ppkarwasz opened a new pull request, #700:
URL: https://github.com/apache/commons-parent/pull/700

Similar to #699, adds a reusable Scorecard analysis workflow and refactors `scorecards-analysis.yml` to call it.

Unlike the CodeQL workflow, which only relies on actions from GitHub-owned organisations (`github` and `actions`), this one uses a third-party action (`ossf/scorecard-action`) that needs to be upgraded in a timely manner. The usual process is:

1. A new version of the action is released.
2. The action is reviewed in `infrastructure-actions` and the new SHA is added to the authorized ones.
3. The old SHA is scheduled for removal.

We need to perform the upgrade between steps 2 and 3, so we should configure Dependabot to bump this action weekly with a 7-day cooldown (step 2 occurs within 7 days of a new release).

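The Dependabot configuration the description calls for, written out as an added example (this is not a file from the pull request or from commons-parent; the `directory`, `labels` and comment text are assumptions). It uses Dependabot's `github-actions` ecosystem with a weekly schedule and the `cooldown` setting, so a freshly released `ossf/scorecard-action` SHA is only proposed once it is at least 7 days old, which is the window in which the `infrastructure-actions` review (step 2) is expected to have added the new SHA to the authorized list:

```yaml
# .github/dependabot.yml (added example, not part of the PR)
version: 2
updates:
  - package-ecosystem: "github-actions"
    # Assumed: workflows live under .github/workflows at the repository root.
    directory: "/"
    schedule:
      interval: "weekly"
    # Do not propose a new action version until it has been published for
    # 7 days; by then the new SHA should already be on the authorized list
    # (step 2 above), and the old SHA has not yet been removed (step 3).
    cooldown:
      default-days: 7
    # Assumed label; helps reviewers spot action bumps quickly.
    labels:
      - "dependencies"
```

Because the reusable workflow should reference the action by its full commit SHA (for example `ossf/scorecard-action@<pinned-sha>  # vX.Y.Z`, placeholder shown), Dependabot rewrites both the SHA and the trailing version comment when it opens the bump PR; the merge must happen before the old SHA is removed from the authorized list, otherwise the Scorecard job starts failing on the policy check rather than on the action itself.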


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.