⚠️ Add ProjectPackageVersions to raw data collection

[raghavkaul]

What kind of change does this PR introduce?

Adds ProjectPackageVersion data to SignedReleasesData, which will let a probe consume the data. Also add mock for ProjectPackageClient.

⚠️ breaking change: implementers of the Repo interface must now implement Path().

[spencerschrock]

Can you remind me what the intended purpose is? There's a lot of data being added to the raw results. But hard to reason about the necessity of it when there's no accompanying probe.

If we consider the ossf/scorecard response for example:
https://api.deps.dev/v3/projects/github.com%2Fossf%2Fscorecard:packageversions

[raghavkaul]

The probe will be something like releasesHaveVerifiedProvenance, which returns a proportional finding depending on how many releases have provenance. I think we'll need System (ecosystem), Name, and Version to create a unique VersionKey (as deps.dev does) to return proportional results. Then we'll need IsVerified for the actual probe. I left Commit in there if we'll eventually want to deduplicate GitHub releases attestations from other system release attestations.

[spencerschrock]

/scdiff generate Signed-Releases

[github-actions]

Here's a link to the scdiff run

[spencerschrock]

Getting segfaults and e2e test failures, which would need to be fixed. I'm also curious how errors in the deps dev response would be handled right now (if it would mess up other data collection)

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 27 lines in your changes are missing coverage. Please review.

Project coverage is 59.96%. Comparing base (6815161) to head (5d12fc1).
Report is 12 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4104      +/-   ##
==========================================
- Coverage   66.06%   59.96%   -6.11%     
==========================================
  Files         226      214      -12     
  Lines       16291    15551     -740     
==========================================
- Hits        10763     9325    -1438     
- Misses       4854     5535     +681     
- Partials      674      691      +17     

[raghavkaul]

how errors in the deps dev response would be handled right now (if it would mess up other data collection)

They're propagated up to the check level, so they'll cause the check to fail.

[raghavkaul]

/scdiff generate Signed-Releases

[github-actions]

Here's a link to the scdiff run

[raghavkaul]

/scdiff generate Signed-Releases

[github-actions]

Here's a link to the scdiff run

[raghavkaul]

/scdiff generate Signed-Releases

[github-actions]

Here's a link to the scdiff run

[spencerschrock]

overall looks good. I think the cron client (as-is) will panic on a nil pointer deref, so let's fix that.