{"id":23171164,"url":"https://github.com/octue/check-semantic-version","last_synced_at":"2026-02-20T18:33:46.469Z","repository":{"id":64959703,"uuid":"545028085","full_name":"octue/check-semantic-version","owner":"octue","description":"A GitHub action to check that your package/lib version matches that calculated from Conventional Commits","archived":false,"fork":false,"pushed_at":"2025-02-25T13:25:52.000Z","size":281,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-17T22:47:17.334Z","etag":null,"topics":["commits","conventional","github-actions"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/octue.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-10-03T16:53:42.000Z","updated_at":"2025-02-25T13:24:38.000Z","dependencies_parsed_at":"2024-08-27T16:30:41.176Z","dependency_job_id":"01564252-abe2-4a05-811d-38b9748ca2e4","html_url":"https://github.com/octue/check-semantic-version","commit_stats":{"total_commits":61,"total_committers":1,"mean_commits":61.0,"dds":0.0,"last_synced_commit":"1129a8b8f8031f6c5c06c0d9756c454382ecf5b8"},"previous_names":[],"tags_count":17,"template":false,"template_full_name":null,"purl":"pkg:github/octue/check-semantic-version","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/octue%2Fcheck-semantic-version","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/octue%2Fcheck-semantic-version/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/octue%2Fcheck-semantic-version/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/octue%2Fcheck-semantic-version/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/octue","download_url":"https://codeload.github.com/octue/check-semantic-version/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/octue%2Fcheck-semantic-version/sbom","scorecard":{"id":702304,"data":{"date":"2025-08-11","repo":{"name":"github.com/octue/check-semantic-version","commit":"93fabe3cf3c95fa2fa6fc0a6ea36ded0ddd76672"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.1,"checks":[{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 0/8 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:23","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24","Info: jobLevel 'contents' permission set to 'read': .github/workflows/update-pull-request.yml:21","Warn: no topLevel permission defined: .github/workflows/build-docker-image.yml:1","Warn: no topLevel permission defined: .github/workflows/codeql.yml:1","Warn: no topLevel permission defined: .github/workflows/python-ci.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Warn: no topLevel permission defined: .github/workflows/update-pull-request.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-docker-image.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/build-docker-image.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-docker-image.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/build-docker-image.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-docker-image.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/build-docker-image.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/codeql.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/python-ci.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/python-ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-ci.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/python-ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-ci.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/python-ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/python-ci.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/python-ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:79: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-pull-request.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/octue/check-semantic-version/update-pull-request.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:4: pin your Docker image by updating octue/check-semantic-version:1.0.0.beta-9 to octue/check-semantic-version:1.0.0.beta-9@sha256:7f2f4e38bdf518488f78a79efb808694dfd9be2661a6228788556426bcfee36e","Warn: downloadThenRun not pinned by hash: Dockerfile:9","Warn: pipCommand not pinned by hash: .github/workflows/python-ci.yml:38","Warn: pipCommand not pinned by hash: .github/workflows/release.yml:34","Info:   0 out of  12 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   9 third-party GitHubAction dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned","Info:   0 out of   2 pipCommand dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build-docker-image.yml:15"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"SAST","score":8,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 12 commits out of 27 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":4,"reason":"6 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-79v4-65xg-pq4g","Warn: Project is vulnerable to: GHSA-vqfr-h8mv-ghfj","Warn: Project is vulnerable to: GHSA-9hjg-9r4m-mvj7","Warn: Project is vulnerable to: PYSEC-2025-49 / GHSA-5rjg-fvgr-3xxf","Warn: Project is vulnerable to: GHSA-48p4-8xcf-vxj5","Warn: Project is vulnerable to: GHSA-pq67-6m6q-mj2v"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T05:27:28.632Z","repository_id":64959703,"created_at":"2025-08-22T05:27:28.632Z","updated_at":"2025-08-22T05:27:28.632Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29660041,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-20T16:33:43.953Z","status":"ssl_error","status_checked_at":"2026-02-20T16:33:43.598Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["commits","conventional","github-actions"],"created_at":"2024-12-18T04:16:33.983Z","updated_at":"2026-02-20T18:33:46.453Z","avatar_url":"https://github.com/octue.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Release](https://github.com/octue/check-semantic-version/actions/workflows/release.yml/badge.svg)](https://github.com/octue/check-semantic-version/actions/workflows/release.yml)\n[![codecov](https://codecov.io/gh/octue/check-semantic-version/branch/main/graph/badge.svg?token=AL0I3UVUV2)](https://codecov.io/gh/octue/check-semantic-version)\n[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit\u0026logoColor=white)](https://github.com/pre-commit/pre-commit)\n[![black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/ambv/black)\n\n# Semantic version checker\n\nA GitHub action that automatically checks if a package's semantic version is correct based on the\n[Conventional Commit](https://www.conventionalcommits.org/en/) messages on the branch.\n\nIt supports the following version source files:\n\n- `setup.py`\n- `pyproject.toml`\n- `package.json`\n\n## Usage\n\nAdd the action as a step in your workflow:\n\n```yaml\nsteps:\n  - uses: actions/checkout@v3\n    with:\n      # Set fetch-depth to 0 to fetch all tags (necessary for `git-mkver` to determine the correct semantic version).\n      fetch-depth: 0\n  - uses: octue/check-semantic-version@1.0.6\n    with:\n      path: setup.py\n      breaking_change_indicated_by: major\n```\n\nSee [here](examples/workflow.yml) for an example in a workflow.\n\n## More information\n\n### How does it work?\n\nThe action compares the semantic version specified in the package's version source file (e.g. `setup.py`) against the\nexpected semantic version calculated by `git-mkver` from the Conventional Commits created since the last tagged version\nin the branch's git history. If the version source file and the expected version agree, the checker exits with a zero\nreturn code and displays a success message. If they don't agree, it exits with a non-zero return code and displays an\nerror message.\n\n### Version source files\n\nA version source file is one of the following, which must contain the package version:\n\n- `setup.py`\n- `pyproject.toml`\n- `package.json`\n\nIf the version source file is not in the root directory, an optional argument can be passed to the checker to tell it to\nlook at a file of the version source file type at a different location.\n\n### `mkver.conf` files\n\nThis action automatically generates a standard `mkver.conf` file to configure `git-mkver`. For more control, you can add\nyour own `mkver.conf` file to the repository root. Here are some example `mkver.conf` files:\n\n- [Non-beta packages](examples/mkver.conf) (full semantic versioning)\n- [Beta packages](examples/mkver-for-beta-versions.conf) (keeps the version below `1.0.0`)\n\n### Example\n\nFor [this standard configuration file](examples/mkver.conf), if the last tagged version in your\nrepository is `0.7.3` and since then:\n\n- There has been a breaking change and any number of features or bug-fixes/small-changes, the expected version will\n  be `1.0.0`\n- There has been a new feature, any number of bug-fixes/small-changes, but no breaking changes, the expected\n  version will be `0.8.0`\n- There has been a bug-fix/small-change but no breaking changes or new features, the expected version will be `0.7.4`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foctue%2Fcheck-semantic-version","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foctue%2Fcheck-semantic-version","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foctue%2Fcheck-semantic-version/lists"}