
✨ [WIP] Migrate Golang-based entrypoint for GitHub Actions #1962

Closed
wants to merge 32 commits into from

Conversation

justaugustus
Copy link
Member

Supersedes #1961 (using a feature branch instead).
ref: https://openssf.slack.com/archives/C0235AR8N2C/p1653505755497039

git filter-repo \
--path entrypoint/ \
--path github/ \
--path install/ \
--path multi-repo-action/ \
--path options/ \
--path policies/ \
--path signing/ \
--path starter-workflows/ \
--path main.go \
--to-subdirectory-filter action --preserve-commit-hashes --force
ossf/scorecard-action
---

$ git log --pretty=oneline
4fddb965b28338b9823d70652b1ee39e65250255 (HEAD -> main, tag: v1.1.0, upstream/main, upstream/dependabot/go_modules/github.com/ossf/scorecard/v4-4.3.0, upstream/dependabot/github_actions/github/codeql-action-2.1.11, upstream/dependabot/docker/openssf/scorecard-v4.3.0, upstream/azeems/golang-staging, multi-action-cleanup, go-ify, dependabot/go_modules/github.com/ossf/scorecard/v4-4.3.0) multi-repo-action: Cleanups (1/n) (#301)
fdbb71497c4c567bf4b6d818bec3e4c53a2d0549 (upstream/dependabot/go_modules/github.com/google/go-cmp-0.5.8, upstream/dependabot/docker/openssf/scorecard-3e5e5f7, rohan/main, rohan/add-log)
✨ Update documentation (#203)
8e161729d30c73f7cd08597579c75670471d310f Removed Sarif Results From Processing & Rekor Upload (#197)
1a9a3fe676bbcc5df1c0f8087f2ad94ec72eeebe (shellcheck, release-docs) Default Branch Checking Bugfix (#171)
b4bed33e9737a9441c69784ef2f1457a1bdf287f Sign scorecard results using cosign (#120)
fb20eae4521da1656a350035e59cdb5c5598236b (upstream/naveen/feat/e2e-golang-staging, upstream/naveen/feat/depsrevview) Dockerfile Build Using Golang Entrypoint (#158)
b4b3131efbbbfc3ae03499bccc28d2df62c6d735 (rohan/org-readme) Align the CII-Best-Practices requirements with the documentation (#129)
2494ef679ec8fa598e2eeda9af7b9e8a45f556be Fixups for golang-based entrypoint (#136)
dd59bcad39378f98cb6196f2593fef722171c769 (bin-swap) Create a Golang-based entrypoint for scorecard-action (1/n) (#122)
0360aed797f8ac70b30b5e9567fff7c02af6efab (upstream/dependabot/github_actions/golangci/golangci-lint-action-3.1.0, upstream/dependabot/github_actions/actions/setup-go-3, upstream/dependabot/docker/debian-11.2-slim, lint-config, fix-ci, dependabot/docker/debian-11.2-slim) enable workflow at organization level (#88)
49991861a6973061bca37b2f5c4b6f497d518d4b removed SCORECARD_RESULTS_FILE env var
c02b654188bef860e3436b709671cbfa6e79fc33 removed SCORECARD_RESULTS_FORMAT env var
60206944f2874429b21649358e4916b8cd5a5025 removed SCORECARD_PUBLISH_RESULTS env var
d1893249c8b99cd488bfdcacc69d15051119d1a7 removed SCORECARD_DEFAULT_BRANCH env var
5820b596443ec003442ac0af098048da713fed32 removed SCORECARD_PRIVATE_REPOSITORY env var
1ef211d3e8070376c360618a21451daa2172591f removed ENABLED_CHECKS env var
b0296921a4dc7142ddee491c2afbed922a51060e removed SCORECARD_BIN env var
a99fe347171196f484870ccff0ad51c7e5c3b948 removed SCORECARD_POLICY_FILE env var
45a665ee9cc11f982eee6dd19946ce526c6ceb36 (tag: v1.0.4) :seedling: Final bits of porting the shell to go
e4208638dd96fde4ed10b2579bb74bab96b94f93 :seedling: Porting of shell script to go
804700a54865b063b06c4a536da156cc42299a0d (tag: v1, upstream/debug/repojson, debug/repojson) :seedling: More unit tests for porting to Go
fb73a0a9d1dc0116fe0096cf7c590364720cde3d :seedling: Porting shell script to Go
21485458e9e32688de7aa6b0db3dbf55b5426edd :sparkles: Porting the shellscript to go
be2577367d5f98ac4c5ac4b9dcaea08faaf6e01b (tag: v1.0.3, tag: v1.0.2, tag: v1.0.1, tag: v1.0.0) remove checks (#47)
3de3158fd9fefee0a968e6b05109e8ff413f4ebd (tag: v0.0.2) fix maintained score (#45)
d19bee7c4263268e850a679c9a58a8155b6fa650 (upstream/codeql, rohan/codeql, codeql) rem signed-release check (#39)
a37eeaebfb97dcf4a4bd187cff5ab16654e0eb6d (tag: v0.0.1, upstream/laurentsimon-patch-2, rohan/laurentsimon-patch-2, laurentsimon-patch-2) ✨ Remove policy from action input (#16)
c149c1ebafa0d37ff8d45fb3352061b4c8849dd0 Feature: define the starter workflows (#21)
c3ff44937f5266646cf3e98f4b7490fec5932d9a (upstream/test/dogfood, upstream/revert-20-feat/bpsupport, upstream/feat/policyyaml, upstream/feat/dogfood, upstream/feat/bpsupport, upstream/feat/analyze, rohan/test/dogfood, rohan/revert-20-feat/bpsupport, rohan/feat/policyyaml, rohan/feat/dogfood, rohan/feat/bpsupport, rohan/feat/analyze, test/dogfood, revert-20-feat/bpsupport, feat/policyyaml, feat/dogfood, feat/bpsupport, feat/analyze) ✨ run-analysis action files (#1)

