🌱 Allow for publish URL override (#811)

* Allow for URL override * Tag a new release * Unit test * Update to internal_publish_base_url
ossf · Aug 18, 2022 · 08dd0ce · 08dd0ce
1 parent 1ae54ed
commit 08dd0ce
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 12 deletions.
diff --git a/action.yaml b/action.yaml
@@ -37,6 +37,11 @@ inputs:
     required: false
     default: false
 
+  internal_publish_base_url:
+    description: "INPUT: Base URL for publishing results. Used for testing."
+    required: false
+    default: "https://api.securityscorecards.dev"
+
   internal_default_token:
     description: "INPUT: Default GitHub token. (Internal purpose only, not intended for developers to set. Used for pull requests configured with a PAT)."
     required: false
@@ -48,4 +53,4 @@ branding:
 
 runs:
   using: "docker"
-  image: "docker://gcr.io/openssf/scorecard-action:v2.0.0-alpha.1"
+  image: "docker://gcr.io/openssf/scorecard-action:v2.0.0-alpha.2"
diff --git a/options/env.go b/options/env.go
@@ -38,11 +38,12 @@ const (
 
 	// TODO(input): INPUT_ constants should be removed in a future release once
 	//              they have replacements in upstream scorecard.
-	EnvInputRepoToken         = "INPUT_REPO_TOKEN"             //nolint:gosec
-	EnvInputInternalRepoToken = "INPUT_INTERNAL_DEFAULT_TOKEN" //nolint:gosec
-	EnvInputResultsFile       = "INPUT_RESULTS_FILE"
-	EnvInputResultsFormat     = "INPUT_RESULTS_FORMAT"
-	EnvInputPublishResults    = "INPUT_PUBLISH_RESULTS"
+	EnvInputRepoToken              = "INPUT_REPO_TOKEN"             //nolint:gosec
+	EnvInputInternalRepoToken      = "INPUT_INTERNAL_DEFAULT_TOKEN" //nolint:gosec
+	EnvInputResultsFile            = "INPUT_RESULTS_FILE"
+	EnvInputResultsFormat          = "INPUT_RESULTS_FORMAT"
+	EnvInputPublishResults         = "INPUT_PUBLISH_RESULTS"
+	EnvInputInternalPublishBaseURL = "INPUT_INTERNAL_PUBLISH_BASE_URL"
 )
 
 // Errors

diff --git a/signing/signing.go b/signing/signing.go
@@ -33,8 +33,6 @@ import (
 	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
 )
 
-const scorecardAPI = "https://api.securityscorecards.dev"
-
 // SignScorecardResult signs the results file and uploads the attestation to the Rekor transparency log.
 func SignScorecardResult(scorecardResultsFile string) error {
 	if err := os.Setenv("COSIGN_EXPERIMENTAL", "true"); err != nil {
@@ -108,10 +106,7 @@ func ProcessSignature(jsonPayload []byte, repoName, repoRef, accessToken string)
 
 	// Call scorecard-webapp-api to process and upload signature.
 	// Setup HTTP request and context.
-	apiURL := scorecardAPI
-	if scorecardURL, exists := os.LookupEnv("SCORECARD_API_URL"); exists {
-		apiURL = scorecardURL
-	}
+	apiURL := os.Getenv(options.EnvInputInternalPublishBaseURL)
 	rawURL := fmt.Sprintf("%s/projects/github.com/%s", apiURL, repoName)
 	parsedURL, err := url.Parse(rawURL)
 	if err != nil {

diff --git a/signing/signing_test.go b/signing/signing_test.go
@@ -19,6 +19,8 @@ package signing
 import (
 	"os"
 	"testing"
+
+	"github.com/ossf/scorecard-action/options"
 )
 
 // TODO: For this test to work, fake the OIDC token retrieval with something like.
@@ -80,6 +82,7 @@ func Test_ProcessSignature(t *testing.T) {
 	repoName := "ossf-tests/scorecard-action"
 	repoRef := "refs/heads/main"
 	accessToken := os.Getenv("GITHUB_AUTH_TOKEN")
+	os.Setenv(options.EnvInputInternalPublishBaseURL, "https://api.securityscorecards.dev")
 
 	if err != nil {
 		t.Errorf("Error reading testdata:, %v", err)