From 08dd0cebb088ac0fd6364339b1b3b68b75041ea8 Mon Sep 17 00:00:00 2001
From: Azeem Shaikh
Date: Thu, 18 Aug 2022 13:02:19 -0400
Subject: [PATCH] =?UTF-8?q?=F0=9F=8C=B1=20Allow=20for=20publish=20URL=20ov?= =?UTF-8?q?erride=20(#811)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Allow for URL override
* Tag a new release
* Unit test
* Update to internal_publish_base_url
---
action.yaml | 7 ++++++-
options/env.go | 11 ++++++-----
signing/signing.go | 7 +------
signing/signing_test.go | 3 +++
4 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/action.yaml b/action.yaml
index d5e86fd0..1fd75f4e 100644
--- a/action.yaml
+++ b/action.yaml
@@ -37,6 +37,11 @@ inputs:
 required: false
 default: false
+ internal_publish_base_url:
+ description: "INPUT: Base URL for publishing results. Used for testing."
+ required: false
+ default: "https://api.securityscorecards.dev"
+
 internal_default_token:
 description: "INPUT: Default GitHub token. (Internal purpose only, not intended for developers to set. Used for pull requests configured with a PAT)."
 required: false
@@ -48,4 +53,4 @@ branding:
 runs:
 using: "docker"
- image: "docker://gcr.io/openssf/scorecard-action:v2.0.0-alpha.1"
+ image: "docker://gcr.io/openssf/scorecard-action:v2.0.0-alpha.2"
diff --git a/options/env.go b/options/env.go
index e3e1f5bd..209685da 100644
--- a/options/env.go
+++ b/options/env.go
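Review bot: The new `internal_publish_base_url` input is documented only as "Used for testing.", whereas the neighbouring `internal_default_token` input spells out that it is internal and not intended for developers to set; since this input decides where the signed results are posted (and, to the extent ProcessSignature's accessToken parameter implies the token travels with the request, where that goes too), it deserves the same explicit wording. Suggest `description: "INPUT: Base URL for publishing results. (Internal purpose only, not intended for developers to set. Used for testing.)"`. Note also that after this commit removes the Go constant in signing/signing.go, this `default:` is the only copy of the production URL, so the Go side has no fallback when the input is not wired through. The second hunk is a plain image tag bump.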
@@ -38,11 +38,12 @@ const (
 // TODO(input): INPUT_ constants should be removed in a future release once
 // they have replacements in upstream scorecard.
- EnvInputRepoToken = "INPUT_REPO_TOKEN" //nolint:gosec
- EnvInputInternalRepoToken = "INPUT_INTERNAL_DEFAULT_TOKEN" //nolint:gosec
- EnvInputResultsFile = "INPUT_RESULTS_FILE"
- EnvInputResultsFormat = "INPUT_RESULTS_FORMAT"
- EnvInputPublishResults = "INPUT_PUBLISH_RESULTS"
+ EnvInputRepoToken = "INPUT_REPO_TOKEN" //nolint:gosec
+ EnvInputInternalRepoToken = "INPUT_INTERNAL_DEFAULT_TOKEN" //nolint:gosec
+ EnvInputResultsFile = "INPUT_RESULTS_FILE"
+ EnvInputResultsFormat = "INPUT_RESULTS_FORMAT"
+ EnvInputPublishResults = "INPUT_PUBLISH_RESULTS"
+ EnvInputInternalPublishBaseURL = "INPUT_INTERNAL_PUBLISH_BASE_URL"
 )
 // Errors
diff --git a/signing/signing.go b/signing/signing.go
index 4c2478b1..dba2614d 100644
--- a/signing/signing.go
+++ b/signing/signing.go
@@ -33,8 +33,6 @@ import (
 "github.com/sigstore/cosign/cmd/cosign/cli/sign"
 )
-const scorecardAPI = "https://api.securityscorecards.dev"
-
 // SignScorecardResult signs the results file and uploads the attestation to the Rekor transparency log.
 func SignScorecardResult(scorecardResultsFile string) error {
 if err := os.Setenv("COSIGN_EXPERIMENTAL", "true"); err != nil {
@@ -108,10 +106,7 @@ func ProcessSignature(jsonPayload []byte, repoName, repoRef, accessToken string)
 // Call scorecard-webapp-api to process and upload signature.
 // Setup HTTP request and context.
- apiURL := scorecardAPI
- if scorecardURL, exists := os.LookupEnv("SCORECARD_API_URL"); exists {
- apiURL = scorecardURL
- }
+ apiURL := os.Getenv(options.EnvInputInternalPublishBaseURL)
 rawURL := fmt.Sprintf("%s/projects/github.com/%s", apiURL, repoName)
 parsedURL, err := url.Parse(rawURL)
 if err != nil {
diff --git a/signing/signing_test.go b/signing/signing_test.go
index 0bc6ed22..dc5c767c 100644
--- a/signing/signing_test.go
+++ b/signing/signing_test.go
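Review bot: The new `EnvInputInternalPublishBaseURL` constant is added without a comment saying what it controls or that it is an internal, test-only override whose default now lives in action.yaml rather than anywhere in Go. Suggest `// EnvInputInternalPublishBaseURL overrides the API base URL that signed results are published to (internal/testing use only; the default is set in action.yaml).` The hunk also re-aligns every existing constant in the block, which hides the one real addition in the diff; a gofmt-only commit beforehand would have kept this change to a single added line. The enclosing const block starts outside the hunk.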
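Review bot: `apiURL := os.Getenv(options.EnvInputInternalPublishBaseURL)` has no fallback, so when the variable is unset or empty (the container run outside the action, or a caller on an action.yaml that lacks the new input) rawURL becomes `/projects/github.com/<repo>`, which url.Parse accepts and the failure only surfaces later from the HTTP client with a confusing message. The removed lines kept a compiled-in default and honoured `SCORECARD_API_URL`; that override is dropped silently, which presumably deserves a release note. Because the base URL now comes from an action input rather than a constant, it is also worth rejecting non-https or host-less values once parsedURL is available, e.g. after the existing err check: `if parsedURL.Scheme != "https" || parsedURL.Host == "" { return fmt.Errorf("publish base URL %q must be an absolute https URL", apiURL) }` — this assumes ProcessSignature returns error, as the err branch in the hunk suggests, and whether accessToken is sent with the request is not visible here. ProcessSignature starts and ends outside the hunk.
```go
	// Fall back to the production API when the input is not wired through
	// (the default otherwise lives only in action.yaml).
	apiURL := os.Getenv(options.EnvInputInternalPublishBaseURL)
	if apiURL == "" {
		apiURL = "https://api.securityscorecards.dev"
	}
	rawURL := fmt.Sprintf("%s/projects/github.com/%s", apiURL, repoName)
	// … unchanged: url.Parse and the existing err check …
```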
@@ -19,6 +19,8 @@ package signing
 import (
 "os"
 "testing"
+
+ "github.com/ossf/scorecard-action/options"
 )
 // TODO: For this test to work, fake the OIDC token retrieval with something like.
@@ -80,6 +82,7 @@ func Test_ProcessSignature(t *testing.T) {
 repoName := "ossf-tests/scorecard-action"
 repoRef := "refs/heads/main"
 accessToken := os.Getenv("GITHUB_AUTH_TOKEN")
+ os.Setenv(options.EnvInputInternalPublishBaseURL, "https://api.securityscorecards.dev")
 if err != nil {
 t.Errorf("Error reading testdata:, %v", err)
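Review bot: `os.Setenv(options.EnvInputInternalPublishBaseURL, ...)` discards the returned error and leaves the variable set for every test that runs later in the same process, so the publish target leaks across tests. `t.Setenv(options.EnvInputInternalPublishBaseURL, "https://api.securityscorecards.dev")` restores the previous value at cleanup, fails the test if the variable cannot be set, and panics if the test is later made parallel, which is the guard you want here (available since Go 1.17; check the module's go directive). The first hunk only adds the options import. Test_ProcessSignature starts before and continues after the hunk.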