---

$ git cherry-pick c3ff44937f5266646cf3e98f4b7490fec5932d9a..4fddb965b28338b9823d70652b1ee39e65250255
[action-migrate 7650293] Feature: define the starter workflows (#21)
 Author: laurentsimon <[email protected]>
 Date: Fri Dec 10 09:44:15 2021 -0800
 2 files changed, 84 insertions(+)
 create mode 100644 action/starter-workflows/code-scanning/properties/scorecards.properties.json
 create mode 100644 action/starter-workflows/code-scanning/scorecards.yml
CONFLICT (modify/delete): action/policies/template.yml deleted in HEAD and modified in a37eeae (✨ Remove policy from action input (#16)).  Version a37eeae (✨ Remove policy from action input (#16)) of action/policies/template.yml left in tree.
error: could not apply a37eeae... ✨ Remove policy from action input (#16)
hint: After resolving the conflicts, mark them with
hint: "git add/rm <pathspec>", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".

$ git status
On branch action-migrate
Cherry-pick currently in progress.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Unmerged paths:
  (use "git add/rm <file>..." as appropriate to mark resolution)
	deleted by us:   action/policies/template.yml

no changes added to commit (use "git add" and/or "git commit -a")

$ git add action

$ git status
On branch action-migrate
Cherry-pick currently in progress.
  (run "git cherry-pick --continue" to continue)
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	new file:   action/policies/template.yml


