[]:Syncs from fork #88

karankohli-cf · 2024-06-10T12:33:15Z

No description provided.

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Jeff Mendoza <[email protected]>

Signed-off-by: Evan Anderson <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>

* (Not sure if this is needed, githubclient.Close() is thread safe) Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]> update scorecard Signed-off-by: Raghav Kaul <[email protected]>

…ive result Signed-off-by: Colm O hEigeartaigh <[email protected]>

Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.5 to 3.2.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@dd6b2e2...1fc5bd3) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: Jeff Mendoza <[email protected]>

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@v3...v4) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@v2...v3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v3...v4) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3 to 4. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@v3...v4) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.2.0 to 3.4.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@1fc5bd3...e1523de) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: Jeff Mendoza <[email protected]>

Orignally, the cache was intended to be long lived to handle incoming webhooks at any time. Currently, we are just polling, and just need the cache to handle a single "EnforceAll" run, where we hit the same paths multiple times in that run. Therefore, change the cache to be per-installation, and free it after each "EnforceAll". Signed-off-by: Jeff Mendoza <[email protected]>

Change "workers" cli option to be in pkg/config/operator and use ALLSTAR_NUM_WORKERS envvar with same default at 5. Update staging and prod config to use 1 worker to save concurrent memory usage. Signed-off-by: Jeff Mendoza <[email protected]>

This was trying (and depending on app permissions, succeeding) at changing issue descriptions in repos directly even when IssueRepo was set. We update to obey IssueRepo config setting in this case Signed-off-by: twelsh-aw <[email protected]>

Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.36.0 to 0.37.0. - [Release notes](https://github.com/google/go-cloud/releases) - [Commits](google/go-cloud@v0.36.0...v0.37.0) --- updated-dependencies: - dependency-name: gocloud.dev dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.9.0 to 2.10.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.9.0...v2.10.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: Jeff Mendoza <[email protected]>

Signed-off-by: Stephen Augustus <[email protected]>

raghavkaul and others added 30 commits November 21, 2023 15:54

Update nocache condition

2ec2dca

Signed-off-by: Raghav Kaul <[email protected]>

Skip empty repositories for enforcement

2531796

Signed-off-by: Raghav Kaul <[email protected]>

Fix tests

4b3f718

Signed-off-by: Raghav Kaul <[email protected]>

Use GitHub RepositoriesService.GetContent API

210e999

Signed-off-by: Raghav Kaul <[email protected]>

update

5bc0d49

Signed-off-by: Raghav Kaul <[email protected]>

Revert ossf#471 empty check

1c18a33

Signed-off-by: Jeff Mendoza <[email protected]>

Rename boolArgPtr to 'runOnce`

00e8917

Signed-off-by: Evan Anderson <[email protected]>

Parameterize max goroutines

968a887

Signed-off-by: Raghav Kaul <[email protected]>

Don't recreate scorecard clients multiple times

b9a43c0

Signed-off-by: Raghav Kaul <[email protected]>

Initialize scClients map once globally

cd0a83b

Signed-off-by: Raghav Kaul <[email protected]>

Lock entire cleanup method

c2c6202

* (Not sure if this is needed, githubclient.Close() is thread safe) Signed-off-by: Raghav Kaul <[email protected]>

Update scorecard

2767817

Signed-off-by: Raghav Kaul <[email protected]> update scorecard Signed-off-by: Raghav Kaul <[email protected]>

Don't create issues for dangerous workflows when we have an inconclus…

3521ed8

…ive result Signed-off-by: Colm O hEigeartaigh <[email protected]>

Update a lot of go deps.

b48eddb

Signed-off-by: Jeff Mendoza <[email protected]>

Catch unknown scorecard check.

609be43

Signed-off-by: Jeff Mendoza <[email protected]>

Fix parsing of github action name.

c532eed

Signed-off-by: Jeff Mendoza <[email protected]>

Avoid panic with scorecard logs.

68e3449

Signed-off-by: Jeff Mendoza <[email protected]>

Avoid panic when workflow dir contains other dirs.

24b20ac

Signed-off-by: Jeff Mendoza <[email protected]>

Switch to using a single worker

964a34c

Change "workers" cli option to be in pkg/config/operator and use ALLSTAR_NUM_WORKERS envvar with same default at 5. Update staging and prod config to use 1 worker to save concurrent memory usage. Signed-off-by: Jeff Mendoza <[email protected]>

jeffmendoza and others added 7 commits May 3, 2024 12:27

Update scorecard and Go versions.

5388811

Signed-off-by: Jeff Mendoza <[email protected]>

Update sc client mock

27c8070

Signed-off-by: Jeff Mendoza <[email protected]>

Update go modules

80ddc24

Signed-off-by: Jeff Mendoza <[email protected]>

Fix name of ko in cloudbuild

cc8cc68

Signed-off-by: Jeff Mendoza <[email protected]>

docs: Adopt OpenSSF Scorecard contributor ladder

3dc172e

Signed-off-by: Stephen Augustus <[email protected]>

docs: Allstar is now a part of the OpenSSF Scorecard project

0ae052c

Signed-off-by: Stephen Augustus <[email protected]>

Merge branch 'main' into syncs

1df3800

karankohli-cf requested a review from a team as a code owner June 10, 2024 12:33

karankohli-cf changed the title ~~[]:Syncs~~ []:Syncs from fork Jun 10, 2024

roryscarson previously approved these changes Jun 10, 2024

View reviewed changes

packages

e2938c2

karankohli-cf dismissed roryscarson’s stale review via e2938c2 June 10, 2024 12:36

karankohli-cf added 5 commits June 10, 2024 14:56

package rename

b53d179

go ver

062a1de

go ver

0549097

remove

72e1e6b

build on pr

98c0d49

karankohli-cf merged commit 5c0e21f into main Jun 10, 2024
3 checks passed

karankohli-cf deleted the syncs branch June 10, 2024 13:49

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[]:Syncs from fork #88

[]:Syncs from fork #88

karankohli-cf commented Jun 10, 2024

[]:Syncs from fork #88

[]:Syncs from fork #88

Conversation

karankohli-cf commented Jun 10, 2024