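#!/bin/bash
# Copyright 2021 Security Scorecard Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Action entrypoint: reads the action inputs (INPUT_*) and the runner
# environment (GITHUB_*), looks up repository metadata through the REST API,
# validates the triggering event, runs the scorecard binary and finally
# echoes the results file through `jq '.'`.
#
# Required environment: INPUT_REPO_TOKEN, INPUT_RESULTS_FILE,
# INPUT_RESULTS_FORMAT, INPUT_PUBLISH_RESULTS, GITHUB_REPOSITORY, GITHUB_REF,
# GITHUB_EVENT_NAME, GITHUB_EVENT_PATH, GITHUB_WORKSPACE.
set -euo pipefail

# https://docs.github.com/en/actions/learn-github-actions/environment-variables
# GITHUB_EVENT_PATH contains the json file for the event.
# GITHUB_SHA contains the commit hash.
# GITHUB_WORKSPACE contains the repo folder.
# GITHUB_EVENT_NAME contains the event name.
# GITHUB_ACTIONS is true in GitHub env.
export GITHUB_AUTH_TOKEN="$INPUT_REPO_TOKEN"
export ENABLE_SARIF=1
export ENABLE_LICENSE=1
export ENABLE_DANGEROUS_WORKFLOW=1
export SCORECARD_POLICY_FILE="/policy.yml" # Copied at docker image creation.
export SCORECARD_RESULTS_FILE="$INPUT_RESULTS_FILE"
export SCORECARD_RESULTS_FORMAT="$INPUT_RESULTS_FORMAT"
export SCORECARD_PUBLISH_RESULTS="$INPUT_PUBLISH_RESULTS"
export SCORECARD_BIN="/scorecard"
export ENABLED_CHECKS=

## ============================== WARNING ======================================
# https://docs.github.com/en/actions/learn-github-actions/environment-variables
# export SCORECARD_PRIVATE_REPOSITORY="$(jq '.repository.private' $GITHUB_EVENT_PATH)"
# export SCORECARD_DEFAULT_BRANCH="refs/heads/$(jq -r '.repository.default_branch' $GITHUB_EVENT_PATH)"
#
# The $GITHUB_EVENT_PATH file produces:
# private: null
# default_branch: null
#
# for trigger event `schedule`. This is a bug.
# So instead we use the REST API to retrieve the data.
#
# Boolean inputs are strings https://github.com/actions/runner/issues/1483.
# ===============================================================================

#######################################
# Look the repository up through the REST API and export the metadata the
# rest of the script needs.
# Globals:   GITHUB_AUTH_TOKEN, GITHUB_REPOSITORY, GITHUB_API_URL (read);
#            SCORECARD_PRIVATE_REPOSITORY, SCORECARD_DEFAULT_BRANCH,
#            SCORECARD_IS_FORK (written, exported)
# Outputs:   diagnostics to stderr on a transport error
# Returns:   exits 1 when the API cannot be reached
#######################################
fetch_repo_info() {
  local url repo_json
  # GITHUB_API_URL is provided by the runner; fall back to github.com.
  url="${GITHUB_API_URL:-https://api.github.com}/repos/${GITHUB_REPOSITORY}"
  # Keep the response in memory instead of writing ./repo_info.json: the
  # working directory may be the checked-out repository, and a fixed file name
  # there could clobber a tracked file.
  # -sS: no progress meter, but transport errors are still reported.
  # No --fail on purpose: an authentication error body is still parsed so that
  # check_token can explain the problem; jq -r then yields the string "null".
  if ! repo_json=$(curl -sS -H "Authorization: Bearer $GITHUB_AUTH_TOKEN" "$url"); then
    echo "Unable to reach $url." >&2
    exit 1
  fi
  SCORECARD_PRIVATE_REPOSITORY="$(jq -r '.private' <<<"$repo_json")"
  SCORECARD_DEFAULT_BRANCH="refs/heads/$(jq -r '.default_branch' <<<"$repo_json")"
  SCORECARD_IS_FORK="$(jq -r '.fork' <<<"$repo_json")"
  export SCORECARD_PRIVATE_REPOSITORY SCORECARD_DEFAULT_BRANCH SCORECARD_IS_FORK
}

#######################################
# Fail early when the token is empty or the metadata lookup did not work.
# Globals:   GITHUB_AUTH_TOKEN, SCORECARD_IS_FORK, SCORECARD_DEFAULT_BRANCH,
#            GITHUB_REPOSITORY (read)
# Outputs:   guidance to stdout / stderr
# Returns:   exits 1 on either condition
#######################################
check_token() {
  if [[ -z "$GITHUB_AUTH_TOKEN" ]]; then
    echo "The 'repo_token' variable is empty."
    if [[ "$SCORECARD_IS_FORK" == "true" ]]; then
      echo "We have detected you are running on a fork."
    fi
    echo "Please follow the instructions at https://github.com/ossf/scorecard-action#authentication to create the read-only PAT token."
    exit 1
  fi
  # A missing default_branch means the API answered with an error document
  # (for example bad credentials). Without this check the non-existent ref
  # refs/heads/null would be compared against GITHUB_REF below.
  if [[ "$SCORECARD_DEFAULT_BRANCH" == "refs/heads/null" ]]; then
    echo "Unable to read repository metadata for '$GITHUB_REPOSITORY'; check that 'repo_token' is valid and can read the repository." >&2
    exit 1
  fi
}

#######################################
# Reject runs on anything but a pull request or the default branch.
# Globals:   GITHUB_EVENT_NAME, GITHUB_REF, SCORECARD_DEFAULT_BRANCH (read)
# Outputs:   explanation to stdout
# Returns:   exits 1 when the ref is not supported
#######################################
check_event() {
  # Note: this will fail if we push to a branch on the same repo, so it will
  # show as failing on forked repos.
  if [[ "$GITHUB_EVENT_NAME" != "pull_request"* && "$GITHUB_REF" != "$SCORECARD_DEFAULT_BRANCH" ]]; then
    echo "$GITHUB_REF not supported with '$GITHUB_EVENT_NAME' event."
    echo "Only the default branch '$SCORECARD_DEFAULT_BRANCH' is supported"
    exit 1
  fi
}

#######################################
# Build the scorecard command line and write its output to the results file.
# Globals:   GITHUB_EVENT_NAME, GITHUB_REPOSITORY, SCORECARD_BIN,
#            SCORECARD_RESULTS_FORMAT, SCORECARD_POLICY_FILE,
#            SCORECARD_RESULTS_FILE (read); ENABLED_CHECKS (written)
# Outputs:   scorecard output into $SCORECARD_RESULTS_FILE
# Returns:   the scorecard binary's exit status (fatal under set -e)
#######################################
run_scorecard() {
  local -a args
  if [[ "$GITHUB_EVENT_NAME" == "pull_request"* ]]; then
    # For pull request events, we run on a local folder.
    args=(--local .)
  else
    # For other events, we run on the repo.
    args=(--repo="$GITHUB_REPOSITORY")
  fi
  args+=(--format "$SCORECARD_RESULTS_FORMAT")
  # For the branch protection trigger, we only run the Branch-Protection check.
  # The arguments are appended as array elements rather than by word-splitting
  # $ENABLED_CHECKS; the export is kept so anything reading it still sees it.
  if [[ "$GITHUB_EVENT_NAME" == "branch_protection_rule" ]]; then
    export ENABLED_CHECKS="--checks Branch-Protection"
    args+=(--checks Branch-Protection)
  fi
  args+=(--show-details)
  # SCORECARD_POLICY_FILE is unset for non-sarif formats; ':-' keeps set -u quiet.
  if [[ -n "${SCORECARD_POLICY_FILE:-}" ]]; then
    args+=(--policy "$SCORECARD_POLICY_FILE")
  fi
  "$SCORECARD_BIN" "${args[@]}" > "$SCORECARD_RESULTS_FILE"
}

main() {
  fetch_repo_info

  # If the repository is private, never publish the results.
  if [[ "$SCORECARD_PRIVATE_REPOSITORY" == "true" ]]; then
    export SCORECARD_PUBLISH_RESULTS="false"
  fi

  # We only use the policy file if the request format is sarif.
  if [[ "$SCORECARD_RESULTS_FORMAT" != "sarif" ]]; then
    unset SCORECARD_POLICY_FILE
  fi

  echo "Event file: $GITHUB_EVENT_PATH"
  echo "Event name: $GITHUB_EVENT_NAME"
  echo "Ref: $GITHUB_REF"
  echo "Repository: $GITHUB_REPOSITORY"
  echo "Fork repository: $SCORECARD_IS_FORK"
  echo "Private repository: $SCORECARD_PRIVATE_REPOSITORY"
  echo "Publication enabled: $SCORECARD_PUBLISH_RESULTS"
  echo "Format: $SCORECARD_RESULTS_FORMAT"
  # After the unset above, a bare $SCORECARD_POLICY_FILE would abort under set -u.
  echo "Policy file: ${SCORECARD_POLICY_FILE:-}"
  echo "Default branch: $SCORECARD_DEFAULT_BRANCH"

  check_token
  check_event

  # It's important to change directories here, to ensure
  # the files in SARIF start at the source of the repo.
  # This allows GitHub to highlight the file.
  cd "$GITHUB_WORKSPACE"

  run_scorecard
  jq '.' "$SCORECARD_RESULTS_FILE"
}

main "$@"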