$ git cherry-pick --continue
[action-migrate a6039d4] ✨ Remove policy from action input (ossf/scorecard-action#16)
 Author: laurentsimon <[email protected]>
 Date: Fri Dec 10 17:31:35 2021 -0800
 1 file changed, 70 insertions(+)
 create mode 100644 action/policies/template.yml
[action-migrate 846b670] rem signed-release check (#39)
 Author: laurentsimon <[email protected]>
 Date: Tue Jan 4 10:24:13 2022 -0800
 1 file changed, 1 insertion(+), 1 deletion(-)
[action-migrate 19132ab] fix maintained score (#45)
 Author: laurentsimon <[email protected]>
 Date: Thu Jan 6 12:37:46 2022 -0800
 1 file changed, 1 insertion(+), 1 deletion(-)
[action-migrate 9c8e8fe] remove checks (#47)
 Author: laurentsimon <[email protected]>
 Date: Mon Jan 10 15:35:35 2022 -0800
 1 file changed, 1 insertion(+), 1 deletion(-)
[action-migrate 37c3162] :sparkles: Porting the shellscript to go
 Author: naveen <[email protected]>
 Date: Fri Feb 4 21:54:49 2022 +0000
 1 file changed, 157 insertions(+)
 create mode 100644 action/main.go
[action-migrate 96ab8b5] :seedling: Porting shell script to Go
 Author: naveen <[email protected]>
 Date: Mon Feb 7 03:11:22 2022 +0000
 1 file changed, 162 insertions(+), 55 deletions(-)
[action-migrate 6eca02a] :seedling: More unit tests for porting to Go
 Author: naveen <[email protected]>
 Date: Tue Feb 8 23:44:04 2022 +0000
 1 file changed, 60 insertions(+), 35 deletions(-)
[action-migrate cb0499f] :seedling: Porting of shell script to go
 Author: naveen <[email protected]>
 Date: Fri Feb 11 15:02:42 2022 +0000
 1 file changed, 58 insertions(+), 11 deletions(-)
[action-migrate 20ffa2f] :seedling: Final bits of porting the shell to go
 Author: naveen <[email protected]>
 Date: Tue Feb 15 01:44:30 2022 +0000
 1 file changed, 91 insertions(+)
[action-migrate 30afa2d] removed SCORECARD_POLICY_FILE env var
 Author: Rohan Khandelwal <[email protected]>
 Date: Tue Feb 22 18:44:48 2022 -0800
 1 file changed, 2 insertions(+), 10 deletions(-)
[action-migrate e73ae26] removed SCORECARD_BIN env var
 Author: Rohan Khandelwal <[email protected]>
 Date: Tue Feb 22 18:56:43 2022 -0800
 1 file changed, 2 insertions(+), 3 deletions(-)
[action-migrate 94cf57a] removed ENABLED_CHECKS env var
 Author: Rohan Khandelwal <[email protected]>
 Date: Tue Feb 22 18:59:50 2022 -0800
 1 file changed, 2 insertions(+), 3 deletions(-)
[action-migrate 72ea722] removed SCORECARD_PRIVATE_REPOSITORY env var
 Author: Rohan Khandelwal <[email protected]>
 Date: Tue Feb 22 19:04:55 2022 -0800
 1 file changed, 15 insertions(+), 18 deletions(-)
[action-migrate 2997006] removed SCORECARD_DEFAULT_BRANCH env var
 Author: Rohan Khandelwal <[email protected]>
 Date: Tue Feb 22 19:08:28 2022 -0800
 1 file changed, 5 insertions(+), 7 deletions(-)
[action-migrate bfa79de] removed SCORECARD_PUBLISH_RESULTS env var
 Author: Rohan Khandelwal <[email protected]>
 Date: Tue Feb 22 19:19:48 2022 -0800
 1 file changed, 13 insertions(+), 18 deletions(-)
[action-migrate 2e9ac3f] removed SCORECARD_RESULTS_FORMAT env var
 Author: Rohan Khandelwal <[email protected]>
 Date: Tue Feb 22 19:22:24 2022 -0800
 1 file changed, 12 insertions(+), 15 deletions(-)
[action-migrate 07381b4] removed SCORECARD_RESULTS_FILE env var
 Author: Rohan Khandelwal <[email protected]>
 Date: Tue Feb 22 19:23:59 2022 -0800
 1 file changed, 12 insertions(+), 14 deletions(-)
[action-migrate 5516585] enable workflow at organization level (#88)
 Author: Rohan Khandelwal <[email protected]>
 Date: Wed Feb 23 15:00:31 2022 -0800
 6 files changed, 688 insertions(+)
 create mode 100644 action/multi-repo-action/README.md
