feat(github): Use regular CLI steps in scorecards workflow #1723

Merged
merged 1 commit into from
Jan 10, 2025

@javirln commented Jan 10, 2025

This patch removes all code related to chainloop labs and uses plain CLI commands to run the scorecards workflow.

A successful workflow can be found here: https://github.com/chainloop-dev/chainloop/actions/runs/12709541017/job/35428753447?pr=1723

Close #1721


- name: Install Chainloop
run: |
curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s
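Review bot: the `run` line pins install.sh to a commit SHA in the raw URL, but the fetched bytes go straight into `bash -s` with nothing checking them before they execute, which is the downloadThenRun pattern. Consider downloading the script to a file, comparing its SHA-256 against a digest recorded in the workflow, and only then running it. Separately, because the command is a pipeline, a failed `curl -sfL` only fails the step when pipefail is in effect; without it, bash reads empty input and the step passes without Chainloop installed.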

Check warning: Code scanning / Scorecard

Pinned-Dependencies: score is 7: downloadThenRun not pinned by hash. Click Remediation section below to solve this issue

@javirln requested a review from migmartri January 10, 2025 12:31
@javirln self-assigned this Jan 10, 2025
@javirln requested a review from jiparis January 10, 2025 12:31
@javirln marked this pull request as ready for review January 10, 2025 12:32

@migmartri left a comment

Thanks


steps:
- name: Install Cosign

Member

Do we need cosign anymore? This is to verify the signature of the installed chainloop, correct?

Member Author

Yes, we can remove it!

- name: Finish and Record Attestation
if: ${{ success() }}
run: |
chainloop attestation status --full

Member

No need to show status anymore; push will do it for you.

@javirln merged commit 497feb4 into main Jan 10, 2025
13 checks passed
@javirln deleted the feat/1721 branch January 10, 2025 13:19
javirln added a commit that referenced this pull request Jan 10, 2025
javirln added a commit that referenced this pull request Jan 10, 2025
javirln added a commit that referenced this pull request Jan 16, 2025
Successfully merging this pull request may close these issues.

Move scorecards workflow away from labs