Posted to dev@commons.apache.org by Gary Gregory <ga...@gmail.com> on 2022/09/28 19:31:02 UTC

[ALL] Don't update ossf/scorecard-action

A specific version of the ossf/scorecard-action is approved by Apache Infra.

Do not merge ossf/scorecard-action PRs; this will cause the next run of
ossf/scorecard-action to fail (see the logs).

When it is eventually time to merge (in the future), please edit the PR to
fix the comment, for example:

       - name: "Run analysis"
-        uses:
ossf/scorecard-action@ce330fde6b1a5c9c75b417e7efc510b822a35564    # 1.1.2
+        uses:
ossf/scorecard-action@e363bfca00e752f91de7b7d2a77340e2e523cb18    # 1.1.2
         with:
           results_file: results.sarif
           results_format: sarif
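Review bot: The `+` line moves the pin from ce330fde... to e363bfca... but keeps the trailing comment `# 1.1.2` that the removed line carried, so the comment no longer identifies the release that is actually pinned. Change the comment to the release the new commit belongs to, and check that this commit is the one Apache Infra has approved before merging.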

The above is misleading since the pinned commit no longer matches the
version, so edit the version comment.

TY!
Gary
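
One way to catch the mismatch described in this message before a merge, as an added example (not code from this thread, from Apache Infra or from the scorecard project): a small checker that compares each `uses:` pin with an allowlist. `APPROVED`, `check_workflow` and the sample step are assumptions made for the illustration; the allowlist is assumed to hold the commit shown on the `-` line.

```python
import re

# Assumption: an allowlist of approved pins (action -> {commit SHA: release}).
# Its single entry is the pair on the "-" line of the message above.
APPROVED = {
    "ossf/scorecard-action": {
        "ce330fde6b1a5c9c75b417e7efc510b822a35564": "1.1.2",
    },
}

# Matches "uses: owner/repo@ref   # version"; the trailing comment is optional.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>\S+)"
    r"(?:\s+#\s*v?(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text, approved=APPROVED):
    """Return (line_number, action, problem) for each bad pin of a listed action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m["action"] not in approved:
            continue  # not a step we have an approved pin for
        action, ref, comment = m["action"], m["ref"], m["comment"]
        if not FULL_SHA_RE.match(ref):
            problem = "not pinned to a full commit SHA"
        elif ref not in approved[action]:
            problem = "commit is not on the approved list"
        elif comment != approved[action][ref]:
            problem = "version comment does not match the pinned commit"
        else:
            continue
        findings.append((lineno, action, problem))
    return findings


# Constructed sample: the step as it looks after the "+" line is applied.
UPDATED = """\
      - name: "Run analysis"
        uses: ossf/scorecard-action@e363bfca00e752f91de7b7d2a77340e2e523cb18    # 1.1.2
        with:
          results_file: results.sarif
"""

if __name__ == "__main__":
    for finding in check_workflow(UPDATED):
        print(finding)
```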

Re: [ALL] Don't update ossf/scorecard-action

Posted by Gary Gregory <ga...@gmail.com>.
This is all part of playing nicer in the larger FOSS ecosystem, as is
the generation of SBOMs, all items that were inspired by the fallout
of Log4Shell.

Gary

On Fri, Sep 30, 2022 at 6:26 AM Thomas Vandahl <tv...@apache.org> wrote:
>
> Hi Gary
>
> > On 28.09.2022 at 21:31, Gary Gregory <ga...@gmail.com> wrote:
> >
> > A specific version of the ossf/scorecard-action is approved by Apache Infra.
>
> Is there any discussion I might have missed why this is required now?
>
> Bye, Thomas
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>


Re: [ALL] Don't update ossf/scorecard-action

Posted by Thomas Vandahl <tv...@apache.org>.
Hi Gary

> On 28.09.2022 at 21:31, Gary Gregory <ga...@gmail.com> wrote:
> 
> A specific version of the ossf/scorecard-action is approved by Apache Infra.

Is there any discussion I might have missed why this is required now?

Bye, Thomas 