Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

.github: Initial config for CodeQL & Scorecard #2441

Merged
merged 1 commit into from
Feb 21, 2022
Merged

.github: Initial config for CodeQL & Scorecard #2441

merged 1 commit into from
Feb 21, 2022

Conversation

justaugustus
Copy link
Member

@justaugustus justaugustus commented Feb 21, 2022
edited
Loading

What type of PR is this?

/kind feature
/area dependency release-eng/security

What this PR does / why we need it:

.github: Initial config for CodeQL & Scorecard

Security scanning is cool, so let's do it!

Signed-off-by: Stephen Augustus [email protected]

/assign @puerco @cpanato @saschagrunert
cc: @kubernetes/release-engineering

Which issue(s) this PR fixes:

Special notes for your reviewer:

This will probably take a few iterations to get right, but let's get the initial config in and iterate.

@kubernetes/sig-release-admins -- A token has been generated for @k8s-release-robot per the following instructions, added to our 1Password vault, and added to k/release as a repo secret:

  • Name: scorecard-read-2022-02-21
  • Expiration: No expiration
  • Scopes:
    • repo --> public_repo
    • admin:org --> read:org
    • admin:repo_hook --> read:repo_hook
    • write:discussion --> read:discussion

Does this PR introduce a user-facing change?

.github: Initial config for CodeQL & Scorecard

@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Feb 21, 2022
@k8s-ci-robot k8s-ci-robot added area/dependency Issues or PRs related to dependency changes area/release-eng/security Issues or PRs related to release engineering security release-note Denotes a PR that will be considered when it comes time to generate release notes. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Feb 21, 2022
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justaugustus

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the area/release-eng Issues or PRs related to the Release Engineering subproject label Feb 21, 2022
@k8s-ci-robot k8s-ci-robot added sig/release Categorizes an issue or PR as relevant to SIG Release. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Feb 21, 2022
@puerco
Copy link
Member

puerco commented Feb 21, 2022

/test pull-release-integration-test

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 21, 2022
@JamesLaverack
Copy link
Member

/hold for releng to take a look?

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 21, 2022
@justaugustus
Copy link
Member Author

/hold for releng to take a look?

/hold cancel
(@puerco is a Tech Lead :))

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 21, 2022
@puerco
Copy link
Member

puerco commented Feb 21, 2022

/lgtm (I was just waiting for the tests to finish :)

@k8s-ci-robot k8s-ci-robot merged commit c231802 into kubernetes:master Feb 21, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.24 milestone Feb 21, 2022
@justaugustus justaugustus mentioned this pull request Feb 21, 2022
Merged
cpanato
cpanato reviewed Feb 22, 2022
View reviewed changes
Copy link
Member

@cpanato cpanato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

late lgtm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cpanato cpanato cpanato left review comments

@JamesLaverack JamesLaverack JamesLaverack left review comments

@csantanapr csantanapr csantanapr left review comments

@mkorbi mkorbi Awaiting requested review from mkorbi

@sethmccombs sethmccombs Awaiting requested review from sethmccombs

Assignees

@saschagrunert saschagrunert

@JamesLaverack JamesLaverack

@puerco puerco

@cpanato cpanato

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/dependency Issues or PRs related to dependency changes area/release-eng/security Issues or PRs related to release engineering security area/release-eng Issues or PRs related to the Release Engineering subproject cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/release Categorizes an issue or PR as relevant to SIG Release. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.24
Development

Successfully merging this pull request may close these issues.
7 participants
@justaugustus @k8s-ci-robot @puerco @JamesLaverack @csantanapr @cpanato @saschagrunert