Ericsson / CodeCompass

CodeCompass is a software comprehension tool for large scale software written in C/C++ and Java
https://codecompass.net
GNU General Public License v3.0
516 stars 101 forks

Update Scorecard Action version #730

Closed mcserep closed 5 months ago

mcserep commented 6 months ago

The Scorecard job added in #716 started to fail a week later, stating:

error signing payload: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: invalid key

See e.g. https://github.com/Ericsson/CodeCompass/actions/runs/8411925535/job/23032110561 for reference.

It is discussed in https://github.com/ossf/scorecard-action/issues/997, that the Scorecard Action should be updated to v2.3.1.
I have replaced the pinned versions with semantic version requirements, so bugfixes and other non-breaking improvements are picked up automatically by newer pipeline runs. We do not use hash pinning in our other CI pipelines either.

mcserep commented 5 months ago

@intjftw Can you please take a look at this and merge it? Not super important, but the CI job keeps failing, and I get notifications.

mcserep commented 5 months ago

After the merge, the job still fails, as the ossf/scorecard-action action has no support for semantic version tags (e.g. v2), as other GitHub Actions have. Instead, explicit version tags have to be used.

Fixed in 8e84d84e29a0cec6cb0af9f6dcc587ea9ff34480.
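As an added example (not code from the CodeCompass repository or from the issue author), here is a small Python checker for the distinction this thread turns on: every `uses:` reference in a workflow is classified as a floating major tag (e.g. v2, which follows whatever the maintainer moves the tag to), an exact version tag (e.g. v2.3.1), a full 40-hex commit SHA (the immutable form), or a branch/other ref. The workflow text and the SHA in it are constructed placeholders, and the set of actions that reject floating tags is taken only from the observation in the last comment above.

```python
import re

# Constructed sample workflow; none of these lines are from the CodeCompass repo
# and the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  analysis:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@v4.3.0
      - uses: ossf/scorecard-action@v2
      - uses: github/codeql-action/upload-sarif@0123456789abcdef0123456789abcdef01234567 # v3.24.0
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
"""

# Per the last comment in this thread, scorecard-action does not resolve a
# floating major tag such as v2; an explicit tag or a SHA is required.
ACTIONS_WITHOUT_FLOATING_TAGS = {"ossf/scorecard-action"}

USES_RE = re.compile(r'^\s*-?\s*uses:\s*(\S+)(?:\s*#\s*(.*))?')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
EXACT_TAG_RE = re.compile(r'^v?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?$')
FLOATING_TAG_RE = re.compile(r'^v?\d+(?:\.\d+)?$')


def classify_ref(ref):
    """Classify the part after '@' in a uses: reference."""
    if SHA_RE.match(ref):
        return "sha"
    if EXACT_TAG_RE.match(ref):
        return "exact-tag"
    if FLOATING_TAG_RE.match(ref):
        return "floating-tag"
    return "branch-or-other"


def audit_uses(workflow_text):
    """Return one dict per uses: line: action, ref, kind, and any trailing comment.

    Local actions (./path) and container images (docker://) carry no git ref
    to pin, so they are reported with kind 'skip'.
    """
    results = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec, comment = m.group(1), (m.group(2) or "").strip()
        if spec.startswith("./") or spec.startswith("docker://"):
            results.append({"action": spec, "ref": None, "kind": "skip", "comment": comment})
            continue
        if "@" not in spec:
            results.append({"action": spec, "ref": None, "kind": "unpinned", "comment": comment})
            continue
        action, ref = spec.rsplit("@", 1)
        results.append({"action": action, "ref": ref, "kind": classify_ref(ref), "comment": comment})
    return results


def findings(workflow_text):
    """Human-readable warnings for references that are not reproducible or that
    this thread reports as failing outright."""
    out = []
    for r in audit_uses(workflow_text):
        if r["kind"] == "floating-tag" and r["action"] in ACTIONS_WITHOUT_FLOATING_TAGS:
            out.append(f"{r['action']}@{r['ref']}: floating tag is not resolved by this action; use an exact tag or a SHA")
        elif r["kind"] in ("floating-tag", "branch-or-other", "unpinned"):
            out.append(f"{r['action']}@{r['ref']}: mutable reference ({r['kind']}); pin to a full commit SHA with a '# vX.Y.Z' comment")
        elif r["kind"] == "sha" and not r["comment"]:
            out.append(f"{r['action']}@{r['ref']}: SHA pin lacks a version comment, which makes reviewing upgrades harder")
    return out


if __name__ == "__main__":
    for w in findings(SAMPLE_WORKFLOW):
        print(w)
```

To hash-pin an action after picking the exact tag you want, the usual step is `git ls-remote https://github.com/<owner>/<action> refs/tags/<tag>` to obtain the commit the tag points at, then write `uses: <owner>/<action>@<sha> # <tag>` so the comment records what the SHA corresponds to; the checker above treats a SHA without such a comment as worth a warning rather than an error.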