✨ Give low importance to github-owned actions

[nanikjava]

#802

• Please check if the PR fulfills these requirements

• Tests for the changes have been added (for bug fixes / features)
• PR title follows the guidelines defined in https://github.com/ossf/scorecard/blob/main/CONTRIBUTING.md#pr-process

• What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)

feature update

• Other information:
  close Give low importance to github-owned actions #802

[laurentsimon]

nit: start comments with capital letter and ends with full dot.

[laurentsimon]

do we need a regex or can we simplify by using strings.HasPrefix()?

[laurentsimon]

create a dedicated function, maybe isGitHubOwnedAction()

[laurentsimon]

the dependency check is the most complicated to work with. I think what you need is the following:

1. create new structure to store workflow pinned results, something like

type worklowPinningResult struct {
 thirdParties pinnedResult
 gitHubOwned pinnedResult
}

2. Create a function addPinnedWorkflowResult() to use for this case (here)
3. You'll need a dataAsWorkflowResultPointer() to replace dataAsResultPointer() for this use case (here)
4. Update createReturnForIsGitHubActionsWorkflowPinned to calculate the score as we discussed earlier.

Let me know if this clarifies things.

Thanks again for taking the time to contribute!

[nanikjava]

Thank you @laurentsimon for the comments and pointer on what to do.

I've updated the PR based from my understanding after reading your comments. Kindly give me your feedback 👍

[laurentsimon]

once you've updated your code, add some unit tests to verify your code does what we expect it to do.

[laurentsimon]

nit: end comment with full stop.

[laurentsimon]

nitL rename to dataAsWorkflowResultPointer

[laurentsimon]

you need a new function to return the values. The function needs to look at both gitHubOwned and thirdParties to calculate the score.

[laurentsimon]

you need a new function addWorkflowPinnedResult that takes * worklowPinningResult as input. You can access and set gitHubOwned and thirdParties accordingly inside that function.

[laurentsimon]

this is where you should call addWorkflowPinnedResult to set gitHubOwned and/or thirdParties

[nanikjava]

Thank you @laurentsimon

I've updated the code based on your feedback but I'm still uncertain about the following:

• If in the workflow file there is following uses

uses: actions/checkout@daadedc81d5f9d3c06d2c92f49202a3cc2b919ba
uses: github/codeql-action/init@v2

does this mean that the gitHubOwned will have value pinned because one of the uses has a full hash ?

• If in the workflow file there is following uses

uses: no-github/checkout@daadedc81d5f9d3c06d2c92f49202a3cc2b919ba
uses: no-github/codeql-action/init@v2

does this mean that the thirdParties will have value pinned because one of the uses has a full hash ?

• Added a separate function to do the calculation but unsure if this is the correct way to calculate ? can you please let me know.

Apology for going back and forth as I'm still trying to nail the logic down and understand it properly.

Once I get the logic correct will add more test cases and fix any broken fix test cases.

[laurentsimon]

we're in the right direction. Add the unit tests and I'll review everything.
Note: I'm OOO from 01-Sept to 07-Sept so expect some delays for me to LGTM the PR.
Sorry about that!

[laurentsimon]

initialize to checker.MinResultScore instead of 0

[laurentsimon]

this case not needed since checker.MinResultScore is 0. I think we can simplify the switch and use a single if as:

if r.gitHubOwned != notPinned {
   score += 2
}

his will also take care of the case when r.gitHubOwned is pinnedUndefined which means we found no GitHub-owned actions in the workflow.

[laurentsimon]

same comment as above.

[laurentsimon]

We can simplify addWorkflowPinnedResult by adding 1 additionalbool: isGitHub. The function can then internally call addPinnedResult(). Something like:

githubOwned := isGitHubOwnedAction(step.Uses)
addWorkflowPinnedResult(pdata, match, githubOwned)

func addWorkflowPinnedResult(r * worklowPinningResult, to, isGitHub bool) {
  if isGitHub {
   addPinnedResult(&r.gitHubOwned, to) 
 } else {
  addPinnedResult(&r.thirdParties, to) 
}

[laurentsimon]

see comment above to simplify

[nanikjava]

@laurentsimon PR has been modified per your suggestion and test has been added. Thank you.

[laurentsimon]

Thank you for the hard work, this is great!
I think the next PR will be perfect and we can merge. I'm OOO until 07 Sept so expect some delay for my last LGTM. Sorry about that.

[laurentsimon]

move the Info() inside the if r.gitHubOwned != notPinned.
Also add a call to Info() inside the if r.thirdParties != notPinned.

Use a different message for the call to Call(), and use Info3() as in https://github.com/ossf/scorecard/blob/main/checks/permissions.go#L66. Say

Info3(&checker.LogMessage{
	Path: PATH2FILE, Type: checker.FileTypeSource, Offset: LINE_NO, Snippet: SNIPPET,
	Text: fmt.Sprintf("%s %s"), "GitHub-owned", infoMsg,
	})
Info3(&checker.LogMessage{
	Path: PATH2FILE, Type: checker.FileTypeSource, Offset: LINE_NO, Snippet: SNIPPET,
	Text: fmt.Sprintf("%s %s"), "Third-party", infoMsg,
	})

If you're not sure how to get the line numbers and snippet, omit them and just add a //TODO: set Snippet and line numbers.

Last point: call createReturnValuesForGitHubActionsWorkflowPinned() with a generic message "actions are pinned"

[laurentsimon]

update this message as I said in comment above.

[laurentsimon]

should this file be renamed to workflow-github-pinned.yaml since it only contains pinned GitHub-owned actions?

[laurentsimon]

please add additional unit tests:

1. mix of pinned and non-pinned GitHub actions. score should be 8
2. mixed of pinned and non-pinned non-GitHub dependencies. score should be 2
3. mixed of the above. score should be 0
4. all github and 3p actions pinned. score should be 10. For this one, you can simply update an existing workflow instead of creating a new file. Or you can create a new file: up to you.

[laurentsimon]

@inferno-chromium please LGTM and merge this PR once the changes above have been made. Otherwise it will have to wait until I'm back from OOO on 08 Sept.

[nanikjava]

@inferno-chromium please LGTM and merge this PR once the changes above have been made. Otherwise it will have to wait until I'm back from OOO on 08 Sept.

@inferno-chromium PR has been updated based on @laurentsimon feedback. Thanks.

The build/license boilerplate check (pull_request) failed due to some issue with protoc, don't have permission to re-run it.

[laurentsimon]

LGTM. I Left a single comment in the unit test. Just address it and update your branch.
I'll check what''s wrong with the protobuf issue.

[laurentsimon]

the protobuf problem in the check may be due to your branch being out-of-date. The problem was solved recently and hopefully will go away when you update your fork.