Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#1830 update scorecard to v5 (gh action 2.4.0) #1890

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

#1830 update scorecard to v5 (gh action 2.4.0) #1890

wants to merge 3 commits into from

Conversation

planetf1
Copy link
Contributor

@planetf1 planetf1 commented Aug 13, 2024
edited
Loading

  • Updates to use scorecard v5
  • re-pinned actions in scorecard.yaml to latest levels
  • fixed report of unpinned dependencies in unix.yml
  • enabled publishing of scorecard results

Note: Results are published by the openssf team at https://scorecard.dev/viewer/?uri=github.com%2Fopen-quantum-safe%2Fliboqs
Enabling our own scan is recommended by openssf, allows us to enable badges, and permits some tweaking of rules
The current scan results are here

Fixes #1830

n/a

  • Does this PR change the input/output behaviour of a cryptographic algorithm (i.e., does it change known answer test values)? (If so, a version bump will be required from x.y.z to x.(y+1).0.)
  • Does this PR change the list of algorithms available -- either adding, removing, or renaming? Does this PR otherwise change an API? (If so, PRs in fully supported downstream projects dependent on these, i.e., oqs-provider will also need to be ready for review and merge by the time this is merged.)

No change to crypto. This is build pipeline only.

@planetf1 planetf1 marked this pull request as draft August 13, 2024 15:29
@planetf1 planetf1 marked this pull request as ready for review August 27, 2024 09:31
@planetf1 planetf1 mentioned this pull request Aug 27, 2024
Open
baentsch
baentsch requested changes Sep 17, 2024
View reviewed changes
Copy link
Member

@baentsch baentsch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please re-base and check the single comments.

@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@planetf1
Copy link
Contributor Author

The notice above relates to the scorecard analysis being available as entries under the 'security' tab.

SWilson4
SWilson4 approved these changes Sep 25, 2024
View reviewed changes
Copy link
Member

@SWilson4 SWilson4 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. I don't think it's an issue to merge this before we release 0.11.0, since it only touches CI (and even that only minimally), but it would be good to get a second opinion on that.

.github/workflows/scorecard.yml Show resolved Hide resolved
.github/workflows/scorecard.yml Show resolved Hide resolved
@planetf1
Copy link
Contributor Author

@SWilson4 though of course I want to get this merged, I'd say leave until after release. It just feels with days to go we should minimize any unncessary changes so seems a good general practice

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dstebila dstebila dstebila approved these changes

@SWilson4 SWilson4 SWilson4 approved these changes

@baentsch baentsch Awaiting requested review from baentsch

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

scorecard: update to version 5
4 participants
@planetf1 @dstebila @SWilson4 @baentsch