✨ Add packaging workflow for semantic-release

[travi]

What kind of change does this PR introduce?

Adds detection for the recommended use of semantic-release in a GitHub Actions workflow.

• PR title follows the guidelines defined in our pull request documentation

What is the current behavior?

semantic-release is not detected as a packaging tool. detection for python-semantic-release was added in #1654, but that is a separate project from semantic-release

What is the new behavior (if this is a feature change)?**

semantic-release is now detected when used with npx in the workflow. the following variations are detected in the run property of a step:

• npx semantic-release
• npx semantic-release@21
• npx [email protected]
• npx semantic-release@beta
• npx -p @semantic-release/git semantic-release

• Tests for the changes have been added (for bug fixes/features)

I verified that the variations above are detected when set in the testdata workflow file, but the PR currently only contains one of those variations. I did not find examples of other situations that defined multiple workflow variations for a single packaging tool detection, but I am open to feedback if additional tests would be desired.

Which issue(s) this PR fixes

Fixes #2929

Special notes for your reviewer

i personally use a reusable workflow (example reference) to capture the details of running semantic-release. (Since I am a semantic-release maintainer, I mostly do this to enable easy switching from use of the latest version to a pre-release in order to test further across my own projects.) I assume reusable workflows would prevent detection of the semantic-release usage, is that correct or does the scanning also evaluate those?

even if reusable workflows are not scanned, adding this detection would be valuable for much of our community. i would be interested to add this support and follow up with further discussion afterward about reusable workflows if not already scanned.

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

✨ Add packaging workflow for semantic-release

[codecov]

Codecov Report

Merging #2964 (e11d5c7) into main (793da0c) will increase coverage by 0.03%.
The diff coverage is 100.00%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2964      +/-   ##
==========================================
+ Coverage   53.01%   53.05%   +0.03%     
==========================================
  Files         161      161              
  Lines       12303    12312       +9     
==========================================
+ Hits         6523     6532       +9     
  Misses       5404     5404              
  Partials      376      376              

[spencerschrock]

Thanks, the only blocker is the linter

[spencerschrock]

I assume reusable workflows would prevent detection of the semantic-release usage, is that correct or does the scanning also evaluate those?

Yes, Scorecard doesn't currently follow any reusable workflows.

even if reusable workflows are not scanned, adding this detection would be valuable for much of our community.

Thank you for the contribution!

[travi]

Yes, Scorecard doesn't currently follow any reusable workflows.

makes sense. thank you for confirming. would you say that there is an appetite to analyze those at some point in the future?

Thank you for the contribution!

absolutely. thanks for accepting and for all you do on the project. i'm excited about how this will help our communities