✨ Support Nuget Pinned Dependency with RestoreLockedMode attribute #4351
Merged: spencerschrock merged 23 commits into ossf:main from balteravishay:support-restorelockedmode on Oct 3, 2024
Conversation
Not a full review, just wanted to tackle a question around the approach.
Here are a number of repos to test this change on:
/scdiff generate Pinned-Dependencies
What kind of change does this PR introduce?
Support pinning dependencies in .NET using a lockfile by declaring the RestoreLockedMode attribute in the csproj.
What is the current behavior?
Checking for NuGet pinned dependencies considers only CLI locked-mode flags (i.e. --locked-mode), and if none is found the score is 0.
What is the new behavior (if this is a feature change)?
If a NuGet CLI command is found that is not locked with the CLI flag, a post-processing method checks for csproj files in the repo and scores according to the number of them that declare the RestoreLockedMode attribute set to true.
Which issue(s) this PR fixes
Fixes #4251
Special notes for your reviewer
The implementation of this fix, using a post-processing method, was discussed with @spencerschrock in the Scorecard community call.
There is an upcoming PR that will complement this behaviour by adding support for Central Package Management; it will also perform post-processing to look for another file type (Directory.Packages.props) where this feature is enabled.
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to the release-note (In particular, describe what changes users might need to make in their application as a result of this pull request.)
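As an added example (not scorecard's own code and not part of this PR), the post-processing step described above in Go: every .csproj in the repo is parsed and counted as locked only when a PropertyGroup sets RestoreLockedMode to true, and the locked/total counts are what a score would be derived from. The csproj struct, the function names and the sample repo contents are assumptions.

```go
package main
import (
	"encoding/xml"
	"path"
	"strings"
)

// Assumed minimal csproj model (not scorecard's own parser): only PropertyGroup/RestoreLockedMode.
type csproj struct {
	PropertyGroups []struct {
		RestoreLockedMode string `xml:"RestoreLockedMode"`
	} `xml:"PropertyGroup"`
}

// isRestoreLockedMode reports whether any PropertyGroup sets RestoreLockedMode to true.
func isRestoreLockedMode(content []byte) (bool, error) {
	var p csproj
	if err := xml.Unmarshal(content, &p); err != nil {
		return false, err
	}
	for _, pg := range p.PropertyGroups {
		if strings.EqualFold(strings.TrimSpace(pg.RestoreLockedMode), "true") {
			return true, nil
		}
	}
	return false, nil
}

// lockedModeRatio returns (locked, total) over the repo's .csproj files; unparsable project files count toward total only, so a broken csproj never raises the score.
func lockedModeRatio(files map[string][]byte) (locked, total int) {
	for name, content := range files {
		if !strings.EqualFold(path.Ext(name), ".csproj") {
			continue
		}
		total++
		if ok, err := isRestoreLockedMode(content); err == nil && ok {
			locked++
		}
	}
	return locked, total
}

// sampleRepo is a constructed repo: one locked project, one unlocked, one non-project file.
func sampleRepo() map[string][]byte {
	return map[string][]byte{
		"src/App/App.csproj": []byte(`<Project><PropertyGroup><RestoreLockedMode>true</RestoreLockedMode></PropertyGroup></Project>`),
		"src/Lib/Lib.csproj": []byte(`<Project><PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup></Project>`),
		"README.md":          []byte("not a project file"),
	}
}
```

A repo where only the CLI `--locked-mode` flag is missing would score by the ratio 1/2 here, since only App.csproj opts in to locked restores.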