Conversation

@nitrocode
Contributor

what

  • add scorecard

why

  • Show scorecard to improve metrics
  • Scorecard will also show up on renovatebot PRs for this action

references

@bigdaz bigdaz merged commit 9e8f2bc into gradle:main Nov 13, 2024
3 checks passed
@nitrocode nitrocode deleted the scorecard branch November 14, 2024 05:22
@nitrocode
Contributor Author

Thanks for merging!

@bigdaz
Member

bigdaz commented Feb 19, 2025

@nitrocode I'm having trouble satisfying the code-review requirements for scorecard. Are you familiar with the algorithm used?

The issue is largely around bot-generated PRs and commits. Two examples:

  • This dependency-update PR was generated by a bot. I reviewed and merged the PR. But the "Code Review" score for the project went down as a result.
  • On each push to main, a workflow runs that runs npm and commits the output into the dist directory. Here's an example commit. Since this is an automated process, no review is performed and the bot commits the changes directly.

Is there a simple way I can change the process to satisfy the "code review" requirements, or am I stuck with a low score for this check?

@nitrocode
Contributor Author

Hi @bigdaz

I looked at the docs and I see the following

Scoring is leveled instead of proportional to make the check more predictable. If any bot-originated changes are unreviewed, 3 points are deducted. If any human changes are unreviewed, 7 points are deducted if a single change is unreviewed, and another 3 are deducted if multiple changes are unreviewed.

Your PR and Bot Commit

See the conversation in this github issue ossf/scorecard#2450

Maybe bring this up as a separate issue (how to deal with keeping dist/ dir up to date without losing 7 points on code review metric)? Perhaps there is a different way to solve the problem than the bot committing directly to the HEAD branch?
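To make the leveled scoring rule quoted above concrete, here is a small model of it as an added example (not Scorecard's own code and not from this PR). It assumes a 10-point maximum, which is the range Scorecard reports per check, and treats each merged PR or direct commit as one "change" already tagged as bot- or human-authored and as reviewed or not; the real check derives those two facts from PR approvals and author metadata, which this model takes as input. The sample changes mirror the two cases raised in the thread: a reviewed bot-generated dependency PR and an unreviewed automated commit to `dist/`.

```python
"""Model of the OpenSSF Scorecard Code-Review deductions (added example).

Assumptions (not from the page): MAX_SCORE of 10, and that the reviewed /
bot classification of each change is supplied by the caller.
"""
from dataclasses import dataclass


MAX_SCORE = 10  # assumed: Scorecard reports each check on a 0..10 scale


@dataclass(frozen=True)
class Change:
    ref: str        # constructed label for a commit or PR
    is_bot: bool    # authored by a bot account (dependency updater, CI workflow)
    reviewed: bool  # approved by a human reviewer before it reached the branch


def deductions(changes):
    """Return (deduction, reasons) following the leveled rule:
    -3 if any bot-originated change is unreviewed;
    -7 if any human change is unreviewed, and a further -3 if more than one is.
    """
    unreviewed_bot = [c for c in changes if c.is_bot and not c.reviewed]
    unreviewed_human = [c for c in changes if not c.is_bot and not c.reviewed]
    total, reasons = 0, []
    if unreviewed_bot:
        total += 3
        reasons.append("-3: unreviewed bot changes " + ", ".join(c.ref for c in unreviewed_bot))
    if unreviewed_human:
        total += 7
        reasons.append("-7: unreviewed human change " + unreviewed_human[0].ref)
        if len(unreviewed_human) > 1:
            total += 3
            reasons.append("-3: multiple unreviewed human changes")
    return total, reasons


def code_review_score(changes):
    """Leveled score: start at MAX_SCORE, apply deductions, floor at zero."""
    total, _ = deductions(changes)
    return max(MAX_SCORE - total, 0)


# Constructed sample history resembling the two cases discussed in the thread.
RENOVATE_PR_REVIEWED = Change("renovate-bump-PR", is_bot=True, reviewed=True)
DIST_BOT_COMMIT = Change("dist-rebuild-commit", is_bot=True, reviewed=False)
HUMAN_PR_REVIEWED = Change("feature-PR", is_bot=False, reviewed=True)
HUMAN_DIRECT_PUSH = Change("hotfix-direct-push", is_bot=False, reviewed=False)


def scenario_reviewed_only():
    """Bot PR merged after a human review: no deduction."""
    return code_review_score([RENOVATE_PR_REVIEWED, HUMAN_PR_REVIEWED])


def scenario_bot_direct_commit():
    """Reviewed PRs plus one unreviewed automated commit: -3."""
    return code_review_score([RENOVATE_PR_REVIEWED, HUMAN_PR_REVIEWED, DIST_BOT_COMMIT])


def scenario_bot_commit_counted_as_human():
    """Same automated commit, but attributed to a human account: -7 instead."""
    as_human = Change(DIST_BOT_COMMIT.ref, is_bot=False, reviewed=False)
    return code_review_score([RENOVATE_PR_REVIEWED, HUMAN_PR_REVIEWED, as_human])


if __name__ == "__main__":
    for name, fn in [
        ("reviewed only", scenario_reviewed_only),
        ("bot direct commit", scenario_bot_direct_commit),
        ("bot commit seen as human", scenario_bot_commit_counted_as_human),
    ]:
        print(f"{name}: {fn()}/{MAX_SCORE}")
```

The third scenario is the one worth checking in practice: whether an automated `dist/` commit costs 3 or 7 points depends entirely on whether the check classifies its author as a bot, so the committer identity used by the workflow matters as much as the review process itself.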

@bigdaz
Member

bigdaz commented Feb 22, 2025

Thanks for checking. I'd prefer not to make the process less convenient in order to satisfy this (somewhat arbitrary) requirement.

For now I think I'll just ignore the CodeReview portion of the scorecard.


Development

Successfully merging this pull request may close these issues.

Add openssf scorecard
