BUG: .sigstore bundles are not being found by Signed-Releases check #3913
Comments
I think the issue is just that there hasn't been a new release in a while. After that, the scorecard-action Docker image should be updated.

@edgarrmondragon now that I look... 🤦 I'm so accustomed to 'release early, release often' (and so used to bumping the Scorecard workflow for CodeQL changes) I'd missed that 5 months have rolled by without a release.

We've been working on a major release, and haven't released in a while as we work through some breaking changes. I can try to see how many breaking changes have slipped in, and if an interim release is possible.

Cutting a Scorecard release may be challenging at this point before our v5 release within the month. Would it be sufficient for us to update Scorecard Action to use a newer version of scorecard (via a Go pseudo-version)?

Yeah, I guess most folks are using scorecard via ossf/scorecard-action. It'd at least work for me.

The fix has now been included in both a
Describe the bug

The Signed-Releases score is 0 even when .sigstore bundles are present for the last 5 releases.

Reproduction steps

Steps to reproduce the behavior:
.sigstore bundles)

Expected behavior

Signed-Releases score should be 8 after 5 releases with .sigstore bundles.

Additional context

This was initially raised by @edgarrmondragon in #3771 and should have been fixed by #3772.

I first noticed this with the at_python repo I maintain.

Here's the latest release assets using
gh release view --json assets -q .assets.[].name

Previous releases are the same aside from the semver bumps.

As @edgarrmondragon previously raised this, I took a look at his citric repo and the same is happening there. The .sigstore bundles are present, but the Signed-Releases score is 0.
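As an added illustration, not scorecard's own code, here is a simplified Python model of the Signed-Releases check fed with asset names in the form that `gh release view --json assets -q .assets.[].name` prints. The signature and provenance suffix lists, the 10/8/0 per-release points and the five-release window are assumptions about the check; the one fact taken from this report is that releases carrying only a .sigstore bundle should score 8, which is what the "buggy" suffix list (without .sigstore) fails to produce.

```python
"""Simplified model of a Signed-Releases style check (added example, not scorecard code)."""
from __future__ import annotations

# Assumed suffix lists. The buggy list omits ".sigstore", which reproduces the
# symptom from the report: releases signed only with Sigstore bundles score 0.
SIGNATURE_SUFFIXES_BUGGY = (".minisig", ".asc", ".sig", ".sign")
SIGNATURE_SUFFIXES_FIXED = SIGNATURE_SUFFIXES_BUGGY + (".sigstore",)
PROVENANCE_SUFFIXES = (".intoto.jsonl",)
RELEASES_CONSIDERED = 5  # assumed window: the most recent five releases


def parse_gh_asset_names(gh_output: str) -> list[str]:
    """Turn the newline-separated output of `gh release view ... -q .assets.[].name` into a list."""
    return [line.strip() for line in gh_output.splitlines() if line.strip()]


def release_points(asset_names: list[str], signature_suffixes=SIGNATURE_SUFFIXES_FIXED) -> int:
    """Points for one release: 10 with provenance, 8 if only signed, 0 otherwise (assumed split)."""
    if any(name.endswith(PROVENANCE_SUFFIXES) for name in asset_names):
        return 10
    if any(name.endswith(signature_suffixes) for name in asset_names):
        return 8
    return 0


def signed_releases_score(releases: list[list[str]], signature_suffixes=SIGNATURE_SUFFIXES_FIXED) -> int:
    """Average the per-release points over the newest releases (integer score, as assumed)."""
    recent = releases[:RELEASES_CONSIDERED]
    if not recent:
        return 0
    return sum(release_points(r, signature_suffixes) for r in recent) // len(recent)


# Constructed sample: five releases, each a wheel plus its Sigstore bundle.
# Names are placeholders and do not reproduce any real repository's assets.
SAMPLE_GH_OUTPUT = [
    f"example_pkg-1.{minor}.0-py3-none-any.whl\nexample_pkg-1.{minor}.0-py3-none-any.whl.sigstore\n"
    for minor in range(5)
]
SAMPLE_RELEASES = [parse_gh_asset_names(out) for out in SAMPLE_GH_OUTPUT]

if __name__ == "__main__":
    print("buggy suffix list:", signed_releases_score(SAMPLE_RELEASES, SIGNATURE_SUFFIXES_BUGGY))
    print("fixed suffix list:", signed_releases_score(SAMPLE_RELEASES))
```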