 create mode 100644 action/multi-repo-action/go.mod
 create mode 100644 action/multi-repo-action/go.sum
 create mode 100644 action/multi-repo-action/main_test.go
 create mode 100644 action/multi-repo-action/org-workflow-add.go
 create mode 100644 action/multi-repo-action/scorecards-analysis.yml
[action-migrate 3496346] Create a Golang-based entrypoint for scorecard-action (1/n) (#122)
 Author: Stephen Augustus (he/him) <[email protected]>
 Date: Mon Mar 7 11:44:08 2022 -0500
 10 files changed, 1393 insertions(+), 402 deletions(-)
 create mode 100644 action/entrypoint/entrypoint.go
 create mode 100644 action/github/github.go
 rewrite action/main.go (94%)
 create mode 100644 action/options/env.go
 create mode 100644 action/options/options.go
 create mode 100644 action/options/options_test.go
 create mode 100644 action/options/testdata/bad-data.json
 create mode 100644 action/options/testdata/fork.json
 create mode 100644 action/options/testdata/incorrect.json
 create mode 100644 action/options/testdata/non-fork.json
[action-migrate 7fb0377] Fixups for golang-based entrypoint (#136)
 Author: Rohan Khandelwal <[email protected]>
 Date: Wed Mar 16 16:09:57 2022 -0700
 4 files changed, 84 insertions(+), 22 deletions(-)
[action-migrate 4c15137] Align the CII-Best-Practices requirements with the documentation (#129)
 Author: Jonas Bushart <[email protected]>
 Date: Fri Mar 18 15:42:39 2022 +0100
 1 file changed, 2 insertions(+), 1 deletion(-)
[action-migrate 1c2ba7d] Dockerfile Build Using Golang Entrypoint (#158)
 Author: Rohan Khandelwal <[email protected]>
 Date: Wed Mar 30 18:45:45 2022 -0700
 1 file changed, 1 insertion(+), 1 deletion(-)
[action-migrate 1de53a2] Sign scorecard results using cosign (#120)
 Author: Rohan Khandelwal <[email protected]>
 Date: Thu Apr 14 14:56:10 2022 -0700
 7 files changed, 967 insertions(+)
 mode change 100644 => 100755 action/entrypoint/entrypoint.go
 create mode 100644 action/signing/sign-random-data.txt
 create mode 100644 action/signing/signing.go
 create mode 100644 action/signing/signing_test.go
 create mode 100644 action/signing/testdata/results.json
 create mode 100644 action/signing/testdata/results.sarif
[action-migrate ea20da3] Default Branch Checking Bugfix (#171)
 Author: Rohan Khandelwal <[email protected]>
 Date: Thu Apr 21 13:42:22 2022 -0700
 2 files changed, 45 insertions(+), 20 deletions(-)
[action-migrate bfe7d99] Removed Sarif Results From Processing & Rekor Upload (#197)
 Author: Rohan Khandelwal <[email protected]>
 Date: Fri Apr 22 12:42:26 2022 -0700
 3 files changed, 10 insertions(+), 26 deletions(-)
[action-migrate d660987] ✨ Update documentation (#203)
 Author: laurentsimon <[email protected]>
 Date: Tue Apr 26 09:09:10 2022 -0700
 1 file changed, 1 deletion(-)
[action-migrate 07bf26c] multi-repo-action: Cleanups (1/n) (#301)
 Author: Stephen Augustus (he/him) <[email protected]>
 Date: Tue May 24 19:32:59 2022 -0400
 14 files changed, 855 insertions(+), 560 deletions(-)
 create mode 100644 action/install/cli/cli.go
 create mode 100644 action/install/github/github.go
 create mode 100644 action/install/install.go
 create mode 100644 action/install/options/flags.go
 create mode 100644 action/install/options/options.go
 delete mode 100644 action/multi-repo-action/go.mod
 delete mode 100644 action/multi-repo-action/go.sum
 create mode 100644 action/multi-repo-action/main.go
 delete mode 100644 action/multi-repo-action/org-workflow-add.go
 rename action/{multi-repo-action/scorecards-analysis.yml => starter-workflows/code-scanning/scorecards.yml} (54%)

