ossf · AdamKorcz · Jul 29, 2025
@@ -29,6 +29,7 @@ import (
 type RawResults struct {
 	BinaryArtifactResults       BinaryArtifactData
 	BranchProtectionResults     BranchProtectionsData
+	TagProtectionResults        TagProtectionsData
 	CIIBestPracticesResults     CIIBestPracticesData
 	CITestResults               CITestData
 	CodeReviewResults           CodeReviewData
@@ -332,7 +333,14 @@ type WebhooksData struct {
 // BranchProtectionsData contains the raw results
 // for the Branch-Protection check.
 type BranchProtectionsData struct {
-	Branches        []clients.BranchRef
+	Branches        []clients.RepoRef
+	CodeownersFiles []string
+}
+
+// TagProtectionsData contains the raw results
+// for the Tag-Protection check.
+type TagProtectionsData struct {
+	Tags            []clients.RepoRef
 	CodeownersFiles []string
 }
 

@@ -26,14 +26,14 @@ import (
 	scut "github.com/ossf/scorecard/v5/utests"
 )
 
-func getBranchName(branch *clients.BranchRef) string {
+func getBranchName(branch *clients.RepoRef) string {
 	if branch == nil || branch.Name == nil {
 		return ""
 	}
 	return *branch.Name
 }
 
-func getBranch(branches []*clients.BranchRef, name string, isNonAdmin bool) *clients.BranchRef {
+func getBranch(branches []*clients.RepoRef, name string, isNonAdmin bool) *clients.RepoRef {
 	for _, branch := range branches {
 		branchName := getBranchName(branch)
 		if branchName == name {
@@ -46,9 +46,9 @@ func getBranch(branches []*clients.BranchRef, name string, isNonAdmin bool) *cli
 	return nil
 }
 
-func scrubBranch(branch *clients.BranchRef) *clients.BranchRef {
+func scrubBranch(branch *clients.RepoRef) *clients.RepoRef {
 	ret := branch
-	ret.BranchProtectionRule = clients.BranchProtectionRule{}
+	ret.ProtectionRule = clients.ProtectionRule{}
 	return ret
 }
 
