Highlights
- Updated Scorecard to v5
- Renamed Scorecard policy name to "OpenSSF Scorecard" (previously "Security Scorecards")
- Updated other dependencies
Images
- ghcr.io/ossf/allstar:v4.2
- ghcr.io/ossf/allstar:v4.2-busybox
Notes on policy name change
- If running Allstar with the `-policy` CLI option, you must specify the new "OpenSSF Scorecard" name to run that policy.
- If interpreting structured logging, the `area:` value now uses the "OpenSSF Scorecard" name for logs in that policy.
- If interpreting the "EnforceAll complete." structured summary log, the `results:` value will use the new "OpenSSF Scorecard" name for that policy.
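Anyone consuming Allstar's structured logs across the upgrade will see both policy names until every instance runs v4.2. The following Go snippet is an added example, not code from the Allstar project: it normalizes the old "Security Scorecards" name to "OpenSSF Scorecard" in both the `area` field and the keys of the `results` object. The exact JSON shape of the log lines (field names beyond `area` and `results`, and the value type inside `results`) is assumed; the sample lines are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Policy names before and after the rename described in the release notes.
const (
	oldName = "Security Scorecards"
	newName = "OpenSSF Scorecard"
)

// Constructed sample log lines. The shape (zerolog-style JSON with an "area"
// field per policy, and a "results" object keyed by policy name on the
// "EnforceAll complete." summary) is an assumption for this example.
const sampleLogs = `{"level":"info","area":"Security Scorecards","message":"policy evaluated"}
{"level":"info","area":"OpenSSF Scorecard","message":"policy evaluated"}
{"level":"info","message":"EnforceAll complete.","results":{"Security Scorecards":true,"Branch Protection":false}}
{"level":"info","message":"EnforceAll complete.","results":{"OpenSSF Scorecard":true}}`

// logEntry holds only the fields this example cares about; unknown fields
// are ignored by encoding/json.
type logEntry struct {
	Level   string         `json:"level"`
	Area    string         `json:"area,omitempty"`
	Message string         `json:"message"`
	Results map[string]any `json:"results,omitempty"` // value type assumed
}

// canonicalPolicy maps the pre-v4.2 policy name onto the v4.2 name and
// leaves every other policy name untouched.
func canonicalPolicy(name string) string {
	if name == oldName {
		return newName
	}
	return name
}

// Normalize parses one structured log line and rewrites the old policy name
// in both the per-policy "area" field and the "results" keys of the summary.
func Normalize(line string) (logEntry, error) {
	var e logEntry
	if err := json.Unmarshal([]byte(line), &e); err != nil {
		return e, err
	}
	e.Area = canonicalPolicy(e.Area)
	if e.Results != nil {
		norm := make(map[string]any, len(e.Results))
		for k, v := range e.Results {
			norm[canonicalPolicy(k)] = v
		}
		e.Results = norm
	}
	return e, nil
}

// CountScorecard reports how many lines refer to the Scorecard policy under
// either name, so a dashboard or alert keyed on the policy does not silently
// lose the pre-upgrade lines.
func CountScorecard(logs string) (int, error) {
	n := 0
	for _, line := range strings.Split(strings.TrimSpace(logs), "\n") {
		e, err := Normalize(line)
		if err != nil {
			return 0, err
		}
		if e.Area == newName {
			n++
			continue
		}
		if _, ok := e.Results[newName]; ok {
			n++
		}
	}
	return n, nil
}

func main() {
	n, err := CountScorecard(sampleLogs)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("%d log lines refer to %q (old or new name)\n", n, newName)
}
```

The normalization happens at ingestion, so downstream queries only ever need the new name; if your pipeline instead matches on the raw `area` value, it needs both names for as long as mixed versions are in service.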
Detailed changelog
- docs: Adopt OpenSSF Scorecard contributor ladder by @justaugustus in #519
- docs: Allstar is now a part of the OpenSSF Scorecard project by @justaugustus in #517
- .github: Add initial CODEOWNERS by @justaugustus in #527
- Bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 in the go_modules group by @dependabot in #526
- Bump github.com/bradleyfalzon/ghinstallation/v2 from 2.10.0 to 2.11.0 by @dependabot in #521
- Bump ko-build/setup-ko from 0.6 to 0.7 by @dependabot in #523
- Bump golangci/golangci-lint-action from 4 to 6 by @dependabot in #513
- Bump ossf/scorecard-action from 2.1.3 to 2.3.3 by @dependabot in #515
- Bump sigstore/cosign-installer from 3.4.0 to 3.5.0 by @dependabot in #509
- Bump github.com/rs/zerolog from 1.32.0 to 1.33.0 by @dependabot in #516
- Bump github.com/rhysd/actionlint from 1.6.27 to 1.7.1 by @dependabot in #518
- [StepSecurity] ci: Harden GitHub Actions by @step-security-bot in #529
- Bump actions/setup-go from 4.0.1 to 5.0.1 by @dependabot in #532
- Bump actions/checkout from 4.1.1 to 4.1.7 by @dependabot in #531
- go.mod: Update Scorecard to v5.0.0-rc2 by @justaugustus in #534
- .github: Create codeql.yml by @justaugustus in #533
- Correct references to OpenSSF Scorecard by @justaugustus in #536
- Bump actions/upload-artifact from 4.3.3 to 4.3.4 by @dependabot in #538
- Bump actions/setup-go from 5.0.1 to 5.0.2 by @dependabot in #539
- Bump github/codeql-action from 3.25.11 to 3.25.12 by @dependabot in #541
- Bump actions/dependency-review-action from 4.3.3 to 4.3.4 by @dependabot in #540
- Bump github/codeql-action from 3.25.12 to 3.25.13 by @dependabot in #543
- Bump github.com/ossf/scorecard/v5 from 5.0.0-rc2 to 5.0.0 by @dependabot in #544
New Contributors
- @step-security-bot made their first contribution in #529
Full Changelog: v4.1...v4.2