$ git status
On branch action-migrate
nothing to commit, working tree clean

$ git status
On branch action-migrate
nothing to commit, working tree clean

---

$ git rebase -i HEAD~28

---

$ time make update-dependencies
# Update root go modules
go mod tidy && go mod verify
go: finding module for package go.opentelemetry.io/otel/metric/registry
go: finding module for package go.opentelemetry.io/otel/semconv
github.com/ossf/scorecard/v4/action/internal/signing imports
	github.com/sigstore/cosign/cmd/cosign/cli/sign imports
	github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier/ctl imports
	github.com/google/certificate-transparency-go imports
	go.etcd.io/etcd/v3 imports
	go.etcd.io/etcd/tests/v3/integration imports
	go.etcd.io/etcd/server/v3/embed imports
	go.opentelemetry.io/otel/semconv: module go.opentelemetry.io/otel@latest found (v1.7.0), but does not contain package go.opentelemetry.io/otel/semconv
github.com/ossf/scorecard/v4/action/internal/signing imports
	github.com/sigstore/cosign/cmd/cosign/cli/sign imports
	github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier/ctl imports
	github.com/google/certificate-transparency-go imports
	go.etcd.io/etcd/v3 imports
	go.etcd.io/etcd/tests/v3/integration imports
	go.etcd.io/etcd/server/v3/embed imports
	go.opentelemetry.io/otel/exporters/otlp imports
	go.opentelemetry.io/otel/sdk/metric/controller/basic imports
	go.opentelemetry.io/otel/metric/registry: module go.opentelemetry.io/otel/metric@latest found (v0.30.0), but does not contain package go.opentelemetry.io/otel/metric/registry
make: *** [update-dependencies] Error 1
make update-dependencies  1.54s user 1.97s system 431% cpu 0.815 total

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

What is the current behavior?

What is the new behavior (if this is a feature change)?

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)


laurentsimon and others added 29 commits May 25, 2022 19:47
* starter workflows

* add EOL

* change msg

* add EOL

* comment

* comment

* update msg

* comments
Porting the shellscript to go

Signed-off-by: naveen <[email protected]>
- Porting the shell script to go
- Including additional tests
- Code cleanup for the linter.

Signed-off-by: naveen <[email protected]>
More porting of shell script to go.

Tests associated with the new changes.
- Final bits of porting the shell script to `go`
- Tests included for the commandline args to Scorecard.
* enable workflow at organization level

* added more error checking

* added README, minor fixes

* added support for specifying repo list

* skip repo checks, started writing test

* dynamically pull latest workflow file

* cleanup

* test file resources

* reverted to statically storing workflow file

* removed token

* updated readme

* skip repo upon failure instead of exiting

* renamed global var

Co-authored-by: Naveen <[email protected]>
…recard-action#122)

* Move entrypoint logic to separate package
* options: env var-mapped structs via github.com/caarlos0/env/v6
* go.mod: Update scorecard to v4.1.1-0.20220306220811-4b9f0389c6f6
* entrypoint: Wrap scorecard with additional flags and hide unused
* entrypoint: Add `print-config` command
* options: Process GitHub info together
* options: Cleanups and defaulting for action-specific settings
* github: Move GitHub logic to a separate package
* entrypoint: Support outputting to file
* Rewrite unit tests
* Allow options tests to pass in GitHub Actions environments

Signed-off-by: Stephen Augustus <[email protected]>
- (Makefile) Created a makefile for building scorecard-action
- (entrypoint.go) Changed resultsFilePath so that it is under the GithubWorkspace dir to fix file permission errors
- (options.go) Properly pull & set EnvInputResultsFormat, EnvInputResultsFile, and EnvGithubAuthToken env vars
- (options_test.go) Set EnvInputResultsFormat and EnvInputResultsFile before calling options.New() to see if it properly picks up env vars.

