From 215c2d6b2b2a392a23659eca2bc9cd75acabae1f Mon Sep 17 00:00:00 2001
From: Alex Nelson <alexander.nelson@nist.gov>
Date: Wed, 25 Oct 2023 08:42:25 -0400
Subject: [PATCH] Review pre-commit pinned versions as prerelease step

Because refreshing `pre-commit`'s pinned versions is the only supply
chain check for this repository, this patch also removes the nightly
supply chain review job.

Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
---
 .../{supply-chain.yml => prerelease.yml}      | 24 +++++++++++--------
 Makefile                                      |  1 +
 2 files changed, 15 insertions(+), 10 deletions(-)
 rename .github/workflows/{supply-chain.yml => prerelease.yml} (54%)

diff --git a/.github/workflows/supply-chain.yml b/.github/workflows/prerelease.yml
similarity index 54%
rename from .github/workflows/supply-chain.yml
rename to .github/workflows/prerelease.yml
index f94d779..84bd75a 100644
--- a/.github/workflows/supply-chain.yml
+++ b/.github/workflows/prerelease.yml
@@ -1,22 +1,26 @@
+# Portions of this file contributed by NIST are governed by the following
+# statement:
+#
 # This software was developed at the National Institute of Standards
 # and Technology by employees of the Federal Government in the course
-# of their official duties. Pursuant to title 17 Section 105 of the
-# United States Code this software is not subject to copyright
-# protection and is in the public domain. NIST assumes no
-# responsibility whatsoever for its use by other parties, and makes
-# no guarantees, expressed or implied, about its quality,
-# reliability, or any other characteristic.
+# of their official duties. Pursuant to Title 17 Section 105 of the
+# United States Code, this software is not subject to copyright
+# protection within the United States. NIST assumes no responsibility
+# whatsoever for its use by other parties, and makes no guarantees,
+# expressed or implied, about its quality, reliability, or any other
+# characteristic.
 #
 # We would appreciate acknowledgement if the software is used.
 
 # This workflow uses Make to review direct dependencies of this
 # repository.
 
-name: Supply Chain
+name: Prerelease
 
 on:
-  schedule:
-    - cron: '15 5 * * 1,2,3,4,5'
+  pull_request:
+    branches:
+      - main
 
 jobs:
   build:
@@ -35,4 +39,4 @@ jobs:
       with:
         python-version: ${{ matrix.python-version }}
     - name: Review dependencies
-      run: make check-supply-chain
+      run: make check-supply-chain-pre-commit
diff --git a/Makefile b/Makefile
index 98079f7..ca1c8f9 100644
--- a/Makefile
+++ b/Makefile
@@ -81,6 +81,7 @@ check: \
 check-supply-chain: \
   check-supply-chain-pre-commit
 
+# This target is scheduled to run as part of prerelease review.
 check-supply-chain-pre-commit: \
   .venv-pre-commit/var/.pre-commit-built.log
 	source .venv-pre-commit/bin/activate \