diff --git a/README.md b/README.md index b2fb7be3..c7343354 100644 --- a/README.md +++ b/README.md @@ -148,7 +148,7 @@ If you use a PAT saved as an encrypted secret and the run is still failing, conf If you prefer to manually set up the Scorecards GitHub Action, you will need to set up a [workflow file](https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions). -First, [create a new file](https://docs.github.com/en/repositories/working-with-files/managing-files/creating-new-files) in this location: `[yourrepo]/.github/workflows/scorecards-analysis.yml`. Then use the input values below. +First, [create a new file](https://docs.github.com/en/repositories/working-with-files/managing-files/creating-new-files) in this location: `[yourrepo]/.github/workflows/scorecards.yml`. Then use the input values below. ### Inputs diff --git a/cmd/installer/README.md b/cmd/installer/README.md new file mode 100644 index 00000000..3bab2b31 --- /dev/null +++ b/cmd/installer/README.md 
@@ -0,0 +1,38 @@ +# Scorecard GitHub Action installer + +This tool can add the +[scorecard GitHub Action](https://github.com/ossf/scorecard-action) to all +accessible repositories under a given organization. A pull request will be +created so that owners can decide whether or not they want to include the +workflow. + +## Requirements + +Running this tool requires a Personal Access Token (PAT) with the following scopes: + +- `repo > public_repo` +- `admin:org > read:org` + +Instructions on creating a personal access token can be found +[here](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). + +## Usage + +```console +❯ go run cmd/installer/main.go --help + +The Scorecard GitHub Action installer simplifies the installation of the +scorecard GitHub Action by creating pull requests through the command line. + +Usage: + --owner example_org [--repos ] [flags] + +Flags: + -h, --help help for --owner + --owner string org/owner to install the scorecard action for + --repos strings repositories to install the scorecard action on +``` + +Another PAT should also be defined as an organization secret for +`scorecards.yml` using steps listed in +[scorecard-action](https://github.com/ossf/scorecard-action#pat-token-creation). diff --git a/multi-repo-action/main.go b/cmd/installer/main.go similarity index 100% rename from multi-repo-action/main.go rename to cmd/installer/main.go diff --git a/multi-repo-action/main_test.go b/cmd/installer/main_test.go similarity index 98% rename from multi-repo-action/main_test.go rename to cmd/installer/main_test.go index 36f4bdd8..fb91c2f2 100644 --- a/multi-repo-action/main_test.go +++ b/cmd/installer/main_test.go @@ -19,7 +19,7 @@ package main import ( - "github.com/google/go-github/v42/github" + "github.com/google/go-github/v46/github" ) var client *github.Client 
diff --git a/entrypoint/entrypoint.go b/entrypoint/entrypoint.go
old mode 100755
new mode 100644
index 67f183ca..b08dcb16
--- a/entrypoint/entrypoint.go
+++ b/entrypoint/entrypoint.go
@@ -81,7 +81,7 @@ func New() (*cobra.Command, error) {
 actionCmd.PersistentPostRun = func(cmd *cobra.Command, args []string) {
 if out != nil {
 if _, err = out.Seek(0, io.SeekStart); err == nil {
- // nolint:errcheck
+ //nolint:errcheck
 _, _ = io.Copy(stdout, out)
 }
 _ = out.Close()
diff --git a/github/github.go b/github/github.go
index 80ab9667..90acf4ef 100644
--- a/github/github.go
+++ b/github/github.go
@@ -62,6 +62,11 @@ func (c *Client) SetTransport(rt http.RoundTripper) {
 c.rt = rt
 }
 
+// Transport returns the http.RoundTripper for a GitHub client.
+func (c *Client) Transport() http.RoundTripper {
+ return c.rt
+}
+
 // SetDefaultTransport sets the scorecard roundtripper for a GitHub client.
 func (c *Client) SetDefaultTransport() {
 logger := sclog.NewLogger(sclog.DefaultLevel)
diff --git a/go.mod b/go.mod
index 24f9b146..fbba8283 100644
--- a/go.mod
+++ b/go.mod
@@ -5,16 +5,11 @@ go 1.18
 require (
 github.com/caarlos0/env/v6 v6.9.3
 github.com/google/go-cmp v0.5.8
- github.com/google/go-github/v42 v42.0.0
- github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79
+ github.com/google/go-github/v46 v46.0.0
 github.com/ossf/scorecard/v4 v4.6.0
 github.com/sigstore/cosign v1.11.0
- github.com/sirupsen/logrus v1.9.0
 github.com/spf13/cobra v1.5.0
 golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48
- golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c
- sigs.k8s.io/release-sdk v0.9.2
- sigs.k8s.io/release-utils v0.7.3
 )
 
 require (
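Review bot: The new `Transport()` getter in github/github.go returns `c.rt` as-is, so if neither `SetTransport` nor `SetDefaultTransport` has run it presumably yields nil, and a caller that places that into `&http.Client{Transport: ...}` (as install/github/github.go now does) gets `http.DefaultTransport` and silently issues unauthenticated requests. Whether a Client can reach that state depends on the constructor, which is outside this hunk, so at minimum the doc comment should state the contract: `// Transport returns the http.RoundTripper previously set via SetTransport or SetDefaultTransport (nil if neither has been called). It is the client's own instance, not a copy, so it carries whatever credentials the client was configured with.` If handing out nil is never intended, a one-line guard such as `if c.rt == nil { c.SetDefaultTransport() }` before the return would close that fail-open path, at the cost of making the getter mutate state. The consuming `http.Client` in install/github/github.go also sets no `Timeout`, so requests through it are bounded only by whatever ctx the caller supplies.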
@@ -36,9 +31,7 @@ require ( github.com/Microsoft/go-winio v0.5.2 // indirect github.com/PaesslerAG/gval v1.0.0 // indirect github.com/PaesslerAG/jsonpath v0.1.1 // indirect - github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect github.com/ThalesIgnite/crypto11 v1.2.5 // indirect - github.com/acomagu/bufpipe v1.0.3 // indirect github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect github.com/aws/aws-sdk-go-v2 v1.16.11 // indirect github.com/aws/aws-sdk-go-v2/config v1.17.0 // indirect @@ -58,7 +51,6 @@ require ( github.com/beorn7/perks v1.0.1 // indirect github.com/bgentry/speakeasy v0.1.0 // indirect github.com/blang/semver v3.5.1+incompatible // indirect - github.com/blang/semver/v4 v4.0.0 // indirect github.com/bombsimon/logrusr/v2 v2.0.1 // indirect github.com/bradleyfalzon/ghinstallation/v2 v2.1.0 // indirect github.com/cenkalti/backoff/v4 v4.1.3 // indirect @@ -83,16 +75,12 @@ require ( github.com/docker/docker-credential-helpers v0.6.4 // indirect github.com/dustin/go-humanize v1.0.0 // indirect github.com/emicklei/go-restful v2.9.5+incompatible // indirect - github.com/emirpasic/gods v1.12.0 // indirect github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 // indirect github.com/envoyproxy/protoc-gen-validate v0.6.2 // indirect github.com/fatih/color v1.13.0 // indirect github.com/fsnotify/fsnotify v1.5.4 // indirect github.com/fullstorydev/grpcurl v1.8.6 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect - github.com/go-git/gcfg v1.5.0 // indirect - github.com/go-git/go-billy/v5 v5.3.1 // indirect - github.com/go-git/go-git/v5 v5.4.2 // indirect github.com/go-logr/logr v1.2.3 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-openapi/analysis v0.21.2 // indirect 
@@ -144,14 +132,12 @@ require ( github.com/imdario/mergo v0.3.12 // indirect github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add // indirect github.com/inconshreveable/mousetrap v1.0.0 // indirect - github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect github.com/jhump/protoreflect v1.12.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/jonboulle/clockwork v0.3.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect github.com/klauspost/compress v1.15.8 // indirect github.com/leodido/go-urn v1.2.1 // indirect github.com/letsencrypt/boulder v0.0.0-20220723181115-27de4befb95e // indirect @@ -175,7 +161,6 @@ require ( github.com/opentracing/opentracing-go v1.2.0 // indirect github.com/pelletier/go-toml v1.9.5 // indirect github.com/pelletier/go-toml/v2 v2.0.1 // indirect - github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/prometheus/client_golang v1.12.2 // indirect 
@@ -189,13 +174,13 @@ require ( github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 // indirect github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect github.com/segmentio/ksuid v1.0.4 // indirect - github.com/sergi/go-diff v1.2.0 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect github.com/shurcooL/githubv4 v0.0.0-20201206200315-234843c633fa // indirect github.com/shurcooL/graphql v0.0.0-20200928012149-18c5c3165e3a // indirect github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7 // indirect github.com/sigstore/rekor v0.10.0 // indirect github.com/sigstore/sigstore v1.4.0 // indirect + github.com/sirupsen/logrus v1.9.0 // indirect github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect github.com/soheilhy/cmux v0.1.5 // indirect github.com/spf13/afero v1.8.2 // indirect @@ -216,7 +201,6 @@ require ( github.com/urfave/cli v1.22.7 // indirect github.com/vbatts/tar-split v0.11.2 // indirect github.com/xanzy/go-gitlab v0.72.0 // indirect - github.com/xanzy/ssh-agent v0.3.0 // indirect github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect github.com/zeebo/errs v1.2.2 // indirect go.etcd.io/bbolt v1.3.6 // indirect @@ -247,6 +231,7 @@ require ( gocloud.dev v0.26.0 // indirect golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect + golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c // indirect golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect @@ -264,7 +249,6 @@ require ( gopkg.in/ini.v1 v1.66.6 // indirect gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect - gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/api v0.24.0 // indirect 
@@ -275,6 +259,7 @@ require ( k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect mvdan.cc/sh/v3 v3.5.1 // indirect sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect + sigs.k8s.io/release-utils v0.7.3 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect sigs.k8s.io/yaml v1.3.0 // indirect ) diff --git a/go.sum b/go.sum index 7ee0e5b0..e4965304 100644 --- a/go.sum +++ b/go.sum @@ -237,8 +237,6 @@ github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v github.com/PaesslerAG/jsonpath v0.1.0/go.mod h1:4BzmtoM/PI8fPO4aQGIusjGxGir2BzcV0grWtFzq1Y8= github.com/PaesslerAG/jsonpath v0.1.1 h1:c1/AToHQMVsduPAa4Vh6xp2U0evy4t8SWp8imEsylIk= github.com/PaesslerAG/jsonpath v0.1.1/go.mod h1:lVboNxFGal/VwW6d9JzIy56bUsYAP6tH/x80vjnCseY= -github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 h1:YoJbenK9C67SkzkDfmQuVln04ygHj3vjZfd9FL+GmQQ= -github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/ReneKroon/ttlcache/v2 v2.11.0/go.mod h1:mBxvsNY+BT8qLLd6CuAJubbKo6r0jh3nb5et22bbfGY= 
@@ -249,8 +247,6 @@ github.com/StackExchange/wmi v1.2.1/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9 github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E= github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE= github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g= -github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk= -github.com/acomagu/bufpipe v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4= github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5/go.mod h1:SkGFH1ia65gfNATL8TAiHDNxPzPdmEL5uirI2Uyuz6c= github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs= github.com/alecthomas/kingpin v2.2.6+incompatible/go.mod h1:59OFYbFVLKQKq+mqrL6Rw5bR0c3ACQaawgXx0QYndlE= @@ -263,7 +259,6 @@ github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:C github.com/alexkohler/prealloc v1.0.0/go.mod h1:VetnK3dIgFBBKmg0YnD9F9x6Icjd+9cvfHR56wJVlKE= github.com/andybalholm/brotli v1.0.2/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y= github.com/andybalholm/brotli v1.0.3/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= -github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= 
@@ -285,7 +280,6 @@ github.com/armon/go-metrics v0.4.0 h1:yCQqn7dwca4ITXb+CbubHmedzaQYHhNhrEXLYUeEe8 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A= github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= @@ -403,8 +397,6 @@ github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAw github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= -github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= -github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/blizzy78/varnamelen v0.3.0/go.mod h1:hbwRdBvoBqxk34XyQ6HA0UH3G0/1TKuv5AC4eaBT0Ec= github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4= github.com/bombsimon/logrusr/v2 v2.0.1 h1:1VgxVNQMCvjirZIYaT9JYn6sAVGVEcNtRE0y4mvaOAM= 
@@ -669,7 +661,6 @@ github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkg github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao2r4iyvLdACqsl/Ljk= github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg= github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o= github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 
@@ -738,21 +729,11 @@ github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeME github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI= github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M= github.com/gin-gonic/gin v1.7.3/go.mod h1:jD2toBW3GZUr5UMcdrwQA10I7RuaFOl/SGeDjXkfUtY= -github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0= github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= github.com/go-critic/go-critic v0.6.1/go.mod h1:SdNCfU0yF3UBjtaZGw6586/WocupMOJuiqgom5DsQxM= -github.com/go-git/gcfg v1.5.0 h1:Q5ViNfGF8zFgyJWPqYwA7qGFoMTEiBmdlkcfRmpIMa4= -github.com/go-git/gcfg v1.5.0/go.mod h1:5m20vg6GwYabIxaOonVkTdrILxQMpEShl1xiMF4ua+E= -github.com/go-git/go-billy/v5 v5.2.0/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0= -github.com/go-git/go-billy/v5 v5.3.1 h1:CPiOUAzKtMRvolEKw+bG1PLRpT7D3LIs3/3ey4Aiu34= -github.com/go-git/go-billy/v5 v5.3.1/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0= -github.com/go-git/go-git-fixtures/v4 v4.2.1 h1:n9gGL1Ct/yIw+nfsfr8s4+sbhT+Ncu2SubfXjIWgci8= -github.com/go-git/go-git-fixtures/v4 v4.2.1/go.mod h1:K8zd3kDUAykwTdDCr+I0per6Y6vMiRR/nnVTBtavnB0= -github.com/go-git/go-git/v5 v5.4.2 h1:BXyZu9t0VkbiHtqrsvdq39UDhGJTl1h55VW6CSC4aY4= -github.com/go-git/go-git/v5 v5.4.2/go.mod h1:gQ1kArt6d+n+BGd+/B/I74HwRTLhth2+zti4ihgckDc= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw 
v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= @@ -1002,10 +983,10 @@ github.com/google/go-containerregistry v0.11.0/go.mod h1:BBaYtsHPHA42uEgAvd/Nejv github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM= github.com/google/go-github/v38 v38.1.0 h1:C6h1FkaITcBFK7gAmq4eFzt6gbhEhk7L5z6R3Uva+po= github.com/google/go-github/v38 v38.1.0/go.mod h1:cStvrz/7nFr0FoENgG6GLbp53WaelXucT+BBz/3VKx4= -github.com/google/go-github/v42 v42.0.0 h1:YNT0FwjPrEysRkLIiKuEfSvBPCGKphW5aS5PxwaoLec= -github.com/google/go-github/v42 v42.0.0/go.mod h1:jgg/jvyI0YlDOM1/ps6XYh04HNQ3vKf0CVko62/EhRg= github.com/google/go-github/v45 v45.2.0 h1:5oRLszbrkvxDDqBCNj2hjDZMKmvexaZ1xw/FCD+K3FI= github.com/google/go-github/v45 v45.2.0/go.mod h1:FObaZJEDSTa/WGCzZ2Z3eoCDXWJKMenWWTrd8jrta28= +github.com/google/go-github/v46 v46.0.0 h1:5TZiEw0Is5D9CPld0TSLPjShGr42L7PoyhUSl6KPMKM= +github.com/google/go-github/v46 v46.0.0/go.mod h1:l+/Ml209okuXUAjbvFnGZ2ntokVAhTtXvYWP8Di7OpU= github.com/google/go-licenses v0.0.0-20210329231322-ce1d9163b77d/go.mod h1:+TYOmkVoJOpwnS0wfdsJCV9CoD5nJYsHoFk/0CrTK4M= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= 
@@ -1112,7 +1093,6 @@ github.com/gostaticanalysis/nilerr v0.1.1/go.mod h1:wZYb6YI5YAxxq0i1+VJbY0s2YONW github.com/gostaticanalysis/testutil v0.3.1-0.20210208050101-bfb5c8eec0e4/go.mod h1:D+FIZ+7OahH3ePw/izIEeH5I06eKs1IKI4Xr64/Am3M= github.com/gostaticanalysis/testutil v0.4.0/go.mod h1:bLIoPefWXrRi/ssLFWX1dx7Repi5x3CuviD3dgAZaBU= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= 
@@ -1291,13 +1271,11 @@ github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0f github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= github.com/jackc/puddle v1.2.1/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= github.com/jarcoal/httpmock v1.0.5/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik= -github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b h1:ZGiXF8sz7PDk6RgkP+A/SFfUD0ZR/AgG6SpRNEDKZy8= github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b/go.mod h1:hQmNrgofl+IY/8L+n20H6E6PWBBTokdsv+q49j0QhsU= github.com/jellydator/ttlcache/v2 v2.11.1 h1:AZGME43Eh2Vv3giG6GeqeLeFXxwxn1/qHItqWZl6U64= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= -github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4= github.com/jgautheron/goconst v1.5.1/go.mod h1:aAosetZ5zaeC/2EfMeRswtxUFBpe2Hr7HzkgX4fanO4= github.com/jhump/gopoet v0.0.0-20190322174617-17282ff210b3/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI= github.com/jhump/gopoet v0.1.0/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI= 
@@ -1350,8 +1328,6 @@ github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4= github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA= github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= -github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 h1:DowS9hvgyYSX4TO5NpyC606/Z4SxnNYbT+WX27or6Ck= -github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= @@ -1429,8 +1405,6 @@ github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsI github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= github.com/marstr/guid v1.1.0/go.mod h1:74gB1z2wpxxInTG6yaqA7KrtM0NZ+RbrcqDvYHefzho= github.com/matoous/godox v0.0.0-20210227103229-6504466cf951/go.mod h1:1BELzlh859Sh1c6+90blK8lbYy0kwQf1bYlBhBysy1s= -github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA= -github.com/matryer/is v1.4.0 h1:sosSmIWwkYITGrxZ25ULNDeKiMNzFSr4V/eqBQP0PeE= github.com/matryer/is v1.4.0/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwMRU= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ= 
@@ -1658,7 +1632,6 @@ github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCko github.com/pelletier/go-toml/v2 v2.0.1 h1:8e3L2cCQzLFi2CR4g7vGFuFxX7Jl1kKX8gW+iV0GUKU= github.com/pelletier/go-toml/v2 v2.0.1/go.mod h1:r9LEWfGN8R5k0VXJ+0BkIe7MYkRdwZOjgMj2KwnJFUo= github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac= -github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d/go.mod h1:3OzsM7FXDQlpCiw2j81fOmAwQLnZnLGXVKUzeKQXIAw= github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc= @@ -1806,7 +1779,6 @@ github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= -github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs= github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= 
@@ -2009,8 +1981,6 @@ github.com/xanzy/go-gitlab v0.31.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfD github.com/xanzy/go-gitlab v0.72.0 h1:/9BQTftUE7GRK/RO1eeWxG1cOE+tjwBrvRdpkeSOq6w= github.com/xanzy/go-gitlab v0.72.0/go.mod h1:d/a0vswScO7Agg1CZNz15Ic6SSvBG9vfw8egL99t4kA= github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4= -github.com/xanzy/ssh-agent v0.3.0 h1:wUMzuKtKilRgBAD1sUb8gOwwRr2FGoBVumcjoOACClI= -github.com/xanzy/ssh-agent v0.3.0/go.mod h1:3s9xbODqPuuhK9JV1R321M/FlMZSBvE5aY6eAcqrDh0= github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs= github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g= @@ -2345,7 +2315,6 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= -golang.org/x/net v0.0.0-20210326060303-6b1517762897/go.mod h1:uSPa2vr4CLtc/ILN5odXGNXS6mhrKVzTaCXzk9m6W3k= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8= golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM= 
@@ -2529,7 +2498,6 @@ golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210502180810-71e4cd670f79/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210503080704-8803ae5d1324/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -3041,7 +3009,6 @@ gopkg.in/src-d/go-git-fixtures.v3 v3.5.0/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzW gopkg.in/src-d/go-git.v4 v4.13.1/go.mod h1:nx5NYcxdKxq5fpltdHnPa2Exj4Sx0EclMWZQbYDu2z8= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
@@ -3131,8 +3098,6 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyz sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY= -sigs.k8s.io/release-sdk v0.9.2 h1:DZSMGGYCQiatlH+eiCo+ARgH1MZZ+NbfWoLgY5Zw3bA= -sigs.k8s.io/release-sdk v0.9.2/go.mod h1:SLh9J+4RgNDE/yRER5Wd/QdsAxds1DYklpkCqztoOBw= sigs.k8s.io/release-utils v0.7.3 h1:6pS8x6c5RmdUgR9qcg1LO6hjUzuE4Yo9TGZ3DemrZdM= sigs.k8s.io/release-utils v0.7.3/go.mod h1:n0mVez/1PZYZaZUTJmxewxH3RJ/Lf7JUDh7TG1CASOE= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= diff --git a/install/github/github.go b/install/github/github.go index 403bff7c..32cfc987 100644 --- a/install/github/github.go +++ b/install/github/github.go 
@@ -19,181 +19,44 @@ package github import ( "context" "fmt" + "log" "net/http" - "os" - "path/filepath" - "strings" - "github.com/google/go-github/v42/github" - "github.com/gregjones/httpcache" - "github.com/gregjones/httpcache/diskcache" - "github.com/sirupsen/logrus" - "golang.org/x/oauth2" - kgh "sigs.k8s.io/release-sdk/github" - "sigs.k8s.io/release-utils/env" -) - -// From https://github.com/kubernetes-sigs/release-sdk/blob/e23d2c82bbb41a007cdf019c30930e8fd2649c01/github/github.go - -// GitHub is a wrapper around GitHub related functionality. -type GitHub struct { - client Client - options *Options -} - -// Client is an interface modeling supported GitHub operations. -type Client interface { - // TODO(install): Populate interface - CreateFile( - context.Context, string, string, string, *github.RepositoryContentFileOptions, - ) (*github.RepositoryContentResponse, *github.Response, error) - CreateGitRef( - context.Context, string, string, *github.Reference, - ) (*github.Reference, *github.Response, error) - CreatePullRequest( - context.Context, string, string, string, string, string, string, - ) (*github.PullRequest, error) - GetBranch( - context.Context, string, string, string, bool, - ) (*github.Branch, *github.Response, error) - GetContents( - context.Context, string, string, string, *github.RepositoryContentGetOptions, - ) (*github.RepositoryContent, []*github.RepositoryContent, *github.Response, error) - GetRepositoriesByOrg( - context.Context, string, - ) ([]*github.Repository, *github.Response, error) - GetRepository( - context.Context, string, string, - ) (*github.Repository, *github.Response, error) -} + gogh "github.com/google/go-github/v46/github" -// Options is a set of options to configure the behavior of the GitHub package. -type Options struct { - // How many items to request in calls to the github API - // that require pagination. 
- ItemsPerPage int -} + "github.com/ossf/scorecard-action/github" +) -// GetItemsPerPage // TODO(github): needs comment. -func (o *Options) GetItemsPerPage() int { - return o.ItemsPerPage +// Client is a wrapper around GitHub-related functionality. +type Client struct { + *gogh.Client } -// DefaultOptions return an options struct with commonly used settings. -func DefaultOptions() *Options { - return &Options{ - ItemsPerPage: 50, +// New returns a new GitHub client. +func New(ctx context.Context) *Client { + c := github.NewClient(ctx) + hc := &http.Client{ + Transport: c.Transport(), } -} - -// SetClient can be used to manually set the internal GitHub client. -func (g *GitHub) SetClient(client Client) { - g.client = client -} + gh := gogh.NewClient(hc) + client := &Client{gh} -// Client can be used to retrieve the Client type. -func (g *GitHub) Client() Client { - return g.client -} - -// SetOptions gets an options set for the GitHub object. -func (g *GitHub) SetOptions(opts *Options) { - g.options = opts -} - -// Options return a pointer to the options struct. -func (g *GitHub) Options() *Options { - return g.options -} - -// TODO: we should clean up the functions listed below and agree on the same -// return type (with or without error): -// - New -// - NewWithToken -// - NewEnterprise -// - NewEnterpriseWithToken - -// New creates a new default GitHub client. Tokens set via the $GITHUB_TOKEN -// environment variable will result in an authenticated client. -// If the $GITHUB_TOKEN is not set, then the client will do unauthenticated -// GitHub requests. -func New() *GitHub { - token := env.Default(kgh.TokenEnvKey, "") - client, _ := NewWithToken(token) // nolint: errcheck return client } -// NewWithToken can be used to specify a GitHub token through parameters. -// Empty string will result in unauthenticated client, which makes -// unauthenticated requests. 
-func NewWithToken(token string) (*GitHub, error) { - ctx := context.Background() - client := http.DefaultClient - state := "unauthenticated" - if token != "" { - state = strings.TrimPrefix(state, "un") - client = oauth2.NewClient(ctx, oauth2.StaticTokenSource( - &oauth2.Token{AccessToken: token}, - )) - } - cacheDir, err := os.UserCacheDir() - if err != nil { - logrus.Infof("Unable to retrieve user cache dir: %v", err) - cacheDir = os.TempDir() - } - dir := filepath.Join(cacheDir, "kubernetes", "release-sdk", "github") - logrus.Debugf("Caching GitHub responses in %v", dir) - t := httpcache.NewTransport(diskcache.New(dir)) - client.Transport = t.Transport +// Modeled after +// https://github.com/kubernetes-sigs/release-sdk/blob/e23d2c82bbb41a007cdf019c30930e8fd2649c01/github/github.go - logrus.Debugf("Using %s GitHub client", state) - return &GitHub{ - client: &githubClient{github.NewClient(client)}, - options: DefaultOptions(), - }, nil -} - -// NewEnterprise // TODO(github): needs comment. -func NewEnterprise(baseURL, uploadURL string) (*GitHub, error) { - token := env.Default(kgh.TokenEnvKey, "") - return NewEnterpriseWithToken(baseURL, uploadURL, token) -} - -// NewEnterpriseWithToken // TODO(github): needs comment. 
-func NewEnterpriseWithToken(baseURL, uploadURL, token string) (*GitHub, error) { - ctx := context.Background() - client := http.DefaultClient - state := "unauthenticated" - if token != "" { - state = strings.TrimPrefix(state, "un") - client = oauth2.NewClient(ctx, oauth2.StaticTokenSource( - &oauth2.Token{AccessToken: token}, - )) - } - logrus.Debugf("Using %s Enterprise GitHub client", state) - ghclient, err := github.NewEnterpriseClient(baseURL, uploadURL, client) - if err != nil { - return nil, fmt.Errorf("failed to new github client: %w", err) - } - return &GitHub{ - client: &githubClient{ghclient}, - options: DefaultOptions(), - }, nil -} - -type githubClient struct { - *github.Client -} - -func (g *githubClient) GetRepositoriesByOrg( +// GetRepositoriesByOrg // TODO(lint): Needs a comment. +func (c *Client) GetRepositoriesByOrg( ctx context.Context, owner string, -) ([]*github.Repository, *github.Response, error) { - repos, resp, err := g.Repositories.ListByOrg( +) ([]*gogh.Repository, *gogh.Response, error) { + repos, resp, err := c.Repositories.ListByOrg( ctx, owner, // TODO(install): Does this need to parameterized? - &github.RepositoryListByOrgOptions{ + &gogh.RepositoryListByOrgOptions{ Type: "all", }, ) @@ -204,12 +67,13 @@ func (g *githubClient) GetRepositoriesByOrg( return repos, resp, nil } -func (g *githubClient) GetRepository( +// GetRepository // TODO(lint): Needs a comment. +func (c *Client) GetRepository( ctx context.Context, owner, repo string, -) (*github.Repository, *github.Response, error) { - pr, resp, err := g.Repositories.Get(ctx, owner, repo) +) (*gogh.Repository, *gogh.Response, error) { + pr, resp, err := c.Repositories.Get(ctx, owner, repo) if err != nil { return pr, resp, fmt.Errorf("getting repository: %w", err) } 
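Review bot: `GetRepositoriesByOrg` makes a single `Repositories.ListByOrg` call with `Type: "all"` and no `ListOptions`, so it returns only the first page of repositories, while the installer README describes adding the workflow to all repositories under the organization; the removed `Options.ItemsPerPage` was never wired to a paging loop either, so the old code had the same gap. The error check and return of this function fall outside the hunk, so the fence below rewrites the whole function to follow `resp.NextPage` until exhausted. I would also set a `Timeout` on the `http.Client` built in `New` (`hc := &http.Client{Transport: c.Transport(), Timeout: 30 * time.Second}`), since nothing else now bounds a hung API call; that needs `"time"` added to the imports.
```go
// GetRepositoriesByOrg returns every repository of owner visible to the
// client's token, following the API's pagination.
func (c *Client) GetRepositoriesByOrg(
	ctx context.Context,
	owner string,
) ([]*gogh.Repository, *gogh.Response, error) {
	opts := &gogh.RepositoryListByOrgOptions{
		Type:        "all",
		ListOptions: gogh.ListOptions{PerPage: 100},
	}
	var all []*gogh.Repository
	for {
		repos, resp, err := c.Repositories.ListByOrg(ctx, owner, opts)
		if err != nil {
			return all, resp, fmt.Errorf("listing repositories for %s: %w", owner, err)
		}
		all = append(all, repos...)
		// NextPage is 0 once the API reports no further page.
		if resp == nil || resp.NextPage == 0 {
			return all, resp, nil
		}
		opts.Page = resp.NextPage
	}
}
```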
@@ -217,15 +81,16 @@ func (g *githubClient) GetRepository( return pr, resp, nil } -func (g *githubClient) GetBranch( +// GetBranch // TODO(lint): Needs a comment. +func (c *Client) GetBranch( ctx context.Context, owner, repo, branch string, followRedirects bool, -) (*github.Branch, *github.Response, error) { +) (*gogh.Branch, *gogh.Response, error) { // TODO: Revisit logic and simplify returns, where possible. - b, resp, err := g.Repositories.GetBranch( + b, resp, err := c.Repositories.GetBranch( ctx, owner, repo, @@ -239,15 +104,16 @@ func (g *githubClient) GetBranch( return b, resp, nil } -func (g *githubClient) GetContents( +// GetContents // TODO(lint): Needs a comment. +func (c *Client) GetContents( ctx context.Context, owner, repo, path string, - opts *github.RepositoryContentGetOptions, -) (*github.RepositoryContent, []*github.RepositoryContent, *github.Response, error) { + opts *gogh.RepositoryContentGetOptions, +) (*gogh.RepositoryContent, []*gogh.RepositoryContent, *gogh.Response, error) { // TODO: Revisit logic and simplify returns, where possible. - file, dir, resp, err := g.Repositories.GetContents( + file, dir, resp, err := c.Repositories.GetContents( ctx, owner, repo, @@ -261,14 +127,15 @@ func (g *githubClient) GetContents( return file, dir, resp, nil } -func (g *githubClient) CreateGitRef( +// CreateGitRef // TODO(lint): Needs a comment. +func (c *Client) CreateGitRef( ctx context.Context, owner, repo string, - ref *github.Reference, -) (*github.Reference, *github.Response, error) { + ref *gogh.Reference, +) (*gogh.Reference, *gogh.Response, error) { // TODO: Revisit logic and simplify returns, where possible. - gRef, resp, err := g.Git.CreateRef( + gRef, resp, err := c.Git.CreateRef( ctx, owner, repo, 
@@ -281,15 +148,16 @@ func (g *githubClient) CreateGitRef( return gRef, resp, nil } -func (g *githubClient) CreateFile( +// CreateFile // TODO(lint): Needs a comment. +func (c *Client) CreateFile( ctx context.Context, owner, repo, path string, - opts *github.RepositoryContentFileOptions, -) (*github.RepositoryContentResponse, *github.Response, error) { + opts *gogh.RepositoryContentFileOptions, +) (*gogh.RepositoryContentResponse, *gogh.Response, error) { // TODO: Revisit logic and simplify returns, where possible. - repoContentResp, resp, err := g.Repositories.CreateFile( + repoContentResp, resp, err := c.Repositories.CreateFile( ctx, owner, repo, @@ -303,7 +171,8 @@ func (g *githubClient) CreateFile( return repoContentResp, resp, nil } -func (g *githubClient) CreatePullRequest( +// CreatePullRequest // TODO(lint): Needs a comment. +func (c *Client) CreatePullRequest( ctx context.Context, owner, repo, 
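Review bot: `CreateFile` is exported with only `// TODO(lint): Needs a comment.` above it, which silences the linter but tells a caller nothing about which branch or message is used; the body and return of the function continue outside this hunk. Since both come from `opts`, I would replace the placeholder with `// CreateFile commits content to path in owner/repo through the contents API; the target branch and commit message are taken from opts (see CreateRepositoryContentFileOptions).` The same applies to the `CreatePullRequest` placeholder in the following hunk, where `// CreatePullRequest opens a PR in owner/repo from headBranchName into baseBranchName with the given title and body; maintainers of the base repository may push to the head branch.` matches what the request body sets.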
@@ -311,20 +180,51 @@ func (g *githubClient) CreatePullRequest( headBranchName, title, body string, -) (*github.PullRequest, error) { - newPullRequest := &github.NewPullRequest{ +) (*gogh.PullRequest, error) { + newPullRequest := &gogh.NewPullRequest{ Title: &title, Head: &headBranchName, Base: &baseBranchName, Body: &body, - MaintainerCanModify: github.Bool(true), + MaintainerCanModify: gogh.Bool(true), } - pr, _, err := g.PullRequests.Create(ctx, owner, repo, newPullRequest) + pr, _, err := c.PullRequests.Create(ctx, owner, repo, newPullRequest) if err != nil { return pr, fmt.Errorf("creating pull request: %w", err) } - logrus.Infof("Successfully created PR #%d", pr.GetNumber()) + log.Printf( + "successfully created PR #%d for repository %s: %s", + pr.GetNumber(), + repo, + pr.GetHTMLURL(), + ) + return pr, nil } + +// CreateGitRefOptions // TODO(lint): Needs a comment. +func CreateGitRefOptions(ref string, sha *string) *gogh.Reference { + return &gogh.Reference{ + Ref: gogh.String(ref), + Object: &gogh.GitObject{SHA: sha}, + } +} + +// CreateRepositoryContentFileOptions // TODO(lint): Needs a comment. +func CreateRepositoryContentFileOptions( + content []byte, + msg, branch string, +) *gogh.RepositoryContentFileOptions { + return &gogh.RepositoryContentFileOptions{ + Message: gogh.String(msg), + Content: content, + Branch: gogh.String(branch), + } +} + +// CreateRepositoryContentGetOptions // TODO(lint): Needs a comment. +func CreateRepositoryContentGetOptions() *gogh.RepositoryContentGetOptions { + return &gogh.RepositoryContentGetOptions{} +} diff --git a/install/install.go b/install/install.go index 90786e0b..2074a5d0 100644 --- a/install/install.go +++ b/install/install.go 
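Review bot: `CreateGitRefOptions` is named like an options builder but returns a `*gogh.Reference`, the request body `Git.CreateRef` takes, and it and the two sibling helpers ship with only `// TODO(lint): Needs a comment.`. A name such as `NewBranchReference` would be clearer; if the name must stay, the comment should at least say what is built: `// CreateGitRefOptions builds the Reference passed to CreateGitRef: ref is a full ref name such as refs/heads/<branch> and sha the commit it should point at; sha is stored as given, so a nil sha is not rejected here.` For the other two I would write `// CreateRepositoryContentFileOptions builds the options for CreateFile: content is the file body, msg the commit message and branch the branch to commit to.` and `// CreateRepositoryContentGetOptions returns empty GetContents options; no Ref is set, so the lookup uses the API's default ref.`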
@@ -21,32 +21,38 @@ import ( "fmt" "log" "os" + "path" - "github.com/google/go-github/v42/github" - - scagh "github.com/ossf/scorecard-action/install/github" + "github.com/ossf/scorecard-action/install/github" "github.com/ossf/scorecard-action/install/options" ) const ( - workflowFile = ".github/workflows/scorecards.yml" - workflowFileDeprecated = ".github/workflows/scorecards-analysis.yml" + commitMessage = ".github: Add scorecard workflow" + pullRequestBranch = "scorecard-action-install" + workflowBase = ".github/workflows" + workflowFile = "scorecards.yml" + workflowFileDeprecated = "scorecards-analysis.yml" ) -var workflowFiles = []string{ - workflowFile, - workflowFileDeprecated, -} +var ( + branchReference = fmt.Sprintf("refs/heads/%s", pullRequestBranch) + pullRequestDescription = `This pull request was generated using the installer tool for scorecard's GitHub Action. + +To report any issues with this tool, see [here](https://github.com/ossf/scorecard-action). +` + + pullRequestTitle = commitMessage + workflowFiles = []string{ + path.Join(workflowBase, workflowFile), + path.Join(workflowBase, workflowFileDeprecated), + } +) // Run adds the OpenSSF Scorecard workflow to all repositories under the given // organization. // TODO(install): Improve description. // TODO(install): Accept a context instead of setting one. -// TODO(lint): cognitive complexity 31 of func `Run` is high (> 30) (gocognit). -// -// TODO(lint): cognitive complexity 31 of func `Run` is high (> 30) (gocognit). -// -//nolint:gocognit func Run(o *options.Options) error { err := o.Validate() if err != nil { 
@@ -55,12 +61,12 @@ func Run(o *options.Options) error { // Get github user client. ctx := context.Background() - gh := scagh.New() - client := gh.Client() + gh := github.New(ctx) // If not provided, get all repositories under organization. if len(o.Repositories) == 0 { - repos, _, err := client.GetRepositoriesByOrg(ctx, o.Owner) + log.Print("No repositories provided. Fetching all repositories under organization.") + repos, _, err := gh.GetRepositoriesByOrg(ctx, o.Owner) if err != nil { return fmt.Errorf("getting repos for owner (%s): %w", o.Owner, err) } 
@@ -80,141 +86,155 @@ func Run(o *options.Options) error { // Process each repository. // TODO: Capture repo access errors for _, repoName := range o.Repositories { - // Get repo metadata. - repo, _, err := client.GetRepository(ctx, o.Owner, repoName) + log.Printf("Processing repository: %s", repoName) + err := processRepo(ctx, gh, o.Owner, repoName, workflowContent) if err != nil { - log.Printf( - "skipped repo (%s) because it does not exist or could not be accessed: %+v", - repoName, - err, - ) - - continue + log.Printf("processing repository: %+v", err) } - // Get head commit SHA of default branch. - // TODO: Capture branch access errors - defaultBranch, _, err := client.GetBranch( - ctx, - o.Owner, + log.Printf( + "finished processing repository %s", repoName, - *repo.DefaultBranch, - true, ) - if err != nil { - log.Printf( - "skipped repo (%s) because its default branch could not be accessed: %+v", - repoName, - err, - ) + } - continue - } + return nil +} + +func processRepo( + ctx context.Context, + gh *github.Client, + owner, repoName string, + workflowContent []byte, +) error { + // Get repo metadata. + log.Printf("getting repo metadata for %s", repoName) + repo, _, err := gh.GetRepository(ctx, owner, repoName) + if err != nil { + return fmt.Errorf( + "getting repository: %w", + err, + ) + } - defaultBranchSHA := defaultBranch.Commit.SHA + // Get head commit SHA of default branch. + // TODO: Capture branch access errors + defaultBranch, _, err := gh.GetBranch( + ctx, + owner, + repoName, + *repo.DefaultBranch, + true, + ) + if err != nil { + return fmt.Errorf( + "getting default branch for %s: %w", + repoName, + err, + ) + } + + defaultBranchSHA := defaultBranch.Commit.SHA - // Skip if scorecard file already exists in workflows folder. - for _, f := range workflowFiles { - scoreFileContent, _, _, err := client.GetContents( - ctx, - o.Owner, + // Skip if scorecard file already exists in workflows folder. 
+ workflowExists := false + for i, f := range workflowFiles { + log.Printf( + "checking for scorecard workflow file (%s)", + f, + ) + scoreFileContent, _, _, err := gh.GetContents( + ctx, + owner, + repoName, + f, + github.CreateRepositoryContentGetOptions(), + ) + if scoreFileContent != nil { + log.Printf( + "skipping repo (%s) since scorecard workflow already exists: %s", repoName, f, - &github.RepositoryContentGetOptions{}, ) - if scoreFileContent != nil || err == nil { - log.Printf( - "skipped repo (%s) since scorecard workflow already exists", - repoName, - ) - - continue - } + + workflowExists = true + break + } + if err != nil && i == len(workflowFiles)-1 { + log.Printf("could not find a scorecard workflow file: %+v", err) } + } + if !workflowExists { // Skip if branch scorecard already exists. - scorecardBranch, _, err := client.GetBranch( + scorecardBranch, _, err := gh.GetBranch( ctx, - o.Owner, + owner, repoName, - "scorecard", + pullRequestBranch, true, ) if scorecardBranch != nil || err == nil { log.Printf( - "skipped repo (%s) since the scorecard branch already exists", + "skipping repo (%s) since the scorecard action installation branch already exists", repoName, ) - continue + return nil } // Create new branch using a reference that stores the new commit hash. // TODO: Capture ref creation errors - ref := &github.Reference{ - Ref: github.String("refs/heads/scorecard"), - Object: &github.GitObject{SHA: defaultBranchSHA}, - } - _, _, err = client.CreateGitRef(ctx, o.Owner, repoName, ref) + ref := github.CreateGitRefOptions(branchReference, defaultBranchSHA) + _, _, err = gh.CreateGitRef(ctx, owner, repoName, ref) if err != nil { - log.Printf( - "skipped repo (%s) because new branch could not be created: %+v", + return fmt.Errorf( + "creating scorecard action installation branch for %s: %w", repoName, err, ) - - continue } // Create file in repository. 
// TODO: Capture file creation errors - opts := &github.RepositoryContentFileOptions{ - Message: github.String("Adding scorecard workflow"), - Content: workflowContent, - Branch: github.String("scorecard"), - } - _, _, err = client.CreateFile( + opts := github.CreateRepositoryContentFileOptions( + workflowContent, + commitMessage, + pullRequestBranch, + ) + _, _, err = gh.CreateFile( ctx, - o.Owner, + owner, repoName, workflowFile, opts, ) if err != nil { - log.Printf( - "skipped repo (%s) because new file could not be created: %+v", + return fmt.Errorf( + "creating scorecard workflow file for %s: %w", repoName, err, ) - - continue } // Create pull request. // TODO: Capture pull request creation errors - _, err = client.CreatePullRequest( + _, err = gh.CreatePullRequest( ctx, - o.Owner, + owner, repoName, *defaultBranch.Name, - "scorecard", - "Added Scorecard Workflow", - "Added the workflow for OpenSSF's Security Scorecard", + pullRequestBranch, + pullRequestTitle, + pullRequestDescription, ) if err != nil { - log.Printf( - "skipped repo (%s) because pull request could not be created: %+v", + return fmt.Errorf( + "creating pull request for %s: %w", repoName, err, ) - - continue } - - log.Printf( - "Created a pull request to add the scorecard workflow to %s", - repoName, - ) } return nil diff --git a/multi-repo-action/README.md b/multi-repo-action/README.md deleted file mode 100644 index af79026a..00000000 --- a/multi-repo-action/README.md +++ /dev/null 
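Review bot: The `CreateFile` call near the end of `processRepo` still passes `workflowFile`, but this commit changed that constant from `.github/workflows/scorecards.yml` to the bare name `scorecards.yml` (the directory moved into `workflowBase`), so the generated PR now adds `scorecards.yml` at the repository root, where Actions will not run it; the existence check earlier in the function uses `workflowFiles`, which is built with `path.Join(workflowBase, ...)`, so it looks in the right place and would not notice the misplaced file. Pass the joined path instead: `path.Join(workflowBase, workflowFile),` (or `workflowFiles[0]`). Separately, `Run` logs each `processRepo` error, then logs `finished processing repository` and returns nil regardless, so the command exits 0 even when every repository failed; counting failures and returning a non-nil error when the count is non-zero would let callers and CI notice. Less critically, `defaultBranch.Commit.SHA` dereferences `Commit` without a nil check, so a branch response with no commit would panic; guarding with `if defaultBranch.Commit == nil || defaultBranch.Commit.SHA == nil { return fmt.Errorf("default branch of %s has no commit SHA", repoName) }` before use would turn that into a logged skip.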
@@ -1,18 +0,0 @@ -# Enable OSSF Scorecard Action at an Organization Level - Work In Progress and is not Production Ready - -This tool will add the [OpenSSF's Scorecard workflow](https://github.com/ossf/scorecard-action) to all accessible repositories under a given organization. A PR will be created so that owners can decide whether or not they want to include the workflow. - -## Setup - -Running this tool requires three parameters, which are defined at the top of `org-workflow-add.go`: -1. ORG_NAME - the name of the organization for which the workflow should be enabled. -2. PAT - a Personal Access Token with the following scopes: - - `repo > public_repo` - - `admin:org > read:org` -3. REPO_LIST (OPTIONAL) - repository names under the organization that the workflow should be added to. If not provided, every repository will be updated. - -Another PAT should also be defined as an organization secret for `scorecards-analysis.yml` using steps listed in [scorecard-action](https://github.com/ossf/scorecard-action#pat-token-creation). - -## Execution - -Execute this process by running `go run org-workflow-add.go` in the command line. Output will be produced for each successfully updated repository. diff --git a/signing/signing.go b/signing/signing.go index dba2614d..898b40f3 100644 --- a/signing/signing.go +++ b/signing/signing.go @@ -27,10 +27,11 @@ import ( "os" "time" - "github.com/ossf/scorecard-action/entrypoint" //nolint - "github.com/ossf/scorecard-action/options" sigOpts "github.com/sigstore/cosign/cmd/cosign/cli/options" "github.com/sigstore/cosign/cmd/cosign/cli/sign" + + "github.com/ossf/scorecard-action/entrypoint" + "github.com/ossf/scorecard-action/options" ) // SignScorecardResult signs the results file and uploads the attestation to the Rekor transparency log.