Co-authored-by: Stephen Augustus <[email protected]>
…f/scorecard-action#129)

The remediation section states that only a passing score is required for this check to pass:
> We give full credit to projects that meet the passing criteria, which is a significant achievement for many projects.

A passing score currently equals 5.
https://github.com/ossf/scorecard/blob/e128c3de82607e1b285185da9c76a5262255b180/checks/cii_best_practices.go

See #110 for more details.

Co-authored-by: laurentsimon <[email protected]>
* test action

* sign test data

* func to sign and upload workflow result

* added signScorecardResult func and test

* added signScorecardResult func and test

* moved signing code into main.go

* added call to signScorecardResult at the end of main

* added err checking

* comments and added global vars

* style changes

* updated test to use randomized payload

* check publish_results

* error logging for signScorecardResult call

* error logging

* entrypoint

* updated dockerfile

* dockerfile

* dockerfile

* EnvInputsResults vars added to Options

* resultsfile env var

* set PAT

* create results file with sudo

* sudo create resultsfile

* try os.Openfile

* fixed filepath

* changed Distroless to debian

* get output format from env var

* fixed defaultpolicyfile path

* policy filepath

* copy policy.yml in dockerfile

* policyfile

* moved signing code to separate file

* dockerfile

* generate results.json file in preRun

* revert dockerfile to main

* json file creation check

* run scorecard again to produce json output

* testing

* entrypointJson

* print cmd

* alter env vars in main for json

* opts

* dockerfile uses entrypoint.go

* renamed make build

* produce both sarif and json

* sign json result

* sig verification api call

* go mod tidy

* readfile fix

* sign sarif instead of json

* http response code checking

* moved api call func into signing.go

* dont hardcode repo paths

* finalized signing + verif

* renamed sign test

* Bump debian from d5cd7e5 to 40f90ea

* removed unnecessary slash

* comments

* policy.yml -> /policy.yml

* refactored signing

* more refactoring + sig processing test

* fixed func call

* fixed sign test

* style + error fmt

* reverted dockerfile

* style fixes

* lint fixes

* linting errs

* test workflow permissions

* debug print

* commented out signing test

* linting errors

Co-authored-by: Azeem Shaikh <[email protected]>
* test action

* fixed Dockerfile

* / before policy filepath

* default branch checking + log

* revert logging

* remove lookupenv

* Dockerfile use golang entrypoint

* fixed test githubRef env

* revert dockerfile

* revert dockerfile
…action#197)

