v0.7.0

Bump mszostok/codeowners-validator from 0.7.1 to 0.7.2 @dependabot (#8)

Bumps mszostok/codeowners-validator from 0.7.1 to 0.7.2.

Release notes

Sourced from mszostok/codeowners-validator's releases.

v0.7.2

🎉 GitHub Codeowners Validator 0.7.2 is now available!

Highlights

🔧 Bug Fixes

• Handle internal err, return issue with empty codeowners or git dirty state (#130) This fixes a tech debt where codeowners-validator only logged the internal error and excited with 0 status code. Now, if there is any error, a proper exit code is returned.
• Allow comments in pattern line, update golangci-lint (#129) (@​mszostok) Recently, GitHub allowed comments in CODEOWNERS files to appear at the end of a line, not just on their own line. As a result, a validation rule was removed to conform with a new syntax.

✨ New checks

• Add a flag to only allow teams as owners (#127) (@​seveas) Now you can enable more strict rule and specify that only teams are allowed as owners of files.

🛡️ Security

• Bump dependencies (#135) (@​mszostok)
• Bump alpine from 3.15.3 to 3.15.4 (#136) (@​dependabot[bot])

Installation

See the Installation section for more installation options.

Docker images

ghcr.io:

• docker pull ghcr.io/mszostok/codeowners-validator:stable
• docker pull ghcr.io/mszostok/codeowners-validator:v0
• docker pull ghcr.io/mszostok/codeowners-validator:v0.7
• docker pull ghcr.io/mszostok/codeowners-validator:v0.7.2

Changelog 🚀

• d95ed833d4bbe7104c26d7556c1d16fa1c6eb30d: Allow comments in pattern line, update golangci-lint (#129) (@​mszostok)
• d7b92b1871fdd533618070bdae1f2766f7e7f084: Handle internal err, return issue with empty codeowners or git dirty state (#130) (@​mszostok)
• bcdcc57e49ba8b45f4472cbafa09bacae9406ca6: Bump dependencies (#135) (@​mszostok)
• 3315c00578ee987f3bec23ff9307497a42f78018: Add a flag to only allow teams as owners (#127) (@​seveas)
• 5b87d6b1f38cb77eacab087071d57e25f2f22f8f: Add missing cfg in action.yml, add missing test for 'OwnersMustBeTeams' check (#137) (@​mszostok)
• 127e9a865f2cf1ea64a5780de53ace3015033540: Bump alpine from 3.15.3 to 3.15.4 (#136) (@​dependabot[bot])
• f555ba682ec613249e7e478a4e0bff3ba35dc79f: Prepare for release v0.7.2 (#138) (@​mszostok)

Commits

• f555ba6 Prepare for release v0.7.2 (#138)
• 127e9a8 Bump alpine from 3.15.3 to 3.15.4 (#136)
• 5b87d6b Add missing cfg in action.yml, add missing test for 'OwnersMustBeTeams' check...
• 3315c00 Add a flag to only allow teams as owners (#127)
• bcdcc57 Bump dependencies (#135)
• d7b92b1 Handle internal err, return issue with empty codeowners or git dirty state (#...
• d95ed83 Allow comments in pattern line, update golangci-lint (#129)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

v0.6.0

chore: update to use GitHub Secrets @jbouse (#7)

what

• Update to use GitHub Secrets instead of Hashicorp vault

why

• Vault server offline

v0.5.0

Bump actions/checkout from 2 to 3 @dependabot (#5)

Bumps actions/checkout from 2 to 3.

