Changes
- Improved caching
- Improved detection of stale dependencies (ensures that a file is checked if a related dictionary is changed).
- Reduce the size of the cache file by consolidating results.
- Added `--cache-reset` option to the CLI.
Fixes
Pin actions to a full length commit SHA (#2670)
- Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
Pin actions to a full length commit SHA
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
How do I validate these pinned actions?
Also, dependabot supports upgrading based on SHA. ossf/scorecard#1700
GitHub's own repository pins their checkout actions by SHA and doesn't use the version tag
https://github.com/github/docs/blob/ea7f218c91ecbae9a700a8702b51a7d2736e0d2c/.github/workflows/docs-review-collect.yml#L23
Signed-off-by: naveensrinivasan 172697+naveensrinivasan@users.noreply.github.com
fix: relative path name (#2675)
Fix relative path names when reading the file list from stdin.
fix: add configuration for git commit messages (#2674)
Documentation
Maintenance
ci: Set permissions for GitHub actions (#2662)
Based upon #2661
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
- https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
Signed-off-by: naveensrinivasan 172697+naveensrinivasan@users.noreply.github.com
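The two maintenance commits above (pinning actions to a full-length commit SHA, and declaring token permissions for the workflow) are both things a repository can check for mechanically. The following is an added example of such a check; it is not code from the cspell project or from either commit. It is a dependency-free, line-based audit of a workflow file that reports every `uses:` reference whose ref is not a 40-hex commit SHA and flags a workflow that declares no `permissions:` block at all. The sample workflow text, the function names `audit_workflow` and `is_pinned_to_sha`, and the `Finding` record are all constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample workflow for this example (not a real cspell workflow).
# Line 9 is pinned to a full-length SHA, line 10 uses a mutable tag, and
# line 11 is a local action that has no git ref to pin.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
      - run: npm test
"""

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
PERMISSIONS_RE = re.compile(r"^\s*permissions:")


@dataclass
class Finding:
    line: int      # 1-based line number; 0 for file-level findings
    message: str


def is_pinned_to_sha(ref: str) -> bool:
    """True if an `owner/repo@ref` reference uses a full-length commit SHA."""
    if "@" not in ref:
        return False
    _, version = ref.rsplit("@", 1)
    return FULL_SHA_RE.match(version) is not None


def audit_workflow(text: str) -> list[Finding]:
    """Report unpinned action references and a missing permissions block."""
    findings: list[Finding] = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PERMISSIONS_RE.match(line):
            has_permissions = True
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local actions (./path) and docker:// images are not git refs,
        # so SHA pinning does not apply to them.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not is_pinned_to_sha(ref):
            findings.append(
                Finding(lineno, f"{ref}: not pinned to a full-length commit SHA")
            )
    if not has_permissions:
        findings.append(
            Finding(0, "no permissions: block; token defaults apply to every job")
        )
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {finding.line}: {finding.message}")
```

Run against the sample, this reports only `actions/setup-node@v4`. The check is syntactic: it tells you a ref is immutable, not that it is the commit you intended. Confirming that a SHA matches a given release tag is an out-of-band step, for instance comparing it with the peeled (`^{}`) commit shown by `git ls-remote --tags` for the action's repository.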