✨ use GITHUB_TOKEN when repo_token is empty on PRs

action.yaml

@@ -37,6 +37,11 @@ inputs:
     required: false
     default: false
 
+  internal_default_token:
+    description: "INPUT: Default GitHub token. (Internal purpose only, not intended for developers to set. Used for pull requests configured with a PAT)."
+    required: false
+    default: ${{ github.token }}
+
 branding:
   icon: "mic"
   color: "white"

entrypoint.sh

@@ -22,6 +22,14 @@ set -euo pipefail
 # GITHUB_EVENT_NAME contains the event name.
 # GITHUB_ACTIONS is true in GitHub env.
 
+if [[ -z "$INPUT_REPO_TOKEN" ]]; then
+    INPUT_REPO_TOKEN="$INPUT_INTERNAL_DEFAULT_TOKEN"
+    if [[ -z "$INPUT_REPO_TOKEN" ]]; then
+        exit 2
+    fi
+    echo "The repo_token was empty so GITHUB_TOKEN is used instead"
+fi
+
 export GITHUB_AUTH_TOKEN="$INPUT_REPO_TOKEN"
 export ENABLE_SARIF=1
 export ENABLE_LICENSE=1

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/sigstore/cosign v1.9.0
 	github.com/sirupsen/logrus v1.8.1
 	github.com/spf13/cobra v1.5.0
+	golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2
 	sigs.k8s.io/release-sdk v0.8.0
 	sigs.k8s.io/release-utils v0.6.1-0.20220405215325-d4a2a2f0e8fd
 )
@@ -241,7 +242,6 @@ require (
 	gocloud.dev v0.25.0 // indirect
 	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
-	golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2 // indirect
 	golang.org/x/sync v0.0.0-20220513210516-0976fa681c29 // indirect
 	golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect

options/env.go

@@ -38,10 +38,11 @@ const (
 
 	// TODO(input): INPUT_ constants should be removed in a future release once
 	//              they have replacements in upstream scorecard.
-	EnvInputRepoToken      = "INPUT_REPO_TOKEN" //nolint:gosec
-	EnvInputResultsFile    = "INPUT_RESULTS_FILE"
-	EnvInputResultsFormat  = "INPUT_RESULTS_FORMAT"
-	EnvInputPublishResults = "INPUT_PUBLISH_RESULTS"
+	EnvInputRepoToken         = "INPUT_REPO_TOKEN"             //nolint:gosec
+	EnvInputInternalRepoToken = "INPUT_INTERNAL_DEFAULT_TOKEN" //nolint:gosec
+	EnvInputResultsFile       = "INPUT_RESULTS_FILE"
+	EnvInputResultsFormat     = "INPUT_RESULTS_FORMAT"
+	EnvInputPublishResults    = "INPUT_PUBLISH_RESULTS"
 )
 
 // Errors

options/options.go

@@ -105,8 +105,9 @@ func New() (*Options, error) {
 
 // Validate validates the scorecard configuration.
 func (o *Options) Validate() error {
+	fmt.Println("EnvGithubAuthToken:", EnvGithubAuthToken, os.Getenv(EnvGithubAuthToken))
 	if os.Getenv(EnvGithubAuthToken) == "" {
-		fmt.Printf("The 'repo_token' variable is empty.\n")
+		fmt.Printf("%s variable is empty.\n", EnvGithubAuthToken)
 		if o.IsForkStr == trueStr {
 			fmt.Printf("We have detected you are running on a fork.\n")
 		}
@@ -151,6 +152,14 @@ func (o *Options) Print() {
 
 func (o *Options) setScorecardOpts() {
 	o.ScorecardOpts = scopts.New()
+	// Set GITHUB_AUTH_TOKEN
+	inputToken := os.Getenv(EnvInputRepoToken)
+	if inputToken == "" {
+		fmt.Printf("The 'repo_token' variable is empty.\n")
+		fmt.Printf("Using the '%s' variable instead.\n", EnvInputInternalRepoToken)
+		inputToken := os.Getenv(EnvInputInternalRepoToken)
+		os.Setenv(EnvGithubAuthToken, inputToken)
+	}
 
 	// --repo= | --local
 	// This section restores functionality that was removed in

options/options_test.go

@@ -222,8 +222,12 @@ func TestNew(t *testing.T) {
 			os.Setenv(EnvGithubAuthToken, testToken)
 			defer os.Unsetenv(EnvGithubAuthToken)
 
+			os.Setenv(EnvInputRepoToken, "token-value-123456")
+			defer os.Unsetenv(EnvInputRepoToken)
+
 			if tt.unsetToken {
 				os.Unsetenv(EnvGithubAuthToken)
+				os.Unsetenv(EnvInputRepoToken)
 			}
 
 			os.Setenv(EnvGithubEventPath, tt.githubEventPath)