Release notes

Sourced from actions/checkout's releases.

v3.0.0

• Update default runtime to node16

v2.4.0

• Convert SSH URLs like org-<ORG_ID>@github.com: to https://github.com/ - pr

v2.3.5

Update dependencies

v2.3.4

• Add missing awaits
• Swap to Environment Files

v2.3.3

• Remove Unneeded commit information from build logs
• Add Licensed to verify third party dependencies

v2.3.2

Add Third Party License Information to Dist Files

v2.3.1

Fix default branch resolution for .wiki and when using SSH

v2.3.0

Fallback to the default branch

v2.2.0

Fetch all history for all tags and branches when fetch-depth=0

v2.1.1

Changes to support GHES (here and here)

v2.1.0

• Group output
• Changes to support GHES alpha release
• Persist core.sshCommand for submodules
• Add support ssh
• Convert submodule SSH URL to HTTPS, when not using SSH
• Add submodule support
• Follow proxy settings
• Fix ref for pr closed event when a pr is merged
• Fix issue checking detached when git less than 2.22

Changelog

Sourced from actions/checkout's changelog.

Changelog

v2.3.1

• Fix default branch resolution for .wiki and when using SSH

v2.3.0

• Fallback to the default branch

v2.2.0

• Fetch all history for all tags and branches when fetch-depth=0

v2.1.1

• Changes to support GHES (here and here)

v2.1.0

• Group output
• Changes to support GHES alpha release
• Persist core.sshCommand for submodules
• Add support ssh
• Convert submodule SSH URL to HTTPS, when not using SSH
• Add submodule support
• Follow proxy settings
• Fix ref for pr closed event when a pr is merged
• Fix issue checking detached when git less than 2.22

v2.0.0

• Do not pass cred on command line
• Add input persist-credentials
• Fallback to REST API to download repo

Commits

• a12a394 update readme for v3 (#708)
• 8f9e05e Update to node 16 (#689)
• 230611d Change secret name for PAT to not start with GITHUB_ (#623)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

chore: Update workflows to use secrets from vault @jbouse (#6)

what

• Update workflows to use Hashicorp Vault secrets

why

• All secrets to interact with GitHub app for repository token are in Vault

v0.4.0

Correct outputs if enabled is false @jbouse (#4)

what

• Fix module outputs if enabled is false

why

• Module errored out if enabled was set to false

v0.3.0

Bump mszostok/codeowners-validator from 0.6.0 to 0.7.1 @dependabot (#3)

Bumps mszostok/codeowners-validator from 0.6.0 to 0.7.1.

Release notes

Sourced from mszostok/codeowners-validator's releases.

v0.7.1

🔧 Bug fix release for 0.7.0 is now available!

Issue

Reports Team does not belong to organization error even if team is assigned to a proper GitHub organization. (mszostok/codeowners-validator#121)

Root cause

This was a side effect of mszostok/codeowners-validator#78 where not only team was normalized. Unfortunately, it was not detected by the integration test, as I used only the gh-codeowners organization. As you can see, it's all lower-case.

To reproduce the problem, I created a new organization GitHubCODEOWNERS and executed the v0.7 against it and ran into the same problem: https://github.com/GitHubCODEOWNERS/codeowners-samples/runs/5173200010?check_suite_focus=true

I tested that further to check whether GitHub also is case-insensitive for Organization names:

• CODEOWNERS: https://github.com/GitHubCODEOWNERS/codeowners-samples/blob/happy-path/CODEOWNERS#L10-L11
• Example PR: GitHubCODEOWNERS/codeowners-samples#1 As you can see, code owners were properly assigned.

Corrective and Preventative Measures

To fix that problem, I created this PR: mszostok/codeowners-validator#122 and tested also against a newly created organization: https://github.com/GitHubCODEOWNERS/codeowners-samples/runs/5173279973?check_suite_focus=true

I also added new integration tests against new GitHubCODEOWNERS organization to ensure no regression in the future.

Additional Corrective and Preventative Measures

In this case it's a bit of revers engineering as I don't have access to GitHub code which is responsible for assigning owners. As a result, I will need to create yet another e2e test that will be executed periodically to:

• Create a sample PR against files where @GiTHubCodeOwners/A-TeAm is specified and check whether GitHub is still case-insensitive and assigns @GitHubCodeowners/a-team properly.

In this way, I will be notified when GitHub will change its behavior and I will be able to release a new version that will match a changed functionality.

Changelog

Please see: https://github.com/mszostok/codeowners-validator/releases/tag/v0.7.0

v0.7.0

🎉 GitHub Codeowners Validator 0.7.0 is now available!

