Skip to content

Commit

Permalink
Fix repositoryUrl issues around GitHub Actions
Browse files Browse the repository at this point in the history
  • Loading branch information
jhutchings1 committed Mar 22, 2024
1 parent 02b13f6 commit d920937
Show file tree
Hide file tree
Showing 2 changed files with 31 additions and 2 deletions.
21 changes: 21 additions & 0 deletions __tests__/scorecard.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,19 @@ const npmChange: Change = {
]
}

const actionsChange: Change = {
manifest: 'workflow.yml',
change_type: 'added',
ecosystem: 'actions',
name: 'actions/checkout',
version: 'v3',
package_url: 'pkg:githubactions/actions@v3',
license: 'MIT',
source_repository_url: 'null',
scope: 'runtime',
vulnerabilities: []
}

test('Get scorecard from API', async () => {
const changes: Changes = [npmChange]
const scorecard = await getScorecardLevels(changes)
Expand All @@ -38,3 +51,11 @@ test('Get project URL from deps.dev API', async () => {
)
expect(result).not.toBeNull()
})

test('Handles Actions special case', async () => {
const changes: Changes = [actionsChange]
const result = await getScorecardLevels(changes)
expect(result).not.toBeNull()
expect(result.dependencies).toHaveLength(1)
expect(result.dependencies[0].scorecard?.score).toBeGreaterThan(0)
})
12 changes: 10 additions & 2 deletions src/scorecard.ts
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,16 @@ export async function getScorecardLevels(
repositoryUrl = repositoryUrl.replace('https://', '')
}

// Handle the special case for GitHub Actions, where the repository URL is null
if (ecosystem === 'actions') {
// The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
// If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out
const parts = packageName.split('/')
repositoryUrl = `github.com/${parts[0]}/${parts[1]}` // e.g. github.com/actions/checkout
}

// If GitHub API doesn't have the repository URL, query deps.dev for it.
if (repositoryUrl) {
if (!repositoryUrl) {
// Call the deps.dev API to get the repository URL from there
repositoryUrl = await getProjectUrl(ecosystem, packageName, version)
}
Expand Down Expand Up @@ -70,4 +78,4 @@ export async function getProjectUrl(
}
}
return ''
}
}

0 comments on commit d920937

Please sign in to comment.