Update Supply-chain Security Scorecard #1986

Merged
merged 5 commits into from
Mar 29, 2023
Collaborator

@jmgrady jmgrady commented Mar 29, 2023

A recent run of the Supply-chain Security Scorecard has failed because of attempted access to an address that is not in the list of allowed-endpoints. The address should be allowed, so this adds it to the allowed-endpoints. In addition, the egress-policy is set to audit for now so that the allowed-endpoints list can be verified.

In addition, the PR includes a change recommended by dependabot to update github/codeql-actions to v2.2.9.
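
Added example, not part of this PR or the project's code: one way to do the verification step described above, comparing the destinations seen during an audit-mode run against the allowed-endpoints value. The hostnames, the input layout and the function names are constructed for illustration, and entries are assumed to be exact `host:port` pairs (no wildcard handling).

```python
"""Added example: compare audited egress against an allowed-endpoints list."""

# Constructed sample: the multi-line value a workflow passes as
# allowed-endpoints (whitespace-separated host:port entries).
ALLOWED_ENDPOINTS = """
    api.github.com:443
    github.com:443
    example-registry.invalid:443
"""

# Constructed sample: outbound connections noted during an audit-mode run.
AUDITED_CONNECTIONS = [
    ("api.github.com", 443),
    ("GitHub.com", 443),                 # same host, different case
    ("example-telemetry.invalid", 443),  # not in the list
    ("github.com", 80),                  # right host, wrong port
]


def normalize(host, port):
    """Hostnames are case-insensitive; a trailing dot is the same name."""
    return (host.lower().rstrip("."), int(port))


def parse_allowed(text):
    """Return a set of (host, port); reject entries without a numeric port."""
    allowed = set()
    for entry in text.split():
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"malformed endpoint: {entry!r}")
        allowed.add(normalize(host, port))
    return allowed


def review(allowed_text, connections):
    """Return (missing, unused): contacted but not listed, listed but unused."""
    allowed = parse_allowed(allowed_text)
    seen = {normalize(host, port) for host, port in connections}
    return sorted(seen - allowed), sorted(allowed - seen)


if __name__ == "__main__":
    missing, unused = review(ALLOWED_ENDPOINTS, AUDITED_CONNECTIONS)
    for host, port in missing:
        print(f"contacted but not in allowed-endpoints: {host}:{port}")
    for host, port in unused:
        print(f"listed but never contacted: {host}:{port}")
```

An empty "missing" list over several audited runs is the signal that the list is complete; "unused" entries are candidates for removal to keep the list minimal.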



dependabot bot and others added 5 commits March 28, 2023 16:16
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.7 to 2.2.9.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@168b99b...04df126)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

codecov-commenter commented Mar 29, 2023

Codecov Report

Patch and project coverage have no change.

Comparison is base (dcff670) 49.63% compared to head (a875f5d) 49.63%.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #1986   +/-   ##
=======================================
  Coverage   49.63%   49.63%           
=======================================
  Files         292      292           
  Lines        9147     9147           
  Branches      663      663           
=======================================
  Hits         4540     4540           
  Misses       4071     4071           
  Partials      536      536           
Flag Coverage Δ
backend 73.95% <ø> (ø)
frontend 32.34% <ø> (ø)

Contributor

@jasonleenaylor jasonleenaylor left a comment


Reviewed 2 of 3 files at r1, 1 of 1 files at r2, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved (waiting on @jmgrady)

@jmgrady jmgrady enabled auto-merge (squash) March 29, 2023 14:54
@jmgrady jmgrady self-assigned this Mar 29, 2023
@jmgrady jmgrady added dependencies Pull requests that update a dependency file CI/CD labels Mar 29, 2023
@jmgrady jmgrady merged commit 81064a6 into master Mar 29, 2023
@jmgrady jmgrady deleted the scorecard-update branch March 29, 2023 16:17