🌱 Update Scorecard API usage #336
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
azeemshaikh38
requested review from
naveensrinivasan,
justaugustus and
laurentsimon
laurentsimon
approved these changes
Jun 6, 2022
azeemshaikh38
force-pushed
the
azeems/golang-bug
branch
from
a9f6a91
to
bfb0b3e
Compare
justaugustus
requested changes
Jun 6, 2022
There was a problem hiding this comment.
Left some style comments and questions.
@ossf/scorecard-maintainers -- As an overarching goal, but also using this PR as context, we need to work on pull request hygiene/telling a story for future passerbys (which may include us).
Here's a quick list of questions/comments that I have:
Part of #133. Will update
golang-stagingbranch to use the public imagescorecard-action
- How is the
golang-stagingbranch used? - Is this well-documented?
- How does this relate to Feature: Scorecard badges #133 (enabling Scorecard badges through the scorecard GitHub Action)?
- The PR title and commit message says "Update Scorecard API usage", but it does not explain what is being changed or how it's being changed. https://github.com/kubernetes/sig-release/blob/master/CONTRIBUTING.md#contributing-code contains some pretty good guidance here.
- The additional infra changes, like the Dockerfile and cloudbuild.yaml, should be a separate commit, again explaining why they need to be added
- Is there a reason we prefer gcr.io instead of GH container registry?
- I'm not sure I agree with adding yet another Dockerfile (this was part of the reason for the direction in image: Build the
scorecardcommand from this repo's wrapper instead of copying #316 and ✨ [WIP] Migrate Golang-based entrypoint for GitHub Actions scorecard#1962)
azeemshaikh38
force-pushed
the
azeems/golang-bug
branch
2 times, most recently
from
e810343
to
c2f8f16
Compare
justaugustus
reviewed
Jun 6, 2022
Codecov Report
@@ Coverage Diff @@
## main #336 +/- ##
==========================================
- Coverage 64.28% 63.88% -0.40%
==========================================
Files 4 4
Lines 210 216 +6
==========================================
+ Hits 135 138 +3
- Misses 67 69 +2
- Partials 8 9 +1
|
There is some documentation here about how
I made some updates to the
I will make another attempt at the PR description once we have reached an agreement on the overall changes.
Below answers should probably cover why these were added.
No strong reason except for personal familiarity with Google Cloud infra and that Scorecard image itself resides in GCP. Ok to use anything else.
The extra Dockerfile is only temporary (until we release the Golang code and delete any bash related code). Even today, we maintain 2 separate Dockerfiles (the second one lives in |
azeemshaikh38
force-pushed
the
azeems/golang-bug
branch
from
c2f8f16
to
e6b9506
Compare
azeemshaikh38
force-pushed
the
azeems/golang-bug
branch
from
e6b9506
to
b8a85e5
Compare
azeemshaikh38
added a commit
that referenced
this pull request
Jun 7, 2022
* 🌱 Bump github.com/ossf/scorecard/v4 from 4.2.0 to 4.3.0 (#313) * 🌱 Bump github.com/ossf/scorecard/v4 from 4.2.0 to 4.3.0 Bumps [github.com/ossf/scorecard/v4](https://github.com/ossf/scorecard) from 4.2.0 to 4.3.0. - [Release notes](https://github.com/ossf/scorecard/releases) - [Changelog](https://github.com/ossf/scorecard/blob/main/.goreleaser.yml) - [Commits](ossf/scorecard@v4.2.0...v4.3.0) --- updated-dependencies: - dependency-name: github.com/ossf/scorecard/v4 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * options: Restore logic for publishing results Signed-off-by: Stephen Augustus <foo@auggie.dev> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Stephen Augustus <foo@auggie.dev> * 🌱 Bump github/codeql-action from 2.1.10 to 2.1.11 (#311) * 🌱 Bump github/codeql-action from 2.1.10 to 2.1.11 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.10 to 2.1.11. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@2f58583...a3a6c12) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Fix version comments Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com> * 📖 docs/e2e: Add information about golang-staging branch tests (#170) Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com> * 🌱 .github: Add dependency review action (#165) Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Update README.md (#319) * 🌱 Bump github.com/caarlos0/env/v6 from 6.9.2 to 6.9.3 Bumps [github.com/caarlos0/env/v6](https://github.com/caarlos0/env) from 6.9.2 to 6.9.3. - [Release notes](https://github.com/caarlos0/env/releases) - [Changelog](https://github.com/caarlos0/env/blob/main/.goreleaser.yml) - [Commits](caarlos0/env@v6.9.2...v6.9.3) --- updated-dependencies: - dependency-name: github.com/caarlos0/env/v6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * 🌱 Bump debian from `fbaacd5` to `06a93cb` Bumps debian from `fbaacd5` to `06a93cb`. --- updated-dependencies: - dependency-name: debian dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * 🌱 Bump actions/setup-go from 3.1.0 to 3.2.0 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.1.0 to 3.2.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@fcdc436...b22fbbc) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * ✨ Bump container hash to use scorecard v4.3.1 (#324) * Update Dockerfile * Update Dockerfile * Update README.md (#325) * Update Scorecard API usage * Add documentation for e2e tests Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Stephen Augustus <foo@auggie.dev> Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com> Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: Azeem Shaikh <azeems@google.com>
justaugustus
approved these changes
Jun 8, 2022
There was a problem hiding this comment.
Thanks @azeemshaikh38!
I may have more follow-up questions, but let's get the CI checks unblocked first and foremost.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Recent changes to
scorecard-webappAPI updates how Scorecard Action should integrate with the API. This PR make the necessary updates:Along with these changes, updates how Golang Scorecard Action will be built and tested:
Dockerfile.golangandcloudbuild.yamlto update how Golang Action is built.e2etests.Part of #133.
golang-stagingbranch will be deleted and need not be maintained after necessary changes to e2e tests are deployed.