ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0
4.53k stars 494 forks

Consider GitHub/VS Marketplaces as Packaging locations. #2749

Open muiriswoulfe opened 1 year ago

muiriswoulfe commented 1 year ago

Is your feature request related to a problem? Please describe.

Consider supporting GitHub Marketplace or Visual Studio Marketplace as packaging locations.

Describe the solution you'd like

I have an action that is published to both Marketplaces but fails the Packaging check in the scorecard. It would be great to get support for one or both Marketplaces as these essentially constitute locations to which a package is released.

In the root folder, action.yml is used to specify the publish to the GitHub Marketplace.

Detecting use of the Visual Studio Marketplace is a bit more involved, but I have the following in our build pipeline:

```yaml
      - name: Publish Release
        uses: HaaLeo/publish-vscode-extension@c1a0486c5a3eed24e8c21d4e37889a7c4c60c443 # v1.2.0
```

Describe alternatives you've considered

The only real alternative is not to support this.

It would be possible to publish the package to npm just to meet the Packaging requirement, but it wouldn't be the correct thing to do as the package should not be consumed in that way.

github-actions[bot] commented 1 year ago

This issue is stale because it has been open for 60 days with no activity.

spencerschrock commented 12 months ago

> In the root folder, action.yml is used to specify the publish to the GitHub Marketplace.

I think this is slightly different, but a good point to bring up. We have the same problem with Go where repos are automatically packages without any publishing. #2493

> Detecting use of the Visual Studio Marketplace is a bit more involved, but I have the following in our build pipeline

For any commonly used actions, adding support is relatively straightforward: https://github.com/ossf/scorecard/blob/5f171ba0beaa318562bbe7c060c739b481f17dde/checks/fileparser/github_workflow.go#L446. I would accept any PRs on this part of the request.
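
The detection spencerschrock describes amounts to scanning workflow steps for `uses:` references that name a known publishing action. The Go program below is an added illustration of that idea, not code from the Scorecard repository and not the API of `checks/fileparser/github_workflow.go`: the `packagingActions` table, the `PackagingMatch` type and the `FindPackagingSteps` function are assumptions made for this example, and the embedded workflow is constructed from the step quoted in the issue. It also records whether the reference is pinned to a full commit SHA, since a registry-publishing step that is pinned only to a mutable tag is one a reviewer would want flagged.

```go
package main

import (
	"fmt"
	"strings"
)

// packagingActions maps a GitHub Action (owner/repo) to the registry it
// publishes to. This table is an assumption for the example, not
// Scorecard's own list of recognised packaging actions.
var packagingActions = map[string]string{
	"HaaLeo/publish-vscode-extension": "Visual Studio Marketplace",
}

// PackagingMatch describes one workflow step that publishes a package.
type PackagingMatch struct {
	Line        int    // 1-based line number in the workflow file
	Action      string // owner/repo part of the uses: reference
	Ref         string // text after '@' (commit SHA or tag), empty if absent
	Registry    string // registry the action publishes to
	PinnedBySHA bool   // true when Ref is a full 40-hex-digit commit SHA
}

// pinnedBySHA reports whether ref looks like a full Git commit SHA.
func pinnedBySHA(ref string) bool {
	if len(ref) != 40 {
		return false
	}
	for _, c := range ref {
		if !strings.ContainsRune("0123456789abcdefABCDEF", c) {
			return false
		}
	}
	return true
}

// FindPackagingSteps scans workflow YAML text line by line, extracts every
// `uses:` reference and reports those that name a known publishing action.
// A line-based scan is enough here because `uses:` always sits on its own
// line in a step; a full YAML parser would be used in production code.
func FindPackagingSteps(workflow string) []PackagingMatch {
	var matches []PackagingMatch
	for i, raw := range strings.Split(workflow, "\n") {
		line := strings.TrimPrefix(strings.TrimSpace(raw), "- ")
		if !strings.HasPrefix(line, "uses:") {
			continue
		}
		ref := strings.TrimSpace(strings.TrimPrefix(line, "uses:"))
		// Drop a trailing comment such as "# v1.2.0" used to document a pinned SHA.
		if idx := strings.Index(ref, "#"); idx >= 0 {
			ref = strings.TrimSpace(ref[:idx])
		}
		ref = strings.Trim(ref, `"'`)
		action, version, _ := strings.Cut(ref, "@")
		// GitHub owner and repository names are case-insensitive.
		for known, registry := range packagingActions {
			if strings.EqualFold(action, known) {
				matches = append(matches, PackagingMatch{
					Line:        i + 1,
					Action:      known,
					Ref:         version,
					Registry:    registry,
					PinnedBySHA: pinnedBySHA(version),
				})
			}
		}
	}
	return matches
}

// sampleWorkflow is a constructed release workflow containing the
// publish step quoted in the issue.
const sampleWorkflow = `name: release
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish Release
        uses: HaaLeo/publish-vscode-extension@c1a0486c5a3eed24e8c21d4e37889a7c4c60c443 # v1.2.0
`

func main() {
	for _, m := range FindPackagingSteps(sampleWorkflow) {
		fmt.Printf("line %d: %s publishes to %s (pinned by SHA: %t)\n",
			m.Line, m.Action, m.Registry, m.PinnedBySHA)
	}
}
```

Extending coverage to another registry is a matter of adding a row to `packagingActions`; the scan itself stays the same. Note that this only evaluates workflow files, so the separate case raised above (a root `action.yml` listing on the GitHub Marketplace with no publishing step at all) is not something this kind of step scan can detect.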

github-actions[bot] commented 9 months ago

This issue is stale because it has been open for 60 days with no activity.