Skip to content

Commit

Permalink
Update ossf/scorecard-action action to v2.3.1 (#488)
Browse files Browse the repository at this point in the history
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) |
action | minor | `v2.1.2` -> `v2.3.1` |

---

### Release Notes

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.3.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.1)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1
by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1282](https://togithub.com/ossf/scorecard-action/pull/1282)
- Adds additional Fuzzing detection and fixes a SAST bug related to
detecting CodeQL. For a full changelist of what this includes, see the
[v4.13.1](https://togithub.com/ossf/scorecard/releases/tag/v4.13.1)
release notes

**Full Changelog**:
ossf/scorecard-action@v2.3.0...v2.3.1

###
[`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0
by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270)
- For a full changelist of what this includes, see the
[v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and
[v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0)
release notes
- ✨ Send rekor tlog index to webapp when publishing results by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169)
- 🐛 Prevent url clipping for GHES instances by
[@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225)

##### Documentation

- 📖 Update access rights needed to see the results in code scanning
by [@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229)
- 📖 Add package comments. by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221)
- 📖 Add SECURITY.md file by
[@&#8203;david-a-wheeler](https://togithub.com/david-a-wheeler) in
[https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250)
- 📖 Fix typo in token input docs by
[@&#8203;aabouzaid](https://togithub.com/aabouzaid) in
[https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258)

#### New Contributors

- [@&#8203;david-a-wheeler](https://togithub.com/david-a-wheeler) made
their first contribution in
[https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250)
- [@&#8203;aabouzaid](https://togithub.com/aabouzaid) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258)

**Full Changelog**:
ossf/scorecard-action@v2.2.0...v2.3.0

###
[`v2.2.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.2.0)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0
by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1192](https://togithub.com/ossf/scorecard-action/pull/1192)

#### Scorecard Result Viewer

Thanks to contributions from
[@&#8203;cynthia-sg](https://togithub.com/cynthia-sg) and
[@&#8203;tegioz](https://togithub.com/tegioz) at
[CLOMonitor](https://togithub.com/cncf/clomonitor), there is a new
Scorecard Result visualization page at
`https://securityscorecards.dev/viewer/?uri=<project-url>`.

-
[https://github.com/ossf/scorecard-webapp/pull/406](https://togithub.com/ossf/scorecard-webapp/pull/406)
-
[https://github.com/ossf/scorecard-webapp/pull/422](https://togithub.com/ossf/scorecard-webapp/pull/422)

As an example, you can see our own score visualized
[here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
Checkout our
[README](https://togithub.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge)
to learn how to link your README badge to the new visualization page.

#### Publishing Results

This release contains two fixes which will improve the user experience
when `publish_results` is `true`

- Runs that fail our [workflow
restrictions](https://togithub.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions)
will fail with a 400 response indicating the problem, instead of a vague
500 status.
([https://github.com/ossf/scorecard-action/pull/1156](https://togithub.com/ossf/scorecard-action/pull/1156),
resolved
[https://github.com/ossf/scorecard-action/issues/1150](https://togithub.com/ossf/scorecard-action/issues/1150))
- Scorecard action will retry when signing results and submitting them
to our web API. This should help with flakiness from connection
failures.
([https://github.com/ossf/scorecard-action/pull/1191](https://togithub.com/ossf/scorecard-action/pull/1191))

#### Docs

- 📖 Update README to accept fine-grained tokens by
[@&#8203;pnacht](https://togithub.com/pnacht) in
[https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175)
- 📖 Update installation instructions to match current GitHub UI by
[@&#8203;joycebrum](https://togithub.com/joycebrum) in
[https://github.com/ossf/scorecard-action/pull/1153](https://togithub.com/ossf/scorecard-action/pull/1153)
- 📖 Document the GitHub action workflow restrictions when publishing
results. by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in

#### New Contributors

- [@&#8203;bobcallaway](https://togithub.com/bobcallaway) made their
first contribution in
[https://github.com/ossf/scorecard-action/pull/1140](https://togithub.com/ossf/scorecard-action/pull/1140)
- [@&#8203;pnacht](https://togithub.com/pnacht) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175)

**Full Changelog**:
ossf/scorecard-action@v2.1.3...v2.2.0

###
[`v2.1.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.3)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.2...v2.1.3)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1111](https://togithub.com/ossf/scorecard-action/pull/1111)

##### Bug Fixes

-   Invalid SARIF files from a bug in scorecard
-
[#&#8203;1076](https://togithub.com/ossf/scorecard-action/issues/1076),
[#&#8203;1094](https://togithub.com/ossf/scorecard-action/issues/1094)
- Vulnerabilities check crashes if a vulnerable dependency is found via
OSVScanner
- [#&#8203;1092](https://togithub.com/ossf/scorecard-action/issues/1092)
-   Scorecard action not reporting binary artifacts in the repo
- [#&#8203;1116](https://togithub.com/ossf/scorecard-action/issues/1116)

**Full Scorecard Changelog**:
ossf/scorecard@v4.10.2...v4.10.5

**Full Changelog**:
ossf/scorecard-action@v2.1.2...v2.1.3

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/secretflow/spu).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMjcuMCIsInVwZGF0ZWRJblZlciI6IjM3LjEyNy4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  • Loading branch information
renovate[bot] authored Jan 12, 2024
1 parent 6ae3695 commit b8457a5
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ jobs:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
with:
results_file: results.sarif
results_format: sarif
Expand Down

0 comments on commit b8457a5

Please sign in to comment.