Highlights

🔧 Bug Fixes

• Normalize team name before comparison (#78) (@​mszostok) GitHub is case-insensitive when assigning owners for a review. To match this approach now owners are normalized before checking if they exist under a given GitHub organization.
• Allow unowned patterns by default with an option to change it (#113) (@​mszostok) GitHub allows you to define a pattern and left its owners empty. For example:

  /apps/ @octocat
  /apps/github 
  

  In version 0.6 this was reported as error (Missing owner, at least one owner is required). In this release, this check was moved under owner checker and made optional. As a result, validator may work in a picky mode when needed, see new option:

... (truncated)

Commits

• 2f478ec Prepare for release v0.7.1 (#123)
• a4545a8 Make the org comparison case-insensitive too (#122)
• 6bf04a9 Add login to Docker Hub
• 623a681 Remove upx-3.96-amd64_linux.tar.xz archive before goreleaser execution
• a74f7fa Fix tar expression
• 5136b12 Ensure that git is not in dirty state after upx download
• c4754a1 Adjust docs and GitHub action for v0.7.0 release (#120)
• dcfa851 Update goreleaser, add release GitHub Action
• 0e709b4 Changed belongs to belong in error message, add integration tests(#108)
• e933870 Fix spelling of brand GitHub (#106)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @jbouse.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

v0.2.0

Bump mszostok/codeowners-validator from 0.5.0 to 0.6.0 @dependabot (#2)

Bumps mszostok/codeowners-validator from 0.5.0 to 0.6.0.

Release notes

Sourced from mszostok/codeowners-validator's releases.

v0.6.0

🚨GitHub Codeowners Validator 0.6.0 is now available!

Highlights

• ✨ Add validation for checking if team has a proper permission Due to the new permission validation step in Owners Checker, this check takes a little more time.

• 🐛 Fix bug in Owners Checker. Now Owners Checker supports child teams with inherited repo perms.

• ⚠️ Error message was changed in Owners Checker.

  # From
  [err] line 15: Team "avengers" does not have permissions associated with the repository "codeowners-samples".
  To
  [err] line 15: Team "avengers" does not exist in organization "gh-codeowners" or has no permissions associated with the repository.
  

Installation

To install the codeowners-validator, run:

# Install codeowners-validator in /usr/local/bin in version 0.6.0
curl -sfL https://raw.githubusercontent.com/mszostok/codeowners-validator/master/install.sh| sh -s -- -b /usr/local/bin v0.6.0

See the Installation section for more installation options.

Docker images

• docker pull mszostok/codeowners-validator:latest
• docker pull mszostok/codeowners-validator:v0.6.0
• docker pull mszostok/codeowners-validator:v0.6

Changelog 🚀

8fafb0b Adjust docs and GitHub action for v0.6.0 release 2f6e3bb Fix badly worded error (#64) 5ed7b98 Adjust integration test after changing error message 204640e address comments from PR #62 9224144 Add permissions check to valid_owner cde24ed Add a twitter badge e5e11b0 rename test to comply with golang.org/x/mod/module.CheckFilePath (#60)

Contributors

Thanks again to everyone who contributed to this release! ✨

... (truncated)

Commits

• 2f6e3bb Fix badly worded error (#64)
• 8fafb0b Adjust docs and GitHub action for v0.6.0 release
• 5ed7b98 Adjust integration test after changing error message
• 204640e address comments from PR #62
• 9224144 Add permissions check to valid_owner
• cde24ed Add a twitter badge
• e5e11b0 rename test to comply with golang.org/x/mod/module.CheckFilePath (#60)
• 085f270 Adjust docs and GitHub action for v0.5.1 release
• d6bdfac Add CONTRIBUTING.md and development.md (#56)
• 4f46df1 Add configurability for the list of ignored owners (#55)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @jbouse.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

v0.1.1

🐛 Bug Fixes

Devel @jbouse (#1)

what

• maintenance

why

• Getting module into workable state

0,1,0

Initial module release