Skip to content

use release and tag APIs to enhance imposter commit verification #682

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Oct 24, 2025
Merged

use release and tag APIs to enhance imposter commit verification #682

merged 6 commits into from
Oct 24, 2025

Conversation

@spencerschrock
Copy link
Member

@spencerschrock spencerschrock commented Sep 24, 2024

This PR does a few things, and is grouped by commit to make review easier. Ignoring the file moves, this PR is closer to +227 -48 in size, which is hopefully more manageable.

bump GitHub library to v65

This is just a simple dependency bump since dependabot doesn't handle Go major versions.

move githubVerifier to its own file

Just a 1:1 movement to keep the files organized

define a commit type

Just switched some arguments to a struct, which isn't too important but helps the next commit which requires storing owner/repo/sha values in a map.

use release and tag APIs to enhance imposter commit verification

The old verification process assumed a commit was always in the default
branch, or came from a select number of hardcoded release branches. This
was error prone whenever new releases branches were used by some of the
actions we check. (see ossf/scorecard-action#1367 (comment))

The commit verification workflow now uses dynamic data to determine
which branches to check. The steps are now:

  1. Check if the commit is one of the latest 100 tags, which should be
    the most common case.
  2. Check the default branch.
  3. Check branches associated with the most recent releases. This removes
    the hardcoded checks and should require fewer updates in the future.

Note

github/codeql-action required some special logic as their releases are all tagged from main, even though the tags come from different release branches. Handling this required parsing GitHub action semantic versions, which I used golang.org/x/mod/semver for.

Package semver implements comparison of semantic version strings. In this package, semantic version strings must begin with a leading "v", as in "v1.0.0".
...
This package follows Semantic Versioning 2.0.0 (see semver.org) with two exceptions. First, it requires the "v" prefix. Second, it recognizes vMAJOR and vMAJOR.MINOR (with no prerelease or build suffixes) as shorthands for vMAJOR.0.0 and vMAJOR.MINOR.0.

Both of these assumptions currently match the versioning used by the codeql-action, so the fact that this is a go.mod parsing package shouldn't matter (but feel free to comment if you disagree).

@spencerschrock
bump GitHub library to v65
031417a 
Signed-off-by: Spencer Schrock <[email protected]>
@spencerschrock
move githubVerifier to its own file
5b52898 
Signed-off-by: Spencer Schrock <[email protected]>
@spencerschrock
define a commit type
2f11571 
this helps us use a map later.

Signed-off-by: Spencer Schrock <[email protected]>
@spencerschrock
use release and tag APIs to enhance imposter commit verification
c67d706 
The old verification process assumed a commit was always in the default
branch, or came from a select number of hardcoded release branches. This
was error prone whenever new releases branches were used by some of the
actions we check.

The commit verification workflow now uses dynamic data to determine
which branches to check. The steps are now:
1. Check if the commit is one of the latest 100 tags, which should be
   the most common case.
2. Check the default branch (unchanged from before).
3. Check branches associated with the most recent releases. This removes
   the hardcoded checks and should require fewer updates in the future.

Signed-off-by: Spencer Schrock <[email protected]>
@spencerschrock spencerschrock requested review from a team, naveensrinivasan and raghavkaul and removed request for a team September 24, 2024 21:27
@netlify
Copy link

netlify bot commented Sep 24, 2024
edited
Loading

Deploy Preview for ossf-scorecard canceled.

Name Link
🔨 Latest commit c67d706
🔍 Latest deploy log https://app.netlify.com/sites/ossf-scorecard/deploys/66f32ee217796300084c0a9a

@spencerschrock spencerschrock mentioned this pull request Sep 24, 2024
Closed
@spencerschrock spencerschrock mentioned this pull request Oct 15, 2025
Merged
@justaugustus justaugustus requested review from AdamKorcz, jeffmendoza and justaugustus and removed request for naveensrinivasan and raghavkaul October 17, 2025 19:03
AdamKorcz
AdamKorcz reviewed Oct 20, 2025
View reviewed changes
AdamKorcz
AdamKorcz reviewed Oct 20, 2025
View reviewed changes
AdamKorcz
AdamKorcz reviewed Oct 20, 2025
View reviewed changes
Copy link

@AdamKorcz AdamKorcz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of questions/comments

@spencerschrock spencerschrock requested a review from a team as a code owner October 20, 2025 20:26
@netlify
Copy link

netlify bot commented Oct 20, 2025
edited
Loading

Deploy Preview for ossf-scorecard canceled.

Name Link
🔨 Latest commit 896fd57
🔍 Latest deploy log https://app.netlify.com/projects/ossf-scorecard/deploys/68f69af91fa70e000825ed8e

@spencerschrock spencerschrock merged commit 79413f3 into ossf:main Oct 24, 2025
11 checks passed
@spencerschrock spencerschrock deleted the auto-branch-find branch October 24, 2025 15:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AdamKorcz AdamKorcz AdamKorcz approved these changes

@justaugustus justaugustus Awaiting requested review from justaugustus

@jeffmendoza jeffmendoza Awaiting requested review from jeffmendoza

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@spencerschrock @AdamKorcz