From 8efe025f70a29a99f45a21ce79da27daec4d8728 Mon Sep 17 00:00:00 2001
From: Azeem Shaikh
Date: Mon, 15 Aug 2022 12:40:59 -0400
Subject: [PATCH] Create a new release v2.0.0-alpha.1 (#803)
---
 action.yaml | 4 +---
 signing/signing.go | 8 +++++++-
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/action.yaml b/action.yaml
index fca85f3f..d5e86fd0 100644
--- a/action.yaml
+++ b/action.yaml
@@ -48,6 +48,4 @@ branding:
 runs:
 using: "docker"
- image: "docker://gcr.io/openssf/scorecard-action:v2.0.0-beta.1"
-
-
+ image: "docker://gcr.io/openssf/scorecard-action:v2.0.0-alpha.1"
diff --git a/signing/signing.go b/signing/signing.go
index 9590b44a..4c2478b1 100644
--- a/signing/signing.go
+++ b/signing/signing.go
@@ -33,6 +33,8 @@ import (
 "github.com/sigstore/cosign/cmd/cosign/cli/sign"
 )
+const scorecardAPI = "https://api.securityscorecards.dev"
+
 // SignScorecardResult signs the results file and uploads the attestation to the Rekor transparency log.
 func SignScorecardResult(scorecardResultsFile string) error {
 if err := os.Setenv("COSIGN_EXPERIMENTAL", "true"); err != nil {
@@ -106,7 +108,11 @@ func ProcessSignature(jsonPayload []byte, repoName, repoRef, accessToken string)
 // Call scorecard-webapp-api to process and upload signature.
 // Setup HTTP request and context.
- rawURL := fmt.Sprintf("https://api.securityscorecards.dev/projects/github.com/%s", repoName)
+ apiURL := scorecardAPI
+ if scorecardURL, exists := os.LookupEnv("SCORECARD_API_URL"); exists {
+ apiURL = scorecardURL
+ }
+ rawURL := fmt.Sprintf("%s/projects/github.com/%s", apiURL, repoName)
 parsedURL, err := url.Parse(rawURL)
 if err != nil {
 return fmt.Errorf("parsing Scorecard API endpoint: %w", err)
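Review bot: The `SCORECARD_API_URL` override in ProcessSignature is used verbatim, so a set-but-empty variable produces the relative URL `/projects/github.com/<repo>`, which `url.Parse` accepts, and an `http://` value is taken without complaint. That matters because this function also receives `accessToken` and presumably sends it with the request; the rest of the body is outside the hunk, so confirm what the request carries. Treat empty as unset with `if scorecardURL := os.Getenv("SCORECARD_API_URL"); scorecardURL != "" {`, and after `url.Parse` return an error when `parsedURL.Host == ""` or, unless plain HTTP is needed for local testing, when `parsedURL.Scheme != "https"`. A doc comment on `scorecardAPI` naming the override variable, plus a log line whenever a non-default endpoint is used, would make a redirected upload visible in the workflow logs.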