- Remove GPG signing from .goreleaser.yml
- Set `skip` parameter to `false` in .goreleaser.yml
[.goreleaser.yml]
- Remove the GPG signing from the .goreleaser.yml file
- Change the `skip` parameter to `false` in the .goreleaser.yml file
Signed-off-by: naveensrinivasan <[email protected]>
* fix: Handle editable pip install
Editable pip installs (-e) should be considered secure if the package is installed from a local source or a remote source (VCS install) but pinned by commit hash. To keep the behaviour we have for normal pip installs, we need to guarantee the package dependencies are pinned by hash too. For normal pip installs, we verify that by using --require-hashes flag. Unfortunately, --require-hashes flag is not compatible with editable installs, so we use --no-deps flag to verify the dependencies are not installed since we can't verify if they are pinned.
Signed-off-by: Gabriela Gutierrez <[email protected]>
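The rule that commit message describes, as an added Go example (not Scorecard's own code): a normal `pip install` counts as pinned only with `--require-hashes`, while an editable install counts as pinned only if every `-e` target is a local path or a commit-pinned VCS URL and `--no-deps` is present. The argument tokenisation, the local-path forms and the git commit-SHA regex are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Added example, not Scorecard's own code. Assumption: a VCS target is pinned only
// when it is a git+ URL whose @ref is a full 40-hex-character commit SHA.
var vcsCommitRe = regexp.MustCompile(`^git\+.+@[0-9a-f]{40}(#.*)?$`)
// isLocalSource reports whether an editable target is a local path (assumed forms).
func isLocalSource(t string) bool {
	return strings.HasPrefix(t, ".") || strings.HasPrefix(t, "/") || strings.HasPrefix(t, "file:")
}
// IsPipInstallPinned applies the rule from the commit message to the tokens after
// `pip install`: a normal install is pinned only with --require-hashes; an editable
// install is pinned only if every -e target is local or a commit-pinned VCS URL and
// --no-deps is present (--require-hashes cannot pin the transitive deps with -e).
func IsPipInstallPinned(args []string) bool {
	requireHashes, noDeps := false, false
	var editable []string
	for i := 0; i < len(args); i++ {
		switch a := args[i]; {
		case a == "--require-hashes":
			requireHashes = true
		case a == "--no-deps":
			noDeps = true
		case (a == "-e" || a == "--editable") && i+1 < len(args):
			editable = append(editable, args[i+1])
			i++ // consume the target that follows the flag
		case strings.HasPrefix(a, "--editable="):
			editable = append(editable, strings.TrimPrefix(a, "--editable="))
		}
	}
	if len(editable) == 0 {
		return requireHashes
	}
	for _, t := range editable { // several -e targets: every one must be pinned
		if !isLocalSource(t) && !vcsCommitRe.MatchString(t) {
			return false
		}
	}
	return noDeps
}
func main() { // constructed sample: editable install of a local checkout
	fmt.Println(IsPipInstallPinned([]string{"-e", "."}))              // false
	fmt.Println(IsPipInstallPinned([]string{"--no-deps", "-e", "."})) // true
}
```

A trailing `-e` with no target is treated as a non-editable command, so the conservative `--require-hashes` rule applies to it.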
* test: Editable pip install in GHA
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Editable pip install in Dockerfile
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Editable pip install in shell script
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Code complexity increase
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Simplify boolean return
Signed-off-by: Gabriela Gutierrez <[email protected]>
* docs: Add pip editable install references in comments
Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Handle multiple packages in editable pip install
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Multi editable pip install in GHA
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Multi editable pip install in Dockerfile
Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Multi editable pip install in shell script
Signed-off-by: Gabriela Gutierrez <[email protected]>
---------
Signed-off-by: Gabriela Gutierrez <[email protected]>
Co-authored-by: laurentsimon <[email protected]>
* Add make targets and E2E test target for GitLab only
Signed-off-by: Raghav Kaul <[email protected]>
* Add GitLab support to RepoClient
Signed-off-by: Raghav Kaul <[email protected]>
* Build
* Make target for e2e-gitlab-token
* Only run GitLab tests in CI that don't require a token
Signed-off-by: Raghav Kaul <[email protected]>
* Add tests
Signed-off-by: Raghav Kaul <[email protected]>
* Remove spurious printf
Signed-off-by: Raghav Kaul <[email protected]>
* 🐛 Check OSS Fuzz build file for Fuzzing check (#2719)
* Check OSS-Fuzz using project list
Signed-off-by: Spencer Schrock <[email protected]>
* Use clients.RepoClient interface to perform the new OSS Fuzz check
Signed-off-by: Spencer Schrock <[email protected]>
* wip: add eager client for better repeated lookup of projects
Signed-off-by: Spencer Schrock <[email protected]>
* Split lazy and eager behavior into different implementations.
Signed-off-by: Spencer Schrock <[email protected]>
* Add tests and benchmarks
Signed-off-by: Spencer Schrock <[email protected]>
* Switch to always parsing JSON to determine if a project is present. The other approach of looking for a substring match would lead to false positives.
Signed-off-by: Spencer Schrock <[email protected]>
* Add eager constructor to surface status file errors sooner.
Signed-off-by: Spencer Schrock <[email protected]>
* Switch existing users to new OSS Fuzz client
Signed-off-by: Spencer Schrock <[email protected]>
* Mark old method as deprecated in the godoc
Signed-off-by: Spencer Schrock <[email protected]>
* remove unused comment.
Signed-off-by: Spencer Schrock <[email protected]>
* Use new OSS Fuzz client in e2e test.
Signed-off-by: Spencer Schrock <[email protected]>
* fix typo.
Signed-off-by: Spencer Schrock <[email protected]>
* Fix potential path bug with test server.
Signed-off-by: Spencer Schrock <[email protected]>
* Force include the two JSON files which were being ignored by .gitignore
Signed-off-by: Spencer Schrock <[email protected]>
* trim the status json file
Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Co-authored-by: Spencer Schrock <[email protected]>
* Updates osv-scanner dependency to 1.2.0.
The 1.0 release changed the return value for osv-scanner to output an error
when vulnerabilities are found, modified to handle this error correctly.
Signed-off-by: Rex Pan <[email protected]>
* Add some additional comments
Signed-off-by: Rex Pan <[email protected]>
* Update osv-scanner to include SBOM and logging fixes
Signed-off-by: Rex Pan <[email protected]>
---------
Signed-off-by: Rex Pan <[email protected]>
- Updated the `Makefile` to include the `-coverpkg=./...` flag when running tests.
[Makefile]
- Changed `SKIP_GINKGO=1 go test -race -covermode=atomic -coverprofile=unit-coverage.out` to `SKIP_GINKGO=1 go test -race -covermode=atomic -coverprofile=unit-coverage.out -coverpkg=./...` in the `Makefile`
Signed-off-by: naveensrinivasan <[email protected]>
* Update auth server to use GitHub App.
Signed-off-by: Spencer Schrock <[email protected]>
* Update release worker to use GitHub App tokens directly, as a workaround for the auth server not supporting it.
Signed-off-by: Spencer Schrock <[email protected]>
* Add Retry-After logic and stats.
Signed-off-by: Spencer Schrock <[email protected]>
* Change retry-after logic to support any status code. Disable troublesome checks.
Signed-off-by: Spencer Schrock <[email protected]>
* Use GitHub App Token instead of auth server.
Signed-off-by: Spencer Schrock <[email protected]>
* Temporarily disable additional checks.
Signed-off-by: Spencer Schrock <[email protected]>
* Disable github auth server as it doesn't work with the GitHub App Tokens.
Signed-off-by: Spencer Schrock <[email protected]>
* Re-enable Fuzzing check in the release test.
Signed-off-by: Spencer Schrock <[email protected]>
* Fix unit test for new check change.
Signed-off-by: Spencer Schrock <[email protected]>
* Move opencensus stat to the ratelimit roundtripper.
Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>