🐛 Support POST workflow verification for inter-repo reusable workflows

[spencerschrock]

The Scorecard action can't be used as a reusable workflow from another repo if publish_results is true.

When Scorecard action POSTs the JSON to the webapp, the webapp tries to download and verify the workflow, but the logic currently assumes the workflow always comes from the same repo. The API used to download the workflow file then
fails with a 404 error, leading to a vague 500 error on the original POST from action to webapp:

error processing signature: http response 500, status: 500 Internal Server Error, error: {"code":500,"message":"something went wrong and we are looking into it."}

This PR adds logic to handle scenarios where a reusable workflow file is in a different repo than the repo being analyzed:

• In scenarios where the workflow file and the repo are the same, the behavior is unchanged (workflow file is downloaded using the cert commit SHA).
• In scenarios where the workflow file is in a different repo, the cert commit SHA can obviously no longer be used. The ref used in this case is the workflow_ref from the x509 cert produced by sigstore/Fulcio during Scorecard action:
  https://github.com/sigstore/fulcio/blob/4114d0975133e97ac270c3ca01920fe4dfccafd4/docs/oidc.md#github

Fixes #300

[netlify]

✅ Deploy Preview for ossf-scorecard canceled.

Name	Link
🔨 Latest commit	a61aea8
🔍 Latest deploy log	https://app.netlify.com/sites/ossf-scorecard/deploys/63ab5c600442f20008ca12bf

[naveensrinivasan]

Thanks

[azeemshaikh38]

Thanks! Could you add the associated issue for this PR?

[spencerschrock]

I don't believe there was any associated issue filed. I can create one, but it will just contain the same text as this PR.

[naveensrinivasan]

I don't believe there was any associated issue filed. I can create one, but it will just contain the same text as this PR.

What made you fix this? Did someone complain? If so, you could create an issue with that reference. HTH