Bug: Token-Permissions alert contains broken link

[jasonkarns]

The description of this alert:

contains a link. The link generated is: https://app.stepsecurity.io/secureworkflow but the url is wrong and gets a 404.

[varunsh-coder]

Hi @jasonkarns I tried to repro this issue but I get a different URL which works fine.
You can see the url in the build log here: https://github.com/varunsh-coder/scorecard-action-1386/actions/runs/9454632039/job/26042617909#step:4:700

Can you please share link to a scorecard-action workflow run where you got this url?

[jasonkarns]

The run is behind github's code scanning, which isn't part of the public Actions runs. It's under the private Security tab: https://github.com/nodenv/node-build/security/code-scanning/15

The link url is: https://app.stepsecurity.io/secureworkflow/github.com/nodenv/node-build/version.yml/main?enable=permissions

[spencerschrock]

it seems an extra github.com is being inserted here, and must have been between v2.3.1 and v2.3.3 (which corresponds to v4.13.1 and v5.0.0-rc2 of scorecard), causing the link to 404.

[spencerschrock]

I was looking at this briefly to see if it was something we could address before the next release this week, and I'm actually unable to replicate.

Copy/pasted from my security tab in a test repo:

.github/workflows/ref.yml:1
name: test ref
score is 0: no topLevel permission defined
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.