
🌱 Bump docker tag for new release. #1055

Merged 1 commit on Dec 21, 2022

Conversation

spencerschrock (Contributor)

Signed-off-by: Spencer Schrock <sschrock@google.com>

I've manually tested the action, as the steps in RELEASE.md don't actually test any new changes since the docker image is pinned to a version.

I've tested with this command and confirmed the original bug (ossf/scorecard#2557) is fixed.

docker run -e INPUT_REPO_TOKEN="$GITHUB_AUTH_TOKEN" \
    -e INPUT_POLICY_FILE="/policy.yml" \
    -e INPUT_RESULTS_FORMAT="sarif" \
    -e INPUT_RESULTS_FILE="results.sarif" \
    -e INPUT_PUBLISH_RESULTS="false" \
    -e GITHUB_WORKSPACE="/github/workflow" \
    -e GITHUB_REF="refs/heads/main" \
    -e GITHUB_EVENT_NAME="branch_protection_rule" \
    -e GITHUB_EVENT_PATH="/testdata/test.json" \
    -e GITHUB_REPOSITORY="nginxinc/nginx-kubernetes-gateway" \
    -e GITHUB_API_URL="https://api.github.com/" \
    -v $PWD:/github/workflow \
    gcr.io/openssf/scorecard-action:latest


@laurentsimon laurentsimon left a comment


I think the RELEASE.md needs to move the section on testing to after the section on updating the tag.

codecov bot commented Dec 21, 2022

Codecov Report

Merging #1055 (3670aca) into main (7da02bf) will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff           @@
##             main    #1055   +/-   ##
=======================================
  Coverage   62.94%   62.94%           
=======================================
  Files           4        4           
  Lines         251      251           
=======================================
  Hits          158      158           
  Misses         77       77           
  Partials       16       16           

spencerschrock (Contributor, Author)

> I think the RELEASE.md needs to move the section on testing to after we've updated the tag

Until the release happens, the newly tagged Docker image won't exist. So doing it after the tag but before the release also won't work.

I think we need a test version of action.yaml which uses gcr.io/openssf/scorecard-action:latest

laurentsimon (Contributor) commented Dec 21, 2022

> > I think the RELEASE.md needs to move the section on testing to after we've updated the tag
>
> Until the release happens, the newly tagged Docker image won't exist. So doing it after the tag but before the release also won't work.

Yeah, I meant after release as well. But too late if it's broken.

> I think we need a test version of action.yaml which uses gcr.io/openssf/scorecard-action:latest

What is latest in this case? It still points to an old Action release, does it not?

Or we need to cut a v1.2.3-rc and use that instead to test before the actual release?

@spencerschrock spencerschrock merged commit e38b190 into ossf:main Dec 21, 2022
@spencerschrock spencerschrock deleted the bump-docker-v2.1.2 branch December 21, 2022 23:13
spencerschrock (Contributor, Author) commented Dec 22, 2022

> > I think we need a test version of action.yaml which uses gcr.io/openssf/scorecard-action:latest
>
> What is latest in this case? It still points to an old Action release, does it not?
>
> Or we need to cut a v1.2.3-rc and use that instead to test before the actual release?

So right now RELEASE.md mentions a manual dispatch of scorecards.yml which calls our public action.yaml

# This is a pre-submit / pre-release.
- name: "Run analysis"
  uses: ossf/scorecard-action@main
  with:

But ossf/scorecard-action@main is pinned to a specific docker version, so it will always run an old docker release:

runs:
  using: "docker"
  image: "docker://gcr.io/openssf/scorecard-action:v2.1.2"

I think we need to change our test version of scorecards.yml to use a private action which references the latest docker image, which will have the changes we're trying to test. We need to set up a private action which has the following lines

runs:
  using: "docker"
  image: "docker://gcr.io/openssf/scorecard-action:latest"
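One way to wire up the private test action described in the comment above, as an added example and not the project's own files. The local action path `.github/actions/scorecard-test`, the workflow name and the `SCORECARD_TOKEN` secret name are assumptions; the input names match the `INPUT_*` variables in the manual `docker run` in the PR description, since GitHub exposes each Docker action input to the container as `INPUT_<NAME>`.

```yaml
# .github/actions/scorecard-test/action.yaml (assumed path; added example, not project code)
# Repository-local copy of the action whose only difference from the public
# action.yaml is the image reference: the mutable :latest tag instead of the
# pinned release tag, so a pre-release run actually exercises the new image.
name: "Scorecard test action"
description: "Runs the most recently pushed scorecard-action image"
inputs:
  results_file:
    description: "Output file"
    required: true
  results_format:
    description: "sarif or json"
    required: true
  repo_token:
    description: "GitHub token"
    required: true
  publish_results:
    description: "Publish results to the OpenSSF REST API"
    required: false
    default: "false"
runs:
  using: "docker"
  image: "docker://gcr.io/openssf/scorecard-action:latest"
---
# .github/workflows/scorecards-test.yml (assumed name)
# Manual-dispatch pre-release workflow. It checks out the repository so the
# local action is available, then calls it instead of ossf/scorecard-action@main.
# The public action.yaml keeps its version-pinned image; only this test
# workflow references the mutable :latest tag.
name: Scorecard test
on:
  workflow_dispatch:
permissions: read-all
jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v3
        with:
          persist-credentials: false
      - name: "Run analysis"
        uses: ./.github/actions/scorecard-test
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.SCORECARD_TOKEN }}  # assumed secret name
          publish_results: false
```

Because `:latest` is mutable, the run only proves whatever image was pushed most recently; the release step that moves the public action.yaml to the new version tag is still what consumers pin.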
