ci(ossf-scorecard): added workflow calculating scorecard metrics #2848
Conversation
| @@ -7,6 +7,9 @@ | |||
| <a href="https://github.com/semantic-release/semantic-release/actions?query=workflow%3ATest+branch%3Amaster"> | |||
| <img alt="Build states" src="https://github.com/semantic-release/semantic-release/workflows/Test/badge.svg"> | |||
| </a> | |||
| <a href="https://securityscorecards.dev/viewer/?uri=github.com/semantic-release/semantic-release"> | |||
There was a problem hiding this comment.
we've kept badges to a minimum, but this one feels worth including. open to leaving it out if it feels inconsistent
|
an example of the new semantic-release detection working and rewarding a 10 for the packaging score: https://securityscorecards.dev/viewer/?uri=github.com/travi-test/semantic-release-tester#section-Packaging |
according to https://github.com/ossf/scorecard/blob/4cd5446862ea4c470810fea81fc7f45a36d04dec/docs/checks.md#license, the scorecard relies on GitHub's understanding of our license. it is true that GitHub does not recognize the license, but i do not understand why. comparing the contents of https://github.com/semantic-release/semantic-release/blob/master/LICENSE to https://github.com/form8ion/javascript/blob/master/LICENSE from another of my projects where the license is recognized correctly, i dont spot obvious differences beyond the ones that would be expected to differ between projects. i also found https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository#detecting-a-license, but i dont see anything obvious that applies in our case update: this leaves me even more confused since licensee is apparently what github uses for the detection: $ docker run licensee detect semantic-release/semantic-release --remote
License: MIT
Matched files: LICENSE, package.json
LICENSE:
Content hash: 4c2c763d64bbc7ef2e58b0ec6d06d90cee9755c9
Attribution: Copyright (c) 2017 Contributors
Confidence: 100.00%
Matcher: Licensee::Matchers::Exact
License: MIT
package.json:
Confidence: 90.00%
Matcher: Licensee::Matchers::NpmBower
License: MIT |
maybe we can try to just update the LICENSE file? That might resolve it |
… into ossf-scorecard
|
🎉 This PR is included in version 21.0.6 🎉 The release is available on: Your semantic-release bot 📦🚀 |
the changes to detect semantic-release in github actions workflows was released yesterday, so it feels like the right time to add this to our workflows.
our current score is 7.7, but i expect that to go up once this is merged and the score is recalculated with the new detection for semantic-release. i'm hopeful that the failure to detect our license might also be fixed, but i haven't dug in to confirm that one 🤞🏼