
Export-ignore testdata for Scorecard archives #221

Merged: bomly-guy merged 1 commit into main from codex/export-ignore-testdata-scorecard on Jun 30, 2026

Conversation

@bomly-guy (Collaborator) commented Jun 30, 2026

Summary

  • add a .gitattributes export-ignore rule for **/testdata/**
  • remove the .gitignore testdata workaround so fixture changes can be committed normally

Why

The previous .gitignore change did not clear the OpenSSF Scorecard vulnerability finding because the Scorecard workflow runs the action in GitHub repository/archive mode. In that mode, Scorecard scans the exported archive rather than a normal checkout that honors .gitignore during recursive scanner walks.

Git archive generation does honor .gitattributes export-ignore, so this keeps committed fixture data out of the archive that Scorecard scans while preserving normal developer workflows for adding or editing test fixtures.

Validation

  • git check-attr export-ignore -- internal/detectors/node/testdata/lockfiles/pnpm-v5/pnpm-lock.yaml internal/detectors/ruby/testdata/project/Gemfile.lock test/smoke/testdata/sboms/js.spdx.json
  • git archive --worktree-attributes HEAD extracted to a temp directory and confirmed 0 files under */testdata/*
  • osv-scanner --skip-git -r over the exported archive reported 0 non-Go-stdlib vulnerabilities after filtering the vulnerabilities Scorecard filters
  • make test

Summary by CodeRabbit

  • Chores
    • Updated archive/export settings so files under testdata/ are excluded from release exports.
    • Adjusted ignore rules to stop excluding testdata/ from local workspace tracking.
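
The export-ignore mechanism the description relies on, as an added example that is not part of the PR or the Bomly project: a throwaway repository is built three ways (the old .gitignore-only workaround, the committed .gitattributes rule this PR adds, and the same rule written to the working tree but left uncommitted), and the files in the HEAD archive are listed each time. The directory layout, the fake lockfile and the function names are constructed for the demonstration. The third case is the caveat worth knowing when reproducing the validation steps above: `git check-attr` reads the working tree and reports the attribute as set, and `git archive --worktree-attributes` honours it, but a plain `git archive HEAD`, which is what an archive generated for a commit corresponds to, only sees a .gitattributes that is part of the archived tree.

```shell
#!/bin/sh
# Added example, not code from the PR or the Bomly project.
# Builds a throwaway repository with a tracked fixture under testdata/ and
# shows which exclusion mechanism actually keeps it out of `git archive`.
# The layout, the fake lockfile and the function names are constructed.
set -u

FIXTURE=internal/detectors/node/testdata/pnpm-lock.yaml

# make_repo MODE: create a repo with the fixture tracked and committed.
#   gitignore    - the old workaround: `**/testdata/**` in a committed .gitignore
#   attributes   - this PR's rule: `**/testdata/** export-ignore` in a committed .gitattributes
#   uncommitted  - the same rule written to the working tree but not committed
# Prints the repository path.
make_repo() {
  mode=$1
  repo=$(mktemp -d)
  git -C "$repo" -c init.defaultBranch=main init -q
  git -C "$repo" config user.name ci
  git -C "$repo" config user.email ci@example.invalid
  mkdir -p "$repo/$(dirname "$FIXTURE")" "$repo/cmd"
  printf 'lockfileVersion: 5.4\n' > "$repo/$FIXTURE"   # constructed fixture a scanner would walk into
  printf 'package main\n' > "$repo/cmd/main.go"
  # Track the fixture before any ignore rule exists, as a fixture committed
  # before the workaround (or force-added past it) would be. .gitignore only
  # affects untracked files, so it cannot pull this file back out.
  git -C "$repo" add -A
  case $mode in
    gitignore)
      printf '**/testdata/**\n' > "$repo/.gitignore"
      git -C "$repo" add .gitignore ;;
    attributes)
      printf '**/testdata/** export-ignore\n' > "$repo/.gitattributes"
      git -C "$repo" add .gitattributes ;;
    uncommitted)
      printf '**/testdata/** export-ignore\n' > "$repo/.gitattributes" ;;
  esac
  git -C "$repo" commit -q -m 'tracked fixture'
  printf '%s\n' "$repo"
}

# export_ignore_of REPO PATH: what `git check-attr` reports for export-ignore
# on PATH ("set" or "unspecified"). Note that it reads the working tree.
export_ignore_of() {
  git -C "$1" check-attr export-ignore -- "$2" | sed 's/.*: //'
}

# archived_files REPO [GIT-ARCHIVE-OPTIONS...]: regular files in the HEAD archive.
archived_files() {
  repo_path=$1; shift
  git -C "$repo_path" archive "$@" HEAD | tar -tf - | grep -v '/$'
}

# testdata_files_in_archive REPO [GIT-ARCHIVE-OPTIONS...]: how many archived
# files sit under a testdata/ directory (0 is the result the PR is after).
testdata_files_in_archive() {
  archived_files "$@" | grep -c '/testdata/' || true
}

main() {
  for m in gitignore attributes uncommitted; do
    tmp=$(make_repo "$m")
    printf '%-12s check-attr=%-11s testdata files in archive: %s (with --worktree-attributes: %s)\n' \
      "$m" "$(export_ignore_of "$tmp" "$FIXTURE")" \
      "$(testdata_files_in_archive "$tmp")" \
      "$(testdata_files_in_archive "$tmp" --worktree-attributes)"
    rm -rf "$tmp"
  done
}

main
```

Run it in any directory with git and tar on the PATH; it creates and removes its own temporary repositories. The gitignore line shows the fixture still in the archive, the attributes line shows it gone, and the uncommitted line shows the attribute reported as set by check-attr while only the `--worktree-attributes` archive drops the file.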

@coderabbitai (Bot, Contributor) commented Jun 30, 2026


Caution: Review failed. The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 1841bd8b-9e68-4700-98be-44a9499fd5d1

📥 Commits

Reviewing files that changed from the base of the PR and between b8d988e and 3692038.

📒 Files selected for processing (2)
  • .gitattributes
  • .gitignore

📝 Walkthrough

Moves the **/testdata/** exclusion from .gitignore to .gitattributes as an export-ignore rule, so testdata files are tracked by Git but excluded from git archive outputs.

Changes

testdata export-ignore migration

Layer / File(s): Move testdata exclusion to export-ignore (.gitattributes, .gitignore)
Summary: Adds **/testdata/** export-ignore to .gitattributes and removes the now-redundant **/testdata/** ignore rule from .gitignore.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes


@bomly-guy bomly-guy marked this pull request as ready for review June 30, 2026 07:02
@bomly-guy bomly-guy merged commit 62d961b into main Jun 30, 2026
12 checks passed
@bomly-guy bomly-guy deleted the codex/export-ignore-testdata-scorecard branch June 30, 2026 07:02
@github-actions (Contributor) commented

Bomly Diff Summary

Compared 9e7ce2e7e6a1e60e80f1ee942304cebbd613272f to 3692038ba612f420fdc6963c6149c7191c0dbd62.

Overview

Status: ✅ Pass
Manifests: +0 / ~0 / -0
Dependencies: +0 / ~0 / -0
Findings: 0 introduced / 0 persisted / 0 resolved
Duration: 1m 5s

Dependency Changes

✅ No dependency changes.

Vulnerabilities

✅ No vulnerability changes.

License Changes

✅ No license changes.

Project Posture

✅ No project posture changes (--matchers +scorecard was not selected).

Policy Findings

✅ No policy differences were identified.
