Merge branch 'master' into style/custom_dark_theme

another-rex · Aug 27, 2024 · d56e832 · d56e832
2 parents f051a3f + a81778d
commit d56e832
Show file tree

Hide file tree

Showing 126 changed files with 8,237 additions and 8,444 deletions.
diff --git a/.github/ISSUE_TEMPLATE/converted-nvd-cve-data-quality-report.md b/.github/ISSUE_TEMPLATE/converted-nvd-cve-data-quality-report.md
@@ -8,7 +8,9 @@ assignees: ''
 ---
 
 **The CVE ID**
-For convenience, link directly to the record in OSV.dev
+For convenience, link directly to the CVE record in OSV.dev.
+Please ensure it is indeed a **CVE** record. We see a lot of reports for GHSA
+records.
 
 **Describe the data quality issue observed**
 A clear and concise description of what the observed issue with the record is.

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -17,8 +17,6 @@ on:
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ master ]
-  merge_group:
-    branches: [ master ]
 
 
 permissions: {}

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -20,8 +20,6 @@ on:
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ master ]
-  merge_group:
-    branches: [ master ]
 
 permissions:
   contents: read
@@ -37,15 +35,15 @@ jobs:
         uses: actions/setup-python@v4
         with:
           python-version: '3.11'
-      - name: Install pipenv
-        run: pip install pipenv==2023.12.1
-      - name: Set up pipenv
-        run: pipenv verify && pipenv sync --dev
+      - name: Install poetry
+        run: pip install poetry==1.8.3
+      - name: Set up poetry
+        run: poetry install
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version: '>=1.22.5'
       - name: Set up terraform
         uses: hashicorp/setup-terraform@v2
       - name: Run pylint and yapf, go vet
-        run: pipenv run ./tools/lint_and_format.sh
+        run: poetry run ./tools/lint_and_format.sh
diff --git a/.github/workflows/osv-scanner-unified.yml b/.github/workflows/osv-scanner-unified.yml
@@ -17,8 +17,6 @@ name: OSV-Scanner
 on:
   pull_request:
     branches: ["master"]
-  merge_group:
-    branches: ["master"]
   schedule:
   - cron: "12 12 * * 1"
   push:

diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
@@ -0,0 +1,35 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: OSV PR format check
+
+on:
+  # `pull_request_target` is only required when editing PRs from forks.
+  pull_request:
+    types:
+      - opened
+      - edited
+      - reopened
+
+permissions:
+  pull-requests: read
+
+jobs:
+  title-check:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/staleness.yml b/.github/workflows/staleness.yml
@@ -1,23 +1,38 @@
 name: "Close stale issues and PRs"
+
+permissions: read-all
+
 on:
   schedule:
-    - cron: "0 18 * * *"
+    - cron: "0 * * * *"
 
 jobs:
   stale:
+    permissions:
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@v9
         with:
           days-before-stale: 60
           days-before-close: 14
-          stale-issue-label: stale
-          stale-pr-label: stale
+          operations-per-run: 100
           remove-stale-when-updated: true
           exempt-issue-labels: "good first issue,backlog"
           exempt-all-assignees: true
           ignore-updates: false
-          stale-issue-message: "This issue has not had any activity for 60 days and will be automatically closed in two weeks"
-          stale-pr-message: "This pull request has not had any activity for 60 days and will be automatically closed in two weeks"
-          close-issue-message: "Automatically closing stale issue"
-          close-pr-message: "Automatically closing stale pull request"
+          stale-issue-label: stale
+          stale-issue-message: |
+            This issue has not had any activity for 60 days and will be automatically closed in two weeks
+
+            See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.
+          stale-pr-label: stale
+          stale-pr-message: |
+            This pull request has not had any activity for 60 days and will be automatically closed in two weeks
+          close-issue-label: "autoclosed"
+          close-issue-message: |
+            Automatically closing stale issue
+          close-pr-label: "autoclosed"
+          close-pr-message: |
+            Automatically closing stale pull request
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -40,21 +40,20 @@ You must install:
 1.  [Yapf](https://github.com/google/yapf)
 1.  [Make](https://www.gnu.org/software/make/)
 1.  [Poetry](https://python-poetry.org/)
-1.  [Pipenv](https://pipenv.pypa.io/en/latest/)
-1.  [Google Cloud SDK](https://cloud.google.com/sdk)
-1.  [Hugo](https://gohugo.io/installation/)
-1.  [Node JS](https://nodejs.org/) >= 18.17.x
-1.  [Terraform](https://developer.hashicorp.com/terraform/downloads) >= 1.5 (for infrastructure changes)
+2.  [Google Cloud SDK](https://cloud.google.com/sdk)
+3.  [Hugo](https://gohugo.io/installation/)
+4.  [Node JS](https://nodejs.org/) >= 18.17.x
+5.  [Terraform](https://developer.hashicorp.com/terraform/downloads) >= 1.5 (for infrastructure changes)
 
 Then you can set up the development environment by cloning the OSV repo and
-installing the Pipfile dependencies.
+installing the Poetry dependencies.
 
 ```shell
 git clone https://github.com/google/osv.dev
 cd osv.dev
 git submodule update --init --recursive
-pipenv sync --dev
-pipenv shell
+poetry install
+poetry shell
 ```
 
 ### Running tests
@@ -131,6 +130,12 @@ gcloud auth login --update-adc
 make run-api-server
 ```
 
+### Making commits
+
+Please follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification for commit messages. This helps us to automate processes like changelog generation and ensures a clear and consistent commit history.
+
+Some types: `feat:`, `fix:`, `docs:`, `chore:`, `refactor:`, and others.
+
 ## Contributing data
 
 Data contributions are also welcome!

diff --git a/Makefile b/Makefile
@@ -12,14 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-ifeq "$(USE_POETRY)" "true"
-	install-cmd := poetry install
-	run-cmd := poetry run
-else
-	install-cmd := pipenv verify && pipenv sync
-	run-cmd := pipenv run
-endif
-
+install-cmd := poetry install
+run-cmd := poetry run
 
 lib-tests:
 	./run_tests.sh

diff --git a/Pipfile b/Pipfile