* test action

* sign test data

* func to sign and upload workflow result

* added signScorecardResult func and test

* added signScorecardResult func and test

* moved signing code into main.go

* added call to signScorecardResult at the end of main

* added err checking

* comments and added global vars

* style changes

* updated test to use randomized payload

* check publish_results

* error logging for signScorecardResult call

* error logging

* entrypoint

* updated dockerfile

* dockerfile

* dockerfile

* EnvInputsResults vars added to Options

* resultsfile env var

* set PAT

* create results file with sudo

* sudo create resultsfile

* try os.Openfile

* fixed filepath

* changed Distroless to debian

* get output format from env var

* fixed defaultpolicyfile path

* policy filepath

* copy policy.yml in dockerfile

* policyfile

* moved signing code to separate file

* dockerfile

* generate results.json file in preRun

* revert dockerfile to main

* json file creation check

* run scorecard again to produce json output

* testing

* entrypointJson

* print cmd

* alter env vars in main for json

* opts

* dockerfile uses entrypoint.go

* renamed make build

* produce both sarif and json

* sign json result

* sig verification api call

* go mod tidy

* readfile fix

* sign sarif instead of json

* http response code checking

* moved api call func into signing.go

* dont hardcode repo paths

* finalized signing + verif

* renamed sign test

* Bump debian from d5cd7e5 to 40f90ea

* removed unnecessary slash

* comments

* policy.yml -> /policy.yml

* refactored signing

* more refactoring + sig processing test

* fixed func call

* fixed sign test

* style + error fmt

* reverted dockerfile

* style fixes

* lint fixes

* linting errs

* test workflow permissions

* debug print

* commented out signing test

* linting errors

Co-authored-by: Azeem Shaikh <[email protected]>
* set GITHUB_TOKEN as default token

* updates

* Update doc

* Update doc

* updates

* updates

* update

* update

* update

* update

* updates
- install: Move action installation into a separate package
- Add missing license headers
- install: Fix unrecognized variables
- lint: Fix warnings and attempt to auto-fix issues (where supported)
- install: Parameterize config
- install: Borrow GitHub client pattern from sigs.k8s.io/release-sdk
- install: Use package-internal GitHub interface
- install: Provide installation options as struct
- install: Initial error/log handling cleanups
- install: Use cobra for CLI
- Remove inaccurate instances of workflow configuration file
- multi-repo-action: Disable incomplete tests
- install: Retrieve the correct action configuration from local path

Signed-off-by: Stephen Augustus <[email protected]>
Signed-off-by: Stephen Augustus <[email protected]>
@justaugustus justaugustus requested a review from olivekl as a code owner May 26, 2022 00:28
@justaugustus
Copy link
Member Author

go.mod breaks with the addition of the signing facilities:

time make update-dependencies
# Update root go modules
go mod tidy && go mod verify
go: finding module for package go.opentelemetry.io/otel/metric/registry
go: finding module for package go.opentelemetry.io/otel/semconv
github.com/ossf/scorecard/v4/action/internal/signing imports
	github.com/sigstore/cosign/cmd/cosign/cli/sign imports
	github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier/ctl imports
	github.com/google/certificate-transparency-go imports
	go.etcd.io/etcd/v3 imports
	go.etcd.io/etcd/tests/v3/integration imports
	go.etcd.io/etcd/server/v3/embed imports
	go.opentelemetry.io/otel/semconv: module go.opentelemetry.io/otel@latest found (v1.7.0), but does not contain package go.opentelemetry.io/otel/semconv
github.com/ossf/scorecard/v4/action/internal/signing imports
	github.com/sigstore/cosign/cmd/cosign/cli/sign imports
	github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier/ctl imports
	github.com/google/certificate-transparency-go imports
	go.etcd.io/etcd/v3 imports
	go.etcd.io/etcd/tests/v3/integration imports
	go.etcd.io/etcd/server/v3/embed imports
	go.opentelemetry.io/otel/exporters/otlp imports
	go.opentelemetry.io/otel/sdk/metric/controller/basic imports
	go.opentelemetry.io/otel/metric/registry: module go.opentelemetry.io/otel/metric@latest found (v0.30.0), but does not contain package go.opentelemetry.io/otel/metric/registry

Will pick this up once I figure it out.

@justaugustus justaugustus changed the title [WIP] Action migrate ✨ [WIP] Migrate Golang-based entrypoint for GitHub Actions May 26, 2022
Signed-off-by: Stephen Augustus <[email protected]>
@codecov
Copy link

codecov bot commented May 26, 2022

Codecov Report

Merging #1962 (81ac0ec) into main (d1714a2) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #1962   +/-   ##
=======================================
  Coverage   50.79%   50.79%           
=======================================
  Files          83       83           
  Lines        6719     6719           
=======================================
  Hits         3413     3413           
  Misses       3078     3078           
  Partials      228      228           

@github-actions
Copy link

github-actions bot commented Jun 5, 2022

Stale pull request message
