🌱 Prepare for a pre-release of the Golang action

Dockerfile

@@ -12,25 +12,40 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# See docs/development.md for details on how to test this image.
+# Testing: docker run -e GITHUB_REF=refs/heads/main \
+#           -e GITHUB_EVENT_NAME=branch_protection_rule \
+#           -e INPUT_RESULTS_FORMAT=sarif \
+#           -e INPUT_RESULTS_FILE=results.sarif \
+#           -e GITHUB_WORKSPACE=/ \
+#           -e INPUT_POLICY_FILE="/policy.yml" \
+#           -e INPUT_REPO_TOKEN=$GITHUB_AUTH_TOKEN \
+#           -e GITHUB_REPOSITORY="ossf/scorecard" \
+#           laurentsimon/scorecard-action:latest
 
-FROM gcr.io/openssf/scorecard:v4.3.1@sha256:6224d1a27c35e7b216befba798cb782adb400047caa60fc1bea30030da392a1b as base
+#v1.17 go
+FROM golang@sha256:bd9823cdad5700fb4abe983854488749421d5b4fc84154c30dae474100468b85 AS base
+WORKDIR /src
+ENV CGO_ENABLED=0
+COPY go.* ./
+RUN go mod download
+COPY . ./
 
-# Build our image and update the root certs.
-# TODO: use distroless.
+FROM base AS build
+ARG TARGETOS
+ARG TARGETARCH
+RUN CGO_ENABLED=0 make build
+
+# TODO: use distroless:
+# FROM gcr.io/distroless/base:nonroot@sha256:02f667185ccf78dbaaf79376b6904aea6d832638e1314387c2c2932f217ac5cb
 FROM debian:11.3-slim@sha256:f6957458017ec31c4e325a76f39d6323c4c21b0e31572efa006baa927a160891
+
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
+    # For debugging.
     jq ca-certificates curl
-
-# Copy the scorecard binary from the official scorecard image.
-COPY --from=base /scorecard /scorecard
+COPY --from=build /src/scorecard-action /
 
 # Copy a test policy for local testing.
 COPY policies/template.yml  /policy.yml
 
-# Our entry point.
-# Note: the file is executable in the repo
-# and permission carry over to the image.
-COPY entrypoint.sh /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT [ "/scorecard-action" ]

README.md

@@ -5,6 +5,13 @@
 
 The Scorecards GitHub Action is free for all public repositories. Private repositories are supported if they have [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security). Private repositories without GitHub Advanced Security can run Scorecards from the command line by following the [standard installation instructions](https://github.com/ossf/scorecard#using-scorecards-1).
 
+
+## Breaking changes in v2
+
+Starting from scorecard-action:v2, `GITHUB_TOKEN` permissions needs to incude
+`token_id: write` for `publish_results: true`. This is needed to access GitHub's
+OIDC token whuch verifies the authenticity of the result when publishing it.
+
 ________
 [Installation](#installation) 
 - [Authentication](#authentication-with-pat)

RELEASE.md

@@ -30,37 +30,6 @@ We're not striving for perfection with the template, but the tracking issue
 will serve as a reference point to aggregate feedback, so try your best to be
 as descriptive as possible.
 
-## Preparing the release
-
-This section covers changes that need to be issued as a pull request and should
-be merged before releasing the scorecard GitHub Action.
-
-### Update the scorecard version
-
-_NOTE: As the scorecard GitHub Action is based on scorecard, you may want to publish a new release of scorecard to ensure the next release of the GitHub Action has the most up-to-date functionality. This is not strictly required. The only requirement is that we use a stable scorecard version which is at or above the current version used for this action._
-
-For the rest of document, let `CH1` be the hash of the scorecard image you
-intend to use for this release.
-
-See [here](https://github.com/orgs/ossf/packages?repo_name=scorecard) for
-scorecard images.
-
-(We'll use `0bc9576b3efbda7b38febbf0a1e1b9546894f9650aaead9ccb5edc7dade86552`
-as `CH1` in any examples below.)
-
-Now that you have `CH1`, update the digest in the [Dockerfile](Dockerfile) to use `CH1`.
-
-Example:
-
-```Dockerfile
-FROM gcr.io/openssf/scorecard:v100.0.0@sha256:0bc9576b3efbda7b38febbf0a1e1b9546894f9650aaead9ccb5edc7dade86552 as base
-```
-
-Create a pull request with this change.
-
-Once the PR is merged, note the GitHub commit hash.
-We'll refer to this as `GH2` below.
-
 ## Drafting release notes
 
 <!-- TODO(release): Provide details -->
@@ -69,15 +38,31 @@ We'll refer to this as `GH2` below.
 
 ### Create a tag
 
-Locally, create a signed tag based on `GH2`:
+Locally, create a signed tag `Tag` on commitSHA `SHA`:
 
 ```console
 git remote update
-git checkout `GH2`
+git checkout `SHA`
 git tag -s -m "v100.0.0" v100.0.0
 git push <upstream> --tags
 ```
 
+### Update the scorecard-action version
+
+Note be the hash of the scorecard-action image (say, `CH1`) that was tagged with `Tag`. We will use this for the release.
+
+Update the digest in [action.yaml](action.yaml) to use `CH1`.
+
+Example:
+
+```
+runs:
+  using: "docker"
+  image: "docker://gcr.io/openssf/scorecard-action:CH1"
+```
+
+Create a pull request with this change and merge into `main`.
+
 ### Create a GitHub release
 
 Create a

action.yaml

@@ -48,6 +48,6 @@ branding:
 
 runs:
   using: "docker"
-  image: "./Dockerfile"
+  image: "docker://gcr.io/openssf/scorecard-action:latest"
 
 

cloudbuild-tag.yaml

@@ -0,0 +1,25 @@
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+steps:
+  - id: Get tag commit
+    name: gcr.io/cloud-builders/git
+    args: ['fetch', '--unshallow', '--tags', 'origin', '$COMMIT_SHA']
+  - name: 'gcr.io/cloud-builders/docker'
+    args: ['build', '.',
+      '-t', 'gcr.io/openssf/scorecard-action:$TAG_NAME',
+      '-t', 'gcr.io/openssf/scorecard-action:$COMMIT_SHA',
+      '-f', 'Dockerfile']
+images: ['gcr.io/openssf/scorecard-action']
+timeout: '1600s'

cloudbuild.yaml

@@ -17,6 +17,6 @@ steps:
   args: ['build', '.',
     '-t', 'gcr.io/openssf/scorecard-action:latest',
     '-t', 'gcr.io/openssf/scorecard-action:$COMMIT_SHA',
-    '-f', 'Dockerfile.golang']
+    '-f', 'Dockerfile']
 images: ['gcr.io/openssf/scorecard-action']
 timeout: '1600s'