Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: run scorecard only once #1071

Closed
laurentsimon opened this issue Jan 13, 2023 · 3 comments · Fixed by #1423
Closed

feat: run scorecard only once #1071

laurentsimon opened this issue Jan 13, 2023 · 3 comments · Fixed by #1423

Comments

@laurentsimon
Copy link
Contributor

The Action runs scorecard twice: once for the SARIF results, and once to upload the results to the API server. This increases rate limits and is also slower.

We need to run scorecard once only, then:

  1. filter out the results depending on trigger type (PR vs not PR), and generate the SARIF output
  2. Use all the results and generate the JSON result to upload to the API server

/cc @naveensrinivasan @azeemsgoogle
@laurentsimon laurentsimon mentioned this issue Jan 13, 2023
Closed
@agilgur5 agilgur5 mentioned this issue Feb 25, 2024
Merged
@spencerschrock
Copy link
Contributor

@justaugustus this is another problem with the current cobra-hooking entrypoint method we do today. Has Cisco run into any rate limiting that this could remediate? (@lelia may have more context?)

@spencerschrock
Copy link
Contributor

Note: I temporarily instrumented my Scorecard fork's call to ossf/scorecard-action with calls to GitHub's /rate_limit endpoint. Analyzing ossf/scorecard takes 66 core API calls, and 4 graphql calls without the publishing step.

The way we run Scorecard twice when publishing results, would therefore waste an extra 66 core and 4 graphql, or ~7% of a repo's hourly quota.

Primary rate limit for GITHUB_TOKEN in GitHub Actions
The rate limit for GITHUB_TOKEN is 1,000 requests per hour per repository. For requests to resources that belong to a GitHub Enterprise Cloud account, the limit is 15,000 requests per hour per repository.

So with the duplicate call, a repo would currently exhaust their hourly quota in 8 commits (assuming no other usage), which isn't great but also not the end of the world. (Runtime is another factor though).

@lelia
Copy link

lelia commented Aug 8, 2024

@justaugustus this is another problem with the current cobra-hooking entrypoint method we do today. Has Cisco run into any rate limiting that this could remediate? (@lelia may have more context?)

As far as I'm aware, we haven't hit this rate limit with any of our projects yet — most of the scaling challenges we faced were due to the employment of reusable workflows across multiple orgs. The duplicate call is definitely something I'll keep an eye on as we start leveraging Scorecard across more projects, though.

@spencerschrock spencerschrock mentioned this issue Aug 9, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

use Scorecard library entrypoint instead of Cobra hooking spencerschrock/scorecard-action
3 participants
@lelia @spencerschrock @laurentsimon