bazelbuild / rules_pkg

Bazel rules for creating packages of many types (zip, tar, deb, rpm, ...)
Apache License 2.0

Update scorecard.yml to new checkout and analysis actions. #840

Closed aiuto closed 6 months ago

aiuto commented 6 months ago

Update scorecard workflow as per https://github.com/ossf/scorecard-action

My earlier suggested fix had no effect. This one seems more likely, based on the error message on the security tab.

[Scorecard analysis](https://github.com/bazelbuild/rules_pkg/actions/runs/8391092847/job/22980629120)
Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/.

That suggests that actions/checkout is out of date.

I think it is inexcusable for a security scanner to not do numbered releases. You can not expect humans to audit and reason about github hashes.

aiuto commented 6 months ago

Whump, whump, whump. That still does not help.
I've spent more time than I can afford on this for now. I filed https://github.com/ossf/scorecard/issues/3968 against scorecard. Let's see what they say.

aiuto commented 6 months ago

Probably yes. What I want is for scorecard to fix their documentation and examples so they are up to date.

A potential policy based solution is that all the bazelbuild repositories share the same scorecard setup. That way we only have to fix it for bazelbuild/bazel and everyone else feels safe just copying that workflow to their repository. This reduces churn and improves accountability.

On Fri, Mar 22, 2024 at 11:25 AM Chuck Grindel @.***> wrote:

@.**** commented on this pull request.

In .github/workflows/scorecard.yml https://github.com/bazelbuild/rules_pkg/pull/840#discussion_r1535770530:

@@ -35,12 +35,12 @@ jobs: uses: @.***

   - name: "Checkout code"
  • uses: @.*** # v3.1.0
  • uses: @.*** # v3.5.2
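Review bot: the only visible change in this hunk is the version comment moving from `# v3.1.0` to `# v3.5.2`, and with the ref after `uses:` redacted as `@.***` the hunk does not show which commit the workflow is actually pinned to; since the Security tab message quoted above names actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 as the deprecated Node 16 pin, confirm that the new pinned hash is a different commit and that it resolves to the tag the comment claims, otherwise the comment drifts from the hash it annotates and the workflow can stay on a deprecated action.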

We may want to update this to 4.x.x soon. GitHub is deprecating actions that use node 16: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/
