
Commit 9093495

author
Federico Builes
authored
Merge pull request #725 from actions/issue-718
Bug fixes to #718
2 parents 02b13f6 + 35b83b4 commit 9093495


4 files changed

+41
-5
lines changed


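--- a/__tests__/scorecard.test.ts
+++ b/__tests__/scorecard.test.ts
@@ -22,6 +22,19 @@ const npmChange: Change = {
 ]
 }
 
+const actionsChange: Change = {
+manifest: 'workflow.yml',
+change_type: 'added',
+ecosystem: 'actions',
+name: 'actions/checkout/',
+version: 'v3',
+package_url: 'pkg:githubactions/actions@v3',
+license: 'MIT',
+source_repository_url: 'null',
+scope: 'runtime',
+vulnerabilities: []
+}
+
 test('Get scorecard from API', async () => {
 const changes: Changes = [npmChange]
 const scorecard = await getScorecardLevels(changes)
@@ -38,3 +51,11 @@ test('Get project URL from deps.dev API', async () => {
 )
 expect(result).not.toBeNull()
 })
+
+test('Handles Actions special case', async () => {
+const changes: Changes = [actionsChange]
+const result = await getScorecardLevels(changes)
+expect(result).not.toBeNull()
+expect(result.dependencies).toHaveLength(1)
+expect(result.dependencies[0].scorecard?.score).toBeGreaterThan(0)
+})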
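Review bot: The `actionsChange` fixture spells the missing repository URL as the string `'null'` (`source_repository_url: 'null'`), which is truthy, so the `if (!repositoryUrl)` fallback introduced in src/scorecard.ts would never fire for it; the test only passes because the `ecosystem === 'actions'` branch overwrites `repositoryUrl` first. If the dependency review API really reports an absent URL as the literal string, the guard in scorecard.ts needs to treat that string as missing too; if it does not, the fixture should use an empty value so the test exercises the real code path. Either way a one-line comment on the fixture stating which it is would help the next reader, e.g. `// API reports a missing source URL as the string 'null' — TODO confirm`. The new test also depends on a live scorecard API response scoring above 0, consistent with the existing tests in this file but worth remembering when it fails offline.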

dist/index.js

+9-2

dist/index.js.map

+1-1

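--- a/src/scorecard.ts
+++ b/src/scorecard.ts
@@ -17,8 +17,16 @@ export async function getScorecardLevels(
 repositoryUrl = repositoryUrl.replace('https://', '')
 }
 
+// Handle the special case for GitHub Actions, where the repository URL is null
+if (ecosystem === 'actions') {
+// The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
+// If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out
+const parts = packageName.split('/')
+repositoryUrl = `github.com/${parts[0]}/${parts[1]}` // e.g. github.com/actions/checkout
+}
+
 // If GitHub API doesn't have the repository URL, query deps.dev for it.
-if (repositoryUrl) {
+if (!repositoryUrl) {
 // Call the deps.dev API to get the repository URL from there
 repositoryUrl = await getProjectUrl(ecosystem, packageName, version)
 }
@@ -41,7 +49,7 @@ export async function getScorecardLevels(
 }
 
 async function getScorecard(repositoryUrl: string): Promise<ScorecardApi> {
-const apiRoot = 'https://api.securityscorecards.dev/'
+const apiRoot = 'https://api.securityscorecards.dev'
 let scorecardResponse: ScorecardApi = {} as ScorecardApi
 
 const url = `${apiRoot}/projects/${repositoryUrl}`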
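Review bot: In the first hunk the actions branch assumes `packageName` splits into at least two segments; a name with a single segment leaves `parts[1]` undefined and sets `repositoryUrl` to the string `github.com/<owner>/undefined`, which is then truthy, skips the deps.dev fallback and is sent to the scorecard API as a real project path (under `noUncheckedIndexedAccess` the compiler already types `parts[1]` as `string | undefined`). Destructure and guard both segments instead: `const [owner, repo] = packageName.split('/')` and `if (owner && repo) repositoryUrl = \`github.com/${owner}/${repo}\``, so a malformed name falls through to the existing `!repositoryUrl` lookup. Because the value is later interpolated unescaped into `${apiRoot}/projects/${repositoryUrl}` in the second hunk, and the name originates from manifest content rather than this code, wrapping the two segments in `encodeURIComponent` would also keep an odd name from altering the request path. The enclosing `getScorecardLevels` starts and ends outside the hunk.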
