ci(ossf-scorecard): added workflow calculating scorecard metrics #2848
Conversation
@@ -7,6 +7,9 @@ | |||
<a href="https://github.com/semantic-release/semantic-release/actions?query=workflow%3ATest+branch%3Amaster"> | |||
<img alt="Build states" src="https://github.com/semantic-release/semantic-release/workflows/Test/badge.svg"> | |||
</a> | |||
<a href="https://securityscorecards.dev/viewer/?uri=github.com/semantic-release/semantic-release"> |
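Review bot: only the opening `<a href="https://securityscorecards.dev/viewer/?uri=github.com/semantic-release/semantic-release">` of the new scorecard badge is visible in this hunk even though the header says three lines were added; confirm the closing `</a>` and the badge `<img>` follow the pattern of the existing Test badge directly above, including an `alt` attribute so the badge stays readable when the image does not load.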
we've kept badges to a minimum, but this one feels worth including. open to leaving it out if it feels inconsistent
an example of the new semantic-release detection working and rewarding a 10 for the packaging score: https://securityscorecards.dev/viewer/?uri=github.com/travi-test/semantic-release-tester#section-Packaging
according to https://github.com/ossf/scorecard/blob/4cd5446862ea4c470810fea81fc7f45a36d04dec/docs/checks.md#license, the scorecard relies on GitHub's understanding of our license. it is true that GitHub does not recognize the license, but i do not understand why. comparing the contents of https://github.com/semantic-release/semantic-release/blob/master/LICENSE to https://github.com/form8ion/javascript/blob/master/LICENSE from another of my projects where the license is recognized correctly, i don't spot obvious differences beyond the ones that would be expected to differ between projects. i also found https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository#detecting-a-license, but i don't see anything obvious that applies in our case

update: this leaves me even more confused since licensee is apparently what github uses for the detection:

$ docker run licensee detect semantic-release/semantic-release --remote
License: MIT
Matched files: LICENSE, package.json
LICENSE:
Content hash: 4c2c763d64bbc7ef2e58b0ec6d06d90cee9755c9
Attribution: Copyright (c) 2017 Contributors
Confidence: 100.00%
Matcher: Licensee::Matchers::Exact
License: MIT
package.json:
Confidence: 90.00%
Matcher: Licensee::Matchers::NpmBower
License: MIT
maybe we can try to just update the LICENSE file? That might resolve it
… into ossf-scorecard
🎉 This PR is included in version 21.0.6 🎉 The release is available on: Your semantic-release bot 📦🚀
the changes to detect semantic-release in github actions workflows were released yesterday, so it feels like the right time to add this to our workflows.
our current score is 7.7, but i expect that to go up once this is merged and the score is recalculated with the new detection for semantic-release. i'm hopeful that the failure to detect our license might also be fixed, but i haven't dug in to confirm that one 🤞🏼