🐛 include workflow uses when checking for unpinned dependencies by AdamKorcz · Pull Request #4681 · ossf/scorecard · GitHub

Conversation

AdamKorcz
Contributor

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

What is the current behavior?

Currently the pinned dependencies check only checks for uses: in steps.

More details in #2174 (comment).

What is the new behavior (if this is a feature change)?

Also check job uses for unpinned dependencies.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #2174

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

Check for unpinned dependencies in workflow jobs.

Signed-off-by: Adam Korczynski <adam@adalogics.com>
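The distinction the PR draws is between two places a GitHub Actions workflow can say `uses:`: inside a job's `steps:` (an action) and directly under a job id (a reusable workflow, `uses: org/repo/.github/workflows/x.yml@ref`). Both are third-party code fetched at run time, and both are only immutable when `@ref` is a full commit SHA. The following is an added illustration, not scorecard's own implementation: a small Go scanner that reports unpinned references at either level. It assumes well-formatted, two-space-indented workflows and uses an indentation heuristic rather than a YAML parser; the workflow text and the 40-hex commit id in it are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// UsesRef is one `uses:` reference found in a workflow file.
type UsesRef struct {
	Job   string // id of the job that owns the reference
	Level string // "job" for a reusable workflow, "step" for an action under steps:
	Ref   string // the reference as written, e.g. actions/checkout@v4
	Line  int    // 1-based line number in the workflow text
}

// fullSHA matches a complete 40-hex git commit id, the only ref form that is
// immutable and therefore counts as pinned.
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// IsPinned reports whether the part after the last '@' is a full commit SHA.
func IsPinned(uses string) bool {
	at := strings.LastIndex(uses, "@")
	if at < 0 {
		return false
	}
	return fullSHA.MatchString(uses[at+1:])
}

// needsPin is false for references that carry no git ref to pin: local
// workflows/actions (./path) and docker images (docker://image).
func needsPin(uses string) bool {
	return !strings.HasPrefix(uses, "./") && !strings.HasPrefix(uses, "docker://")
}

// FindUses scans workflow text line by line and returns every `uses:` value
// with its job and whether it is job-level or step-level. This is a small
// indentation-based scanner for well-formatted workflows, not a YAML parser
// (an assumption of this example): a `uses:` nested under a `steps:` key is a
// step action, any other `uses:` inside a job is a reusable workflow.
func FindUses(workflow string) []UsesRef {
	var (
		refs        []UsesRef
		job         string
		inJobs      bool
		jobIndent   = -1 // indent of job ids under jobs:
		stepsIndent = -1 // indent of the current steps: key, -1 when outside one
	)
	for n, raw := range strings.Split(workflow, "\n") {
		line := strings.TrimRight(raw, " \t")
		trimmed := strings.TrimLeft(line, " ")
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue
		}
		indent := len(line) - len(trimmed)
		if indent == 0 { // top-level key: only jobs: is of interest
			inJobs = trimmed == "jobs:"
			jobIndent, stepsIndent, job = -1, -1, ""
			continue
		}
		if !inJobs {
			continue
		}
		// A key at the first indent below jobs: is a job id.
		if (jobIndent < 0 || indent == jobIndent) && strings.HasSuffix(trimmed, ":") {
			jobIndent, stepsIndent, job = indent, -1, strings.TrimSuffix(trimmed, ":")
			continue
		}
		isItem := strings.HasPrefix(trimmed, "- ")
		// Leaving the steps: block: a shallower line, or a sibling key at the same depth.
		if stepsIndent >= 0 && (indent < stepsIndent || (indent == stepsIndent && !isItem)) {
			stepsIndent = -1
		}
		if trimmed == "steps:" {
			stepsIndent = indent
			continue
		}
		key := strings.TrimPrefix(trimmed, "- ")
		if !strings.HasPrefix(key, "uses:") {
			continue
		}
		val := strings.Trim(strings.TrimSpace(strings.TrimPrefix(key, "uses:")), `"'`)
		level := "job"
		if stepsIndent >= 0 && (indent > stepsIndent || isItem) {
			level = "step"
		}
		refs = append(refs, UsesRef{Job: job, Level: level, Ref: val, Line: n + 1})
	}
	return refs
}

// Unpinned returns the references, at either level, that should be pinned but are not.
func Unpinned(workflow string) []UsesRef {
	var out []UsesRef
	for _, r := range FindUses(workflow) {
		if needsPin(r.Ref) && !IsPinned(r.Ref) {
			out = append(out, r)
		}
	}
	return out
}

// sampleWorkflow is constructed for this example; the 40-hex value is a placeholder, not a real commit.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  lint:
    uses: octo-org/octo-repo/.github/workflows/lint.yml@main
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Setup Go
        uses: actions/setup-go@v5
  release:
    uses: ./.github/workflows/release.yml
`

func main() {
	for _, r := range Unpinned(sampleWorkflow) {
		fmt.Printf("line %d: job %q %s-level reference %q is not pinned to a commit SHA\n", r.Line, r.Job, r.Level, r.Ref)
	}
}
```

Run against the sample, the scanner flags the job-level `lint.yml@main` reference and the step-level `actions/setup-go@v5`, while the SHA-pinned checkout and the local `./.github/workflows/release.yml` (which has no git ref to pin) pass. A check that only walked `steps:` would have missed the first finding, which is exactly the gap this PR closes.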
@AdamKorcz AdamKorcz requested a review from a team as a code owner June 27, 2025 11:35
@AdamKorcz AdamKorcz requested review from justaugustus and spencerschrock and removed request for a team June 27, 2025 11:35
@codecov

codecov bot commented Jun 27, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.30%. Comparing base (353ed60) to head (4e9dd12).
Report is 192 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4681      +/-   ##
==========================================
+ Coverage   66.80%   68.30%   +1.50%     
==========================================
  Files         230      249      +19     
  Lines       16602    18898    +2296     
==========================================
+ Hits        11091    12909    +1818     
- Misses       4808     5130     +322     
- Partials      703      859     +156     

@spencerschrock
Member

/scdiff generate Pinned-Dependencies


@spencerschrock spencerschrock enabled auto-merge (squash) June 30, 2025 17:14
@spencerschrock spencerschrock merged commit a1a0cb2 into ossf:main Jun 30, 2025
38 checks passed
Development

Successfully merging this pull request may close these issues.

Scorecard doesn't penalize unpinned reusable workflows in "Pinned-Dependencies" check