[WIP] cmd/installer: Cleanups (2/n) (#833)

- go.mod: Update to github.com/google/go-github/v46
- install/github: Comment out GitHub client code
- install/github: Use scorecard roundtripper for authentication
- install/github: Restore commented-out code
- Fix lint warnings
- install: Skip workflow creation if file already exists
- install: Don't block PR creation if the workflow file does not exist
- install/github: Reference pull request link in log message
- install: Parameterize method inputs
- install: Improve pull request description
- Move repo installation tool to cmd/ directory
- cmd/installer: Update installation instructions
- install: Improve log messages
- install: Restructure `Run()` function to reduce cognitive complexity
- install/github: Add functions for generating GitHub API options

Signed-off-by: Stephen Augustus <foo@auggie.dev>

README.md

@@ -148,7 +148,7 @@ If you use a PAT saved as an encrypted secret and the run is still failing, conf
 
 If you prefer to manually set up the Scorecards GitHub Action, you will need to set up a [workflow file](https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions).
 
-First, [create a new file](https://docs.github.com/en/repositories/working-with-files/managing-files/creating-new-files) in this location: `[yourrepo]/.github/workflows/scorecards-analysis.yml`. Then use the input values below.
+First, [create a new file](https://docs.github.com/en/repositories/working-with-files/managing-files/creating-new-files) in this location: `[yourrepo]/.github/workflows/scorecards.yml`. Then use the input values below.
 
 
 ### Inputs

cmd/installer/README.md

@@ -0,0 +1,38 @@
+# Scorecard GitHub Action installer
+
+This tool can add the
+[scorecard GitHub Action](https://github.com/ossf/scorecard-action) to all
+accessible repositories under a given organization. A pull request will be
+created so that owners can decide whether or not they want to include the
+workflow.
+
+## Requirements
+
+Running this tool requires a Personal Access Token (PAT) with the following scopes:
+
+- `repo > public_repo`
+- `admin:org > read:org`
+
+Instructions on creating a personal access token can be found
+[here](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token).
+
+## Usage
+
+```console
+❯ go run cmd/installer/main.go --help
+
+The Scorecard GitHub Action installer simplifies the installation of the
+scorecard GitHub Action by creating pull requests through the command line.
+
+Usage:
+  --owner example_org [--repos <repo1,repo2,repo3>] [flags]
+
+Flags:
+  -h, --help            help for --owner
+      --owner string    org/owner to install the scorecard action for
+      --repos strings   repositories to install the scorecard action on
+```
+
+Another PAT should also be defined as an organization secret for
+`scorecards.yml` using steps listed in
+[scorecard-action](https://github.com/ossf/scorecard-action#pat-token-creation).

multi-repo-action/main_test.go → cmd/installer/main_test.go

@@ -19,7 +19,7 @@
 package main
 
 import (
-	"github.com/google/go-github/v42/github"
+	"github.com/google/go-github/v46/github"
 )
 
 var client *github.Client

entrypoint/entrypoint.go

@@ -81,7 +81,7 @@ func New() (*cobra.Command, error) {
 	actionCmd.PersistentPostRun = func(cmd *cobra.Command, args []string) {
 		if out != nil {
 			if _, err = out.Seek(0, io.SeekStart); err == nil {
-				// nolint:errcheck
+				//nolint:errcheck
 				_, _ = io.Copy(stdout, out)
 			}
 			_ = out.Close()

github/github.go

@@ -62,6 +62,11 @@ func (c *Client) SetTransport(rt http.RoundTripper) {
 	c.rt = rt
 }
 
+// Transport returns the http.RoundTripper for a GitHub client.
+func (c *Client) Transport() http.RoundTripper {
+	return c.rt
+}
+
 // SetDefaultTransport sets the scorecard roundtripper for a GitHub client.
 func (c *Client) SetDefaultTransport() {
 	logger := sclog.NewLogger(sclog.DefaultLevel)

go.mod

@@ -5,16 +5,11 @@ go 1.18
 require (
 	github.com/caarlos0/env/v6 v6.9.3
 	github.com/google/go-cmp v0.5.8
-	github.com/google/go-github/v42 v42.0.0
-	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79
+	github.com/google/go-github/v46 v46.0.0
 	github.com/ossf/scorecard/v4 v4.6.0
 	github.com/sigstore/cosign v1.11.0
-	github.com/sirupsen/logrus v1.9.0
 	github.com/spf13/cobra v1.5.0
 	golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48
-	golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c
-	sigs.k8s.io/release-sdk v0.9.2
-	sigs.k8s.io/release-utils v0.7.3
 )
 
 require (
@@ -36,9 +31,7 @@ require (
 	github.com/Microsoft/go-winio v0.5.2 // indirect
 	github.com/PaesslerAG/gval v1.0.0 // indirect
 	github.com/PaesslerAG/jsonpath v0.1.1 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
 	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
-	github.com/acomagu/bufpipe v1.0.3 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 	github.com/aws/aws-sdk-go-v2 v1.16.11 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.17.0 // indirect
@@ -58,7 +51,6 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/speakeasy v0.1.0 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
-	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/bombsimon/logrusr/v2 v2.0.1 // indirect
 	github.com/bradleyfalzon/ghinstallation/v2 v2.1.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
@@ -83,16 +75,12 @@ require (
 	github.com/docker/docker-credential-helpers v0.6.4 // indirect
 	github.com/dustin/go-humanize v1.0.0 // indirect
 	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
-	github.com/emirpasic/gods v1.12.0 // indirect
 	github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 // indirect
 	github.com/envoyproxy/protoc-gen-validate v0.6.2 // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/fullstorydev/grpcurl v1.8.6 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
-	github.com/go-git/gcfg v1.5.0 // indirect
-	github.com/go-git/go-billy/v5 v5.3.1 // indirect
-	github.com/go-git/go-git/v5 v5.4.2 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.21.2 // indirect
@@ -144,14 +132,12 @@ require (
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
-	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
 	github.com/jhump/protoreflect v1.12.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jonboulle/clockwork v0.3.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
 	github.com/klauspost/compress v1.15.8 // indirect
 	github.com/leodido/go-urn v1.2.1 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20220723181115-27de4befb95e // indirect
@@ -175,7 +161,6 @@ require (
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
-	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.12.2 // indirect
@@ -189,13 +174,13 @@ require (
 	github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
-	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/shurcooL/githubv4 v0.0.0-20201206200315-234843c633fa // indirect
 	github.com/shurcooL/graphql v0.0.0-20200928012149-18c5c3165e3a // indirect
 	github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7 // indirect
 	github.com/sigstore/rekor v0.10.0 // indirect
 	github.com/sigstore/sigstore v1.4.0 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/soheilhy/cmux v0.1.5 // indirect
 	github.com/spf13/afero v1.8.2 // indirect
@@ -216,7 +201,6 @@ require (
 	github.com/urfave/cli v1.22.7 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
 	github.com/xanzy/go-gitlab v0.72.0 // indirect
-	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
 	github.com/zeebo/errs v1.2.2 // indirect
 	go.etcd.io/bbolt v1.3.6 // indirect
@@ -247,6 +231,7 @@ require (
 	gocloud.dev v0.26.0 // indirect
 	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
+	golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c // indirect
 	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
 	golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
 	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect
@@ -264,7 +249,6 @@ require (
 	gopkg.in/ini.v1 v1.66.6 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
-	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.24.0 // indirect
@@ -275,6 +259,7 @@ require (
 	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
 	mvdan.cc/sh/v3 v3.5.1 // indirect
 	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
+	sigs.k8s.io/release-utils v0.7.3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )