🐛 Support POST workflow verification for inter-repo reusable workflows #295
✅ Deploy Preview for ossf-scorecard canceled.
Thanks
Force-pushed from 0c47fd6 to fdc1c06.
Thanks! Could you add the associated issue for this PR?
I don't believe there was any associated issue filed. I can create one, but it will just contain the same text as this PR.
What made you fix this? Did someone complain? If so, you could create an issue with that reference. HTH
Signed-off-by: Spencer Schrock <sschrock@google.com>
…t repositories than the repo they analyze. Signed-off-by: Spencer Schrock <sschrock@google.com>
Force-pushed from dfd51f0 to a61aea8.
The Scorecard action can't be used as a reusable workflow from another repo if `publish_results` is `true`. When the Scorecard action POSTs the JSON to the webapp, the webapp tries to download and verify the workflow, but the logic currently assumes the workflow always comes from the same repo. The API used to download the workflow file then fails with a 404 error, leading to a vague 500 error on the original POST from action to webapp:

This PR adds logic to handle scenarios where a reusable workflow file is in a different repo than the repo being analyzed:

- `workflow_ref` from the x509 cert produced by sigstore/Fulcio during the Scorecard action: https://github.com/sigstore/fulcio/blob/4114d0975133e97ac270c3ca01920fe4dfccafd4/docs/oidc.md#github

Fixes #300
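The description above says the fix takes `workflow_ref` from the Fulcio-issued certificate and fetches the workflow from the repo that value names instead of the repo being analyzed. As an added illustration, not scorecard-webapp's own code, here is a small Go parser for the `owner/repo/.github/workflows/file.yml@ref` string format that GitHub documents for the `workflow_ref` OIDC claim, plus a check that fails closed on malformed values so a bad certificate yields a clear verification error rather than an opaque 500. The function names, the sample repositories and the REST path layout are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// WorkflowRef is the parsed form of the workflow_ref value, e.g.
// "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main".
// The split below is an assumption about that documented string format,
// not scorecard-webapp's own parser.
type WorkflowRef struct {
	Owner string // repository owner
	Repo  string // repository name
	Path  string // path of the workflow file inside that repo
	Ref   string // git ref (branch, tag or commit) the file was taken from
}

// ParseWorkflowRef splits "owner/repo/path@ref" and rejects anything that is
// not a workflow file under .github/workflows, so a malformed or hostile value
// fails verification instead of reaching the download step.
func ParseWorkflowRef(s string) (WorkflowRef, error) {
	// Git branch names may legally contain "@"; workflow file names normally
	// do not, so split on the last "@".
	at := strings.LastIndex(s, "@")
	if at <= 0 || at == len(s)-1 {
		return WorkflowRef{}, errors.New("workflow_ref missing @ref suffix")
	}
	full, ref := s[:at], s[at+1:]
	parts := strings.SplitN(full, "/", 3)
	if len(parts) != 3 || parts[0] == "" || parts[1] == "" {
		return WorkflowRef{}, fmt.Errorf("workflow_ref %q has no owner/repo prefix", s)
	}
	path := parts[2]
	if !strings.HasPrefix(path, ".github/workflows/") || strings.Contains(path, "..") {
		return WorkflowRef{}, fmt.Errorf("workflow path %q is not under .github/workflows", path)
	}
	return WorkflowRef{Owner: parts[0], Repo: parts[1], Path: path, Ref: ref}, nil
}

// ContentsAPIPath returns the GitHub REST path to fetch the workflow file from.
// The owner/repo come from workflow_ref itself, so a reusable workflow hosted
// in another repo is downloaded from that repo rather than from the repo being
// analyzed, which is the lookup that produced the 404 described in the PR.
func ContentsAPIPath(ref WorkflowRef) string {
	return fmt.Sprintf("/repos/%s/%s/contents/%s?ref=%s", ref.Owner, ref.Repo, ref.Path, ref.Ref)
}

// IsInterRepo reports whether the workflow lives outside the analyzed repo.
func IsInterRepo(ref WorkflowRef, analyzedOwner, analyzedRepo string) bool {
	return !strings.EqualFold(ref.Owner, analyzedOwner) || !strings.EqualFold(ref.Repo, analyzedRepo)
}

func main() {
	// Constructed sample: repo "acme/service" calls a reusable workflow
	// that lives in "acme/ci-templates".
	ref, err := ParseWorkflowRef("acme/ci-templates/.github/workflows/scorecard.yml@refs/heads/main")
	if err != nil {
		panic(err)
	}
	fmt.Println(IsInterRepo(ref, "acme", "service"), ContentsAPIPath(ref))
}
```

The path check matters as much as the repo lookup: the certificate value is attacker-influenced input to the verifier, so anything outside `.github/workflows/` or containing `..` is rejected before any API call is made.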