Export-ignore testdata for Scorecard archives #221
Bomly Diff Summary
- Dependency changes: ✅ No dependency changes.
- Vulnerabilities: ✅ No vulnerability changes.
- License changes: ✅ No license changes.
- Project posture: ✅ No project posture changes.
- Policy findings: ✅ No policy differences were identified.
Summary
- Add a `.gitattributes` `export-ignore` rule for `**/testdata/**`.
- Remove the `.gitignore` testdata workaround so fixture changes can be committed normally.

Why

The previous `.gitignore` change did not clear the OpenSSF Scorecard vulnerability finding because the Scorecard workflow runs the action in GitHub repository/archive mode. In that mode, Scorecard scans the exported archive rather than a normal checkout that honors `.gitignore` during recursive scanner walks.

Git archive generation does honor `.gitattributes` `export-ignore`, so this keeps committed fixture data out of the archive that Scorecard scans while preserving normal developer workflows for adding or editing test fixtures.

Validation

- `git check-attr export-ignore -- internal/detectors/node/testdata/lockfiles/pnpm-v5/pnpm-lock.yaml internal/detectors/ruby/testdata/project/Gemfile.lock test/smoke/testdata/sboms/js.spdx.json`
- `git archive --worktree-attributes HEAD` extracted to a temp directory and confirmed 0 files under `*/testdata/*`
- `osv-scanner --skip-git -r` over the exported archive reported 0 non-Go-stdlib vulnerabilities after filtering the vulnerabilities Scorecard filters
- `make test`

Summary by CodeRabbit

- Files under `testdata/` are excluded from release exports.
- `testdata/` is no longer ignored in local workspace tracking.
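As an added example (not code from the PR or the project), the script below reproduces the Validation steps in a throwaway repository: it commits a fixture under a constructed `testdata/` path, applies the `**/testdata/** export-ignore` rule, and compares what the normal checkout tracks with what `git archive --worktree-attributes HEAD` exports, which is what an archive-mode scanner would receive. Paths and file contents are constructed; it assumes `git`, `tar` and `awk` are on PATH.

```shell
#!/bin/sh
# Added example, not code from PR #221: reproduce the export-ignore check in a
# throwaway repository. Paths and file contents below are constructed.
set -eu

# Build a repo with one committed fixture under testdata/ plus the PR's
# .gitattributes rule, and print the repository path.
make_repo() {
  dir=$(mktemp -d)
  (
    cd "$dir"
    git -c init.defaultBranch=main init -q
    mkdir -p internal/detectors/node/testdata/lockfiles pkg
    printf 'lockfileVersion: 5.4\n' > internal/detectors/node/testdata/lockfiles/pnpm-lock.yaml
    printf 'package pkg\n' > pkg/pkg.go
    printf '**/testdata/** export-ignore\n' > .gitattributes
    git add -A
    git -c user.name=ci -c user.email=ci@example.invalid -c commit.gpgsign=false \
      commit -q -m "add fixture and export-ignore rule"
  )
  echo "$dir"
}

# Print the state of the export-ignore attribute on the fixture path
# ("set" when the rule matches, "unspecified" otherwise).
attr_state() {
  (cd "$1" && git check-attr export-ignore -- \
    internal/detectors/node/testdata/lockfiles/pnpm-lock.yaml) | awk '{print $NF}'
}

# Count fixture files still tracked in the normal checkout: the rule must not
# affect developers, so this stays 1.
checkout_testdata_files() {
  (cd "$1" && git ls-files) | grep '/testdata/' | wc -l | tr -d ' '
}

# Export HEAD the way an archive-mode scanner would receive it and count the
# fixture files that survive; with the rule in place this must be 0.
archive_testdata_files() {
  out=$(mktemp -d)
  (cd "$1" && git archive --worktree-attributes HEAD) | tar -xf - -C "$out"
  find "$out" -path '*/testdata/*' -type f | wc -l | tr -d ' '
}

repo=$(make_repo)
echo "export-ignore on fixture: $(attr_state "$repo")"
echo "testdata files in checkout: $(checkout_testdata_files "$repo")"
echo "testdata files in archive:  $(archive_testdata_files "$repo")"
```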