Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 Add scorecard-action to the security-events allowlist in Token Permissions check #2153

Merged
merged 4 commits into from
Aug 16, 2022
Merged

🐛 Add scorecard-action to the security-events allowlist in Token Permissions check #2153

merged 4 commits into from
Aug 16, 2022

Conversation

spencerschrock
Copy link
Contributor

What kind of change does this PR introduce?

Using scorecard-action no longer decreases a project's score.

What is the current behavior?

Repositories that use ossf/scorecard-action lose 1 point due to the Token Permissions check, because ossf/scorecard-action requires security-events: write.

What is the new behavior (if this is a feature change)?**

This PR adds ossf/scorecard-action to the allowed list of actions that can use security-events: write without affecting scoring.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #2152

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

NONE

@codecov
Copy link

codecov bot commented Aug 16, 2022
edited
Loading

Codecov Report

Merging #2153 (b02c20d) into main (2fd81c0) will increase coverage by 0.16%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #2153      +/-   ##
==========================================
+ Coverage   42.42%   42.59%   +0.16%     
==========================================
  Files          94       94              
  Lines        7846     7815      -31     
==========================================
  Hits         3329     3329              
+ Misses       4259     4228      -31     
  Partials      258      258

azeemshaikh38
azeemshaikh38 approved these changes Aug 16, 2022
View reviewed changes
Copy link
Contributor

@azeemshaikh38 azeemshaikh38 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@azeemshaikh38 azeemshaikh38 enabled auto-merge (squash) August 16, 2022 20:38
auto-merge was automatically disabled August 16, 2022 20:44

Head branch was pushed to by a user without write access

@spencerschrock spencerschrock temporarily deployed to integration-test August 16, 2022 20:45 Inactive
@azeemshaikh38 azeemshaikh38 enabled auto-merge (squash) August 16, 2022 20:51
@github-actions
Copy link

Integration tests success for
[b02c20d]
(https://github.com/ossf/scorecard/actions/runs/2870973477)

@azeemshaikh38 azeemshaikh38 merged commit 2f253e8 into ossf:main Aug 16, 2022
@spencerschrock spencerschrock deleted the allow-scorecard-action-security-events branch August 17, 2022 21:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@azeemshaikh38 azeemshaikh38 azeemshaikh38 approved these changes

@justaugustus justaugustus Awaiting requested review from justaugustus

@laurentsimon laurentsimon Awaiting requested review from laurentsimon

@naveensrinivasan naveensrinivasan Awaiting requested review from naveensrinivasan

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Using Scorecard GitHub Action reduces the Token-Permissions score
2 participants
@spencerschrock @azeemshaikh38