Skip to content

use Scorecard library entrypoint instead of Cobra hooking#1423

Merged
justaugustus merged 4 commits intoossf:mainfrom
spencerschrock:entrypoint
Aug 10, 2024
Merged

use Scorecard library entrypoint instead of Cobra hooking#1423
justaugustus merged 4 commits intoossf:mainfrom
spencerschrock:entrypoint

Conversation

@spencerschrock
Copy link
Member

@spencerschrock spencerschrock commented Aug 9, 2024

Scorecard V5 released a new entrypoint, so make use of it instead of
hooking into the underlying Cobra CLI. This gives us more flexibility
when running Scorecard, such as writing the result to multiple formats.

The code got moved around a lot, my hope is it's organized more
clearly now, but I'll try to summarize it for the sake of the reviewer.

entrypoint/entrypoint.go used to do several things

  1. Read the Scorecard Action options, which now takes place in our main.go

    scorecard-action/main.go

    Lines 35 to 39 in 486e8de

    opts, err := getOpts()
    if err != nil {
    log.Fatal(err)
    }
    opts.Print()

  2. All sorts of pre/post hooks to redirect output to both stdout and a result file. Which is done explicitly in a new format helper function.

    scorecard-action/internal/scorecard/format.go

    Lines 47 to 53 in 486e8de

    // write results to both stdout and result file
    resultFile, err := os.Create(opts.GithubWorkspace + opts.InputResultsFile)
    if err != nil {
    return fmt.Errorf("creating result file: %w", err)
    }
    defer resultFile.Close()
    writer := io.MultiWriter(resultFile, os.Stdout)

signing/signing.go re-ran scorecard via GetJSONScorecardResults, which is now a simple extra formatting call.

scorecard-action/main.go

Lines 54 to 58 in 486e8de

// if we don't already have the results as JSON, generate them
if opts.InputResultsFormat != "json" {
opts.InputResultsFormat = "json"
opts.InputResultsFile = "results.json"
err = scorecard.Format(&result, opts)

In terms of testing, separating the format code makes it more testable! But the rest of it is very hard to unit test. I'll look into testing the rest of it.

Fixes #1071

@spencerschrock
use new Scorecard entrypoint
1e0b68b 
Scorecard V5 released a new entrypoint, so make use of it instead of
hooking into the underlying Cobra CLI. This gives us more flexibility
when running Scorecard, such as writing the result to multiple formats.

Signed-off-by: Spencer Schrock <sschrock@google.com>
@spencerschrock
add basic format tests
486e8de 
Signed-off-by: Spencer Schrock <sschrock@google.com>
@spencerschrock
run go mod tidy to cleanup removed transitive deps
40acf1f 
Signed-off-by: Spencer Schrock <sschrock@google.com>
@spencerschrock
Copy link
Member Author

spencerschrock commented Aug 9, 2024

In terms of testing, separating the format code makes it more testable! But the rest of it is very hard to unit test. I'll look into testing the rest of it.

Testing the Dockerfile locally, the JSON output is identical (using scdiff to compare), and the SARIF matches. The nightly e2e tests would test for fatal errors after merge as well.

But there aren't any great e2e tests currently setup before merge.

@spencerschrock spencerschrock marked this pull request as ready for review August 9, 2024 21:00
justaugustus
justaugustus requested changes Aug 10, 2024
View reviewed changes
Copy link
Member

@justaugustus justaugustus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor nits.
Looks much cleaner, @spencerschrock!!

@justaugustus
Apply suggestions from code review
0326070 
Signed-off-by: Stephen Augustus <justaugustus@users.noreply.github.com>
justaugustus
justaugustus approved these changes Aug 10, 2024
View reviewed changes
Copy link
Member

@justaugustus justaugustus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving with code suggestions applied from #1423 (review).

@justaugustus justaugustus merged commit d10a2ed into ossf:main Aug 10, 2024
@spencerschrock spencerschrock mentioned this pull request Aug 11, 2024
Merged
@spencerschrock spencerschrock deleted the entrypoint branch August 11, 2024 21:59
@spencerschrock spencerschrock mentioned this pull request Dec 4, 2024
Closed
This was referenced May 4, 2025
Open
Open
@renovate renovate bot mentioned this pull request Jun 19, 2025
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@justaugustus justaugustus justaugustus approved these changes

@raghavkaul raghavkaul Awaiting requested review from raghavkaul

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat: run scorecard only once

2 participants

@spencerschrock @justaugustus