
✨ Check for imposter commits when verifying Scorecard Action results #389

Merged

Conversation

spencerschrock (Contributor)
Added logic to ensure a commit belongs to the main branch of the repository. Thanks to Chainguard for their imposter commit blog post and @wlynch for their CompareCommits implementation, which uses 1 REST call to get the default branch of the action step, and 1 call to check if it belongs to the branch.

There were a few alternatives considered:

  • The https://github.com/<org>/<repo>/branch_commits/<hash> endpoint, which isn't a documented/supported API endpoint and would involve parsing HTML and hoping it doesn't change.
  • A search-based implementation, which has its own API quota (30/min). I'd be open to submitting this format if people prefer it, but the search endpoint has randomly broken on us in the past.
```go
package verifier

import (
	"context"
	"errors"
	"fmt"

	// go-github import path assumed; the PR does not state which major version is in use.
	"github.com/google/go-github/github"
)

// errInvalidSearchResponse is returned when the search API answers without a total count.
var errInvalidSearchResponse = errors.New("invalid search response: missing total count")

type githubVerifier struct {
	ctx    context.Context
	client *github.Client
}

// contains reports whether hash is a commit of owner/repo according to the
// commit search endpoint (one request; counted against the 30/min search quota).
func (g *githubVerifier) contains(owner, repo, hash string) (bool, error) {
	opts := &github.SearchOptions{ListOptions: github.ListOptions{PerPage: 1}}
	queryString := fmt.Sprintf("repo:%s/%s hash:%s", owner, repo, hash)
	res, _, err := g.client.Search.Commits(g.ctx, queryString, opts)
	if err != nil {
		return false, fmt.Errorf("searching for commit: %w", err)
	}
	if res == nil || res.Total == nil {
		return false, errInvalidSearchResponse
	}
	return *res.Total > 0, nil
}
```

Signed-off-by: Spencer Schrock <sschrock@google.com>
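As an added example, not code from this PR or from the Scorecard project, the following shows the two-call check the description outlines, written against the REST endpoints directly with the Go standard library rather than go-github, and exercised against a constructed in-process fake of the GitHub API so it runs offline. The repository octo/widget, the commits c1, c2, c3 and f1, and the fake server are assumptions for illustration only; the compare status values ("identical", "behind", "ahead", "diverged") are the ones the real compare endpoint returns.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// branchContainsCommit reports whether commit hash is reachable from the
// default branch of owner/repo using two REST calls: one to read the default
// branch, one compare call of <branch>...<hash>. The compare status describes
// the head (our hash) relative to the base (the branch head): "identical" or
// "behind" means the hash is an ancestor of the branch head and so belongs to
// the branch; "ahead" or "diverged" means it does not, which is how a commit
// that only exists in a fork (an imposter commit) shows up.
func branchContainsCommit(client *http.Client, apiBase, owner, repo, hash string) (bool, error) {
	var repoInfo struct {
		DefaultBranch string `json:"default_branch"`
	}
	if err := getJSON(client, fmt.Sprintf("%s/repos/%s/%s", apiBase, owner, repo), &repoInfo); err != nil {
		return false, fmt.Errorf("fetching default branch: %w", err)
	}
	if repoInfo.DefaultBranch == "" {
		return false, fmt.Errorf("%s/%s: no default branch in response", owner, repo)
	}
	var cmp struct {
		Status string `json:"status"`
	}
	url := fmt.Sprintf("%s/repos/%s/%s/compare/%s...%s", apiBase, owner, repo, repoInfo.DefaultBranch, hash)
	if err := getJSON(client, url, &cmp); err != nil {
		return false, fmt.Errorf("comparing %s against %s: %w", hash, repoInfo.DefaultBranch, err)
	}
	switch cmp.Status {
	case "identical", "behind":
		return true, nil
	case "ahead", "diverged":
		return false, nil
	}
	return false, fmt.Errorf("unexpected compare status %q", cmp.Status)
}

// getJSON performs one GET and decodes the JSON body. A non-200 response (for
// example 404 for a hash GitHub cannot find at all) is surfaced as an error,
// not silently reported as "not on the branch".
func getJSON(client *http.Client, url string, v any) error {
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("GET %s: HTTP %d", url, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(v)
}

// newFakeGitHub is a constructed stand-in for api.github.com (assumption, not
// real data): repository octo/widget has default branch main with history
// c1 -> c2 -> c3 (head), and commit f1 exists only in a fork that branched
// from c2 and then moved on independently.
func newFakeGitHub() *httptest.Server {
	onMain := map[string]bool{"c1": true, "c2": true, "c3": true}
	const head = "c3"
	mux := http.NewServeMux()
	mux.HandleFunc("/repos/octo/widget", func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(map[string]string{"default_branch": "main"})
	})
	mux.HandleFunc("/repos/octo/widget/compare/", func(w http.ResponseWriter, r *http.Request) {
		spec := strings.TrimPrefix(r.URL.Path, "/repos/octo/widget/compare/")
		base, target, ok := strings.Cut(spec, "...")
		if !ok || base != "main" {
			http.NotFound(w, r)
			return
		}
		var status string
		switch {
		case target == head:
			status = "identical"
		case onMain[target]:
			status = "behind"
		case target == "f1":
			status = "diverged" // fork commit: shares an ancestor with main but is not on it
		default:
			http.NotFound(w, r) // unknown hash
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"status": status})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newFakeGitHub()
	defer srv.Close()
	for _, hash := range []string{"c2", "c3", "f1", "deadbeef"} {
		ok, err := branchContainsCommit(srv.Client(), srv.URL, "octo", "widget", hash)
		fmt.Printf("%-8s on default branch: %v (err: %v)\n", hash, ok, err)
	}
}
```

Two points worth keeping in mind when adapting this: an unknown hash produces an error rather than false, so a caller that wants "unverifiable" to fail closed must treat the error that way explicitly; and the check only establishes membership in the default branch, so a commit that was legitimately pushed to some other branch (a release branch, say) is also reported as not present, and it is the caller's decision whether to compare against additional branches.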

aibaars commented Dec 15, 2023

@spencerschrock The problem seems to have come back for the v2.22.11 release: github/codeql-action#2040 . The codeql-action just bumped their major version to v3. Could that be the cause of the problem?

spencerschrock (Contributor, Author) commented

Resolved in #518