@@ -67,7 +67,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 	tests := []struct {
 		name          string
 		defaultBranch string
-		branches      []*clients.BranchRef
+		branches      []*clients.RepoRef
 		releases      []string
 		repoFiles     []string
 		expected      scut.TestReturn
@@ -83,10 +83,10 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 				NumberOfDebug: 0,
 			},
 			defaultBranch: main,
-			branches: []*clients.BranchRef{
+			branches: []*clients.RepoRef{
 				{
 					Protected: &trueVal,
-					BranchProtectionRule: clients.BranchProtectionRule{
+					ProtectionRule: clients.ProtectionRule{
 						CheckRules: clients.StatusChecksRule{
 							RequiresStatusChecks: &trueVal,
 							UpToDateBeforeMerge:  &trueVal,
@@ -106,7 +106,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 				},
 				{
 					Protected: &trueVal,
-					BranchProtectionRule: clients.BranchProtectionRule{
+					ProtectionRule: clients.ProtectionRule{
 						CheckRules: clients.StatusChecksRule{
 							RequiresStatusChecks: &trueVal,
 							UpToDateBeforeMerge:  &falseVal,
@@ -138,15 +138,15 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 				NumberOfDebug: 0,
 			},
 			defaultBranch: main,
-			branches: []*clients.BranchRef{
+			branches: []*clients.RepoRef{
 				{
 					Name:      &rel1,
 					Protected: &falseVal,
 				},
 				{
 					Name:      &main,
 					Protected: &trueVal,
-					BranchProtectionRule: clients.BranchProtectionRule{
+					ProtectionRule: clients.ProtectionRule{
 						CheckRules: clients.StatusChecksRule{
 							RequiresStatusChecks: &trueVal,
 							UpToDateBeforeMerge:  &falseVal,
@@ -178,11 +178,11 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 				NumberOfDebug: 0,
 			},
 			defaultBranch: main,
-			branches: []*clients.BranchRef{
+			branches: []*clients.RepoRef{
 				{
 					Name:      &main,
 					Protected: &trueVal,
-					BranchProtectionRule: clients.BranchProtectionRule{
+					ProtectionRule: clients.ProtectionRule{
 						CheckRules: clients.StatusChecksRule{
 							RequiresStatusChecks: &trueVal,
 							UpToDateBeforeMerge:  &trueVal,
@@ -204,7 +204,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 				{
 					Name:      &rel1,
 					Protected: &trueVal,
-					BranchProtectionRule: clients.BranchProtectionRule{
+					ProtectionRule: clients.ProtectionRule{
 						CheckRules: clients.StatusChecksRule{
 							RequiresStatusChecks: &trueVal,
 							UpToDateBeforeMerge:  &falseVal,
@@ -236,11 +236,11 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 				NumberOfDebug: 0,
 			},
 			defaultBranch: main,
-			branches: []*clients.BranchRef{
+			branches: []*clients.RepoRef{
 				{
 					Name:      &main,
 					Protected: &trueVal,
-					BranchProtectionRule: clients.BranchProtectionRule{
+					ProtectionRule: clients.ProtectionRule{
 						CheckRules: clients.StatusChecksRule{
 							RequiresStatusChecks: &trueVal,
 							UpToDateBeforeMerge:  &trueVal,
@@ -262,7 +262,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 				{
 					Name:      &rel1,
 					Protected: &trueVal,
-					BranchProtectionRule: clients.BranchProtectionRule{
+					ProtectionRule: clients.ProtectionRule{
 						CheckRules: clients.StatusChecksRule{
 							RequiresStatusChecks: &trueVal,
 							UpToDateBeforeMerge:  &trueVal,
@@ -295,11 +295,11 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 			},
 			defaultBranch: main,
 			releases:      []string{sha},
-			branches: []*clients.BranchRef{
+			branches: []*clients.RepoRef{
 				{
 					Name:      &main,
 					Protected: &trueVal,
-					BranchProtectionRule: clients.BranchProtectionRule{
+					ProtectionRule: clients.ProtectionRule{
 						CheckRules: clients.StatusChecksRule{
 							RequiresStatusChecks: &trueVal,
 							UpToDateBeforeMerge:  &falseVal,
@@ -334,11 +334,11 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 			},
 			defaultBranch: main,
 			releases:      []string{""},
-			branches: []*clients.BranchRef{
+			branches: []*clients.RepoRef{
 				{
 					Name:      &main,
 					Protected: &trueVal,
-					BranchProtectionRule: clients.BranchProtectionRule{
+					ProtectionRule: clients.ProtectionRule{
 						CheckRules: clients.StatusChecksRule{
 							RequiresStatusChecks: &trueVal,
 							UpToDateBeforeMerge:  &falseVal,
@@ -371,11 +371,11 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 			defaultBranch: main,
 			// branches:      []*string{&rel1, &main},
 			releases: []string{rel1},
-			branches: []*clients.BranchRef{
+			branches: []*clients.RepoRef{
 				{
 					Name:      &main,
 					Protected: &trueVal,
-					BranchProtectionRule: clients.BranchProtectionRule{
+					ProtectionRule: clients.ProtectionRule{
 						CheckRules: clients.StatusChecksRule{
 							RequiresStatusChecks: &trueVal,
 							UpToDateBeforeMerge:  &trueVal,
@@ -386,7 +386,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 				{
 					Name:      &rel1,
 					Protected: &trueVal,
-					BranchProtectionRule: clients.BranchProtectionRule{
+					ProtectionRule: clients.ProtectionRule{
 						CheckRules: clients.StatusChecksRule{
 							RequiresStatusChecks: &trueVal,
 							UpToDateBeforeMerge:  &trueVal,
@@ -405,7 +405,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 			ctrl := gomock.NewController(t)
 			mockRepoClient := mockrepo.NewMockRepoClient(ctrl)
 			mockRepoClient.EXPECT().GetDefaultBranch().
-				DoAndReturn(func() (*clients.BranchRef, error) {
+				DoAndReturn(func() (*clients.RepoRef, error) {
 					defaultBranch := getBranch(tt.branches, tt.defaultBranch, tt.nonadmin)
 					return defaultBranch, nil
 				}).AnyTimes()
@@ -420,7 +420,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 					return ret, nil
 				}).AnyTimes()
 			mockRepoClient.EXPECT().GetBranch(gomock.Any()).
-				DoAndReturn(func(b string) (*clients.BranchRef, error) {
+				DoAndReturn(func(b string) (*clients.RepoRef, error) {
 					return getBranch(tt.branches, b, tt.nonadmin), nil
 				}).AnyTimes()
 			mockRepoClient.EXPECT().ListFiles(gomock.Any()).AnyTimes().Return(tt.repoFiles, nil)

@@ -434,7 +434,7 @@ func TestGithubTokenPermissions(t *testing.T) {
 
 			main := "main"
 			mockRepo.EXPECT().URI().Return("github.com/ossf/scorecard").AnyTimes()
-			mockRepo.EXPECT().GetDefaultBranch().Return(&clients.BranchRef{Name: &main}, nil).AnyTimes()
+			mockRepo.EXPECT().GetDefaultBranch().Return(&clients.RepoRef{Name: &main}, nil).AnyTimes()
 			mockRepo.EXPECT().ListFiles(gomock.Any()).DoAndReturn(func(predicate func(string) (bool, error)) ([]string, error) {
 				files := []string{}
 				for _, fn := range tt.filenames {

