.12.3 branch from f2eeff6 to 3397aeb Compare October 28, 2022 08:29

dependabot bot had a problem deploying to integration-test October 28, 2022 08:31 Failure

dependabot bot force-pushed the dependabot/go_modules/tools/github.com/goreleaser/goreleaser-1.12.3 branch from 3397aeb to fad5797 Compare October 31, 2022 08:30

dependabot bot temporarily deployed to integration-test October 31, 2022 08:30 Inactive

naveensrinivasan approved these changes Oct 31, 2022

View reviewed changes

naveensrinivasan merged commit 1fa7910 into main Oct 31, 2022

naveensrinivasan deleted the dependabot/go_modules/tools/github.com/goreleaser/goreleaser-1.12.3 branch October 31, 2022 12:47

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🌱 Bump github.com/goreleaser/goreleaser from 1.11.5 to 1.12.3 in /tools #2373

🌱 Bump github.com/goreleaser/goreleaser from 1.11.5 to 1.12.3 in /tools #2373

dependabot bot commented on behalf of github Oct 20, 2022 •

edited

Loading

codecov bot commented Oct 20, 2022 •

edited

Loading

github-actions bot commented Oct 31, 2022

dependabot bot commented on behalf of github Oct 31, 2022

🌱 Bump github.com/goreleaser/goreleaser from 1.11.5 to 1.12.3 in /tools #2373

🌱 Bump github.com/goreleaser/goreleaser from 1.11.5 to 1.12.3 in /tools #2373

Conversation

dependabot bot commented on behalf of github Oct 20, 2022 • edited Loading

v1.12.3

Changelog

What to do next?

v1.12.2

Changelog

Bug fixes

Dependency updates

What to do next?

v1.12.1

Changelog

Bug fixes

What to do next?

v1.12.0

codecov bot commented Oct 20, 2022 • edited Loading

Codecov Report

github-actions bot commented Oct 31, 2022

dependabot bot commented on behalf of github Oct 31, 2022

dependabot bot commented on behalf of github Oct 20, 2022 •

edited

Loading

codecov bot commented Oct 20, 2022 •

edited

Loading