e2e Scorecard action tests for differences in functionality between Scorecard action implemented in Bash and the updated version implemented using Golang. These e2e tests will be used until the release of Scorecard Golang action after which these tests will be modified to run regular e2e testing.
For testing functionality difference between the 2 implementations, we need a setup which can invoke these implementations through a GitHub Action on the same repo/commitSHA. We achieve this by:
- The 2 implementations are built using 2 separate Dockerfiles.
./Dockerfilefor Bash and./Dockerfile.golangfor Golang. - A CloudBuild trigger uses
./cloudbuild.yamlto continuously build and generate the Golang Docker image. This also helps reduce run time during the actual GitHub Action run. The generated Docker image is taggedscorecard-action:latest. - Bash implementation at
HEADis invoked by referencing:uses: ossf/scorecard-action@mainin a GitHub workflow file. - The same repository invokes Golang implementation by referencing:
uses: gcr.io/openssf/scorecard-action:latest - The artifact (SARIF file) produced by these 2 implementations are diff-ed to verify functional similarity. This step is not yet automated and is largely manual.
The e2e tests for the action is run by running the action every day on a cron
for different use cases. The action that run points to @main which helps in
catching issues sooner.
If these actions fails to run these actions would create an issue in the repository using https://github.com/naveensrinivasan/Create-GitHub-Issue
The actions primarily run out of https://github.com/ossf-tests organization.
| Testcase | Repository | Status. |
|---|---|---|
| Fork | https://github.com/ossf-tests/scorecard-action |  |
| Non-main-branch | https://github.com/ossf-tests/scorecard-action-non-main-branch |  |
| Private repository | https://github.com/test-organization-ls/scorecard-action-private-repo-tests |  |
| Fork-golang-staging | https://github.com/ossf-tests/scorecard-action
|
| Non-main-branch-golang-staging |
https://github.com/ossf-tests/scorecard-action-non-main-branch |
|Private
repository-golang-staging|https://github.com/test-organization-ls/scorecard-action-private-repo-tests|[](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecards-golang.yml)
%5D(https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecards-golang.yml){kind=link}
- Here is the sarif results diff between main and golang-staging. There are
few text diffs
https://github.com/ossf-tests/scorecard-action-results/pull/1/files. The PR
is for golang run results. The
mainbranch has thescorecard-actionmainbranch run results.
- Create a new repository in the
ossf-testsorganization - Clone this workflow https://github.com/ossf-tests/scorecard-action-non-main-branch/blob/other/.github/workflows/scorecard-analysis.yml which has the steps to create an issue if the action fails to run. If the action fails it should create an issue like this #147