@@ -31,10 +31,10 @@ var commit = regexp.MustCompile("^[a-f0-9]{40}$")
 
 type branchSet struct {
 	exists map[string]bool
-	set    []clients.BranchRef
+	set    []clients.RepoRef
 }
 
-func (set *branchSet) add(branch *clients.BranchRef) bool {
+func (set *branchSet) add(branch *clients.RepoRef) bool {
 	if branch != nil &&
 		branch.Name != nil &&
 		*branch.Name != "" &&

@@ -37,13 +37,13 @@ var (
 type branchArg struct {
 	err           error
 	name          string
-	branchRef     *clients.BranchRef
+	branchRef     *clients.RepoRef
 	defaultBranch bool
 }
 
 type branchesArg []branchArg
 
-func (ba branchesArg) getDefaultBranch() (*clients.BranchRef, error) {
+func (ba branchesArg) getDefaultBranch() (*clients.RepoRef, error) {
 	for _, branch := range ba {
 		if branch.defaultBranch {
 			return branch.branchRef, branch.err
@@ -52,7 +52,7 @@ func (ba branchesArg) getDefaultBranch() (*clients.BranchRef, error) {
 	return nil, nil
 }
 
-func (ba branchesArg) getBranch(b string) (*clients.BranchRef, error) {
+func (ba branchesArg) getBranch(b string) (*clients.RepoRef, error) {
 	for _, branch := range ba {
 		if branch.name == b {
 			return branch.branchRef, branch.err
@@ -104,13 +104,13 @@ func TestBranchProtection(t *testing.T) {
 				{
 					name:          defaultBranchName,
 					defaultBranch: true,
-					branchRef: &clients.BranchRef{
+					branchRef: &clients.RepoRef{
 						Name: &defaultBranchName,
 					},
 				},
 			},
 			want: checker.BranchProtectionsData{
-				Branches: []clients.BranchRef{
+				Branches: []clients.RepoRef{
 					{
 						Name: &defaultBranchName,
 					},
@@ -180,13 +180,13 @@ func TestBranchProtection(t *testing.T) {
 			branches: branchesArg{
 				{
 					name: releaseBranchName,
-					branchRef: &clients.BranchRef{
+					branchRef: &clients.RepoRef{
 						Name: &releaseBranchName,
 					},
 				},
 			},
 			want: checker.BranchProtectionsData{
-				Branches: []clients.BranchRef{
+				Branches: []clients.RepoRef{
 					{
 						Name: &releaseBranchName,
 					},
@@ -204,13 +204,13 @@ func TestBranchProtection(t *testing.T) {
 			branches: branchesArg{
 				{
 					name: mainBranchName,
-					branchRef: &clients.BranchRef{
+					branchRef: &clients.RepoRef{
 						Name: &mainBranchName,
 					},
 				},
 			},
 			want: checker.BranchProtectionsData{
-				Branches: []clients.BranchRef{
+				Branches: []clients.RepoRef{
 					{
 						Name: &mainBranchName,
 					},
@@ -229,19 +229,19 @@ func TestBranchProtection(t *testing.T) {
 				{
 					name:          defaultBranchName,
 					defaultBranch: true,
-					branchRef: &clients.BranchRef{
+					branchRef: &clients.RepoRef{
 						Name: &defaultBranchName,
 					},
 				},
 				{
 					name: releaseBranchName,
-					branchRef: &clients.BranchRef{
+					branchRef: &clients.RepoRef{
 						Name: &releaseBranchName,
 					},
 				},
 			},
 			want: checker.BranchProtectionsData{
-				Branches: []clients.BranchRef{
+				Branches: []clients.RepoRef{
 					{
 						Name: &defaultBranchName,
 					},
@@ -260,11 +260,11 @@ func TestBranchProtection(t *testing.T) {
 			ctrl := gomock.NewController(t)
 			mockRepoClient := mockrepo.NewMockRepoClient(ctrl)
 			mockRepoClient.EXPECT().GetDefaultBranch().
-				AnyTimes().DoAndReturn(func() (*clients.BranchRef, error) {
+				AnyTimes().DoAndReturn(func() (*clients.RepoRef, error) {
 				return tt.branches.getDefaultBranch()
 			})
 			mockRepoClient.EXPECT().GetBranch(gomock.Any()).AnyTimes().
-				DoAndReturn(func(branch string) (*clients.BranchRef, error) {
+				DoAndReturn(func(branch string) (*clients.RepoRef, error) {
 					return tt.branches.getBranch(branch)
 				})
 			mockRepoClient.EXPECT().ListReleases().AnyTimes().