Skip to content

🐛 Fix Code-Review check for projects using Reviewed-by in commit messages#4984

Open
LoveChauhan-18 wants to merge 3 commits intoossf:mainfrom
LoveChauhan-18:fix/issue-4730
Open

🐛 Fix Code-Review check for projects using Reviewed-by in commit messages#4984
LoveChauhan-18 wants to merge 3 commits intoossf:mainfrom
LoveChauhan-18:fix/issue-4730

Conversation

@LoveChauhan-18
Copy link
Copy Markdown

@LoveChauhan-18 LoveChauhan-18 commented Mar 27, 2026

What kind of change does this PR introduce?

(Bug fix)

What is the current behavior?

The Code-Review check incorrectly marks commits as unreviewed for projects (like openssl/openssl) that perform local merges and direct pushes, bypassing standard GitHub PR associations.

What is the new behavior (if this is a feature change)?**

The Code-Review check now recognizes Reviewed-by: signatures directly in git commit messages. It extracts the reviewer identities using regex and maps them to standard Review objects, which are then evaluated by the codeApproved probe. This includes association mapping to prevent self-approval vulnerabilities.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #4730

Special notes for your reviewer

I have updated the checks.yaml metadata and regenerated the checks.md documentation to ensure the new capability is documented.

Does this PR introduce a user-facing change?

Yes.

:bug: Improved Code-Review check to recognize `Reviewed-by:` statements in commit messages, supporting projects that perform local merges.

@LoveChauhan-18
fix(checker): add committer fields to dangerous workflow checked cont…
105346e 
…exts

Signed-off-by: Love Kumar Chauhan <lovechauhan6564@gmail.com>
@LoveChauhan-18
fix(github): handle 422 search errors in Dependency-Update-Tool
3eeea43 
The GitHub Search API can return a 422 Validation Failed error for
public repositories that are not yet indexed. This was causing an
internal error in Scorecard's Dependency-Update-Tool check.

This fix catches the 422 error and returns an empty list of commits,
allowing the check to proceed without a hard failure.

Fixes ossf#4352

Signed-off-by: Love Kumar Chauhan <lovechauhan6564@gmail.com>
@LoveChauhan-18
🐛 Fix Code-Review check for projects using Reviewed-by in commit mess…
e7f8256 
…ages

Signed-off-by: Love Kumar Chauhan <lovechauhan6564@gmail.com>
@LoveChauhan-18 LoveChauhan-18 requested a review from a team as a code owner March 27, 2026 07:23
@LoveChauhan-18 LoveChauhan-18 requested review from AdamKorcz and jeffmendoza and removed request for a team March 27, 2026 07:23
@dosubot dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Mar 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jeffmendoza jeffmendoza Awaiting requested review from jeffmendoza jeffmendoza is a code owner automatically assigned from ossf/scorecard-maintainers

@AdamKorcz AdamKorcz Awaiting requested review from AdamKorcz AdamKorcz is a code owner automatically assigned from ossf/scorecard-maintainers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size:L This PR changes 100-499 lines, ignoring generated files.

Projects

OpenSSF Scorecard
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

BUG: Code-Review check inaccurate for at least one project

1 participant

@LoveChauhan-18