Fix repositoryUrl issues around GitHub Actions

jhutchings1 · jhutchings1 · commit d9209374afff · 2024-03-22T21:00:38.000Z
diff --git a/__tests__/scorecard.test.ts b/__tests__/scorecard.test.ts
@@ -22,6 +22,19 @@ const npmChange: Change = {
   ]
 }
 
+const actionsChange: Change = {
+  manifest: 'workflow.yml',
+  change_type: 'added',
+  ecosystem: 'actions',
+  name: 'actions/checkout',
+  version: 'v3',
+  package_url: 'pkg:githubactions/actions@v3',
+  license: 'MIT',
+  source_repository_url: 'null',
+  scope: 'runtime',
+  vulnerabilities: []
+}
+
 test('Get scorecard from API', async () => {
   const changes: Changes = [npmChange]
   const scorecard = await getScorecardLevels(changes)
@@ -38,3 +51,11 @@ test('Get project URL from deps.dev API', async () => {
   )
   expect(result).not.toBeNull()
 })
+
+test('Handles Actions special case', async () => {
+  const changes: Changes = [actionsChange]
+  const result = await getScorecardLevels(changes)
+  expect(result).not.toBeNull()
+  expect(result.dependencies).toHaveLength(1)
+  expect(result.dependencies[0].scorecard?.score).toBeGreaterThan(0)
+})
diff --git a/src/scorecard.ts b/src/scorecard.ts
@@ -17,8 +17,16 @@ export async function getScorecardLevels(
       repositoryUrl = repositoryUrl.replace('https://', '')
     }
 
+    // Handle the special case for GitHub Actions, where the repository URL is null
+    if (ecosystem === 'actions') {
+      // The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
+      // If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out
+      const parts = packageName.split('/')
+      repositoryUrl = `github.com/${parts[0]}/${parts[1]}` // e.g. github.com/actions/checkout
+    }
+
     // If GitHub API doesn't have the repository URL, query deps.dev for it.
-    if (repositoryUrl) {
+    if (!repositoryUrl) {
       // Call the deps.dev API to get the repository URL from there
       repositoryUrl = await getProjectUrl(ecosystem, packageName, version)
     }
@@ -70,4 +78,4 @@ export async function getProjectUrl(
     }
   }
   return ''
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -17,8 +17,16 @@ export async function getScorecardLevels(`
`17`	`17`	`repositoryUrl = repositoryUrl.replace('https://', '')`
`18`	`18`	`}`
`19`	`19`
	`20`	`+ // Handle the special case for GitHub Actions, where the repository URL is null`
	`21`	`+ if (ecosystem === 'actions') {`
	`22`	+ // The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
	`23`	`+ // If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out`
	`24`	`+ const parts = packageName.split('/')`
	`25`	+ repositoryUrl = `github.com/${parts[0]}/${parts[1]}` // e.g. github.com/actions/checkout
	`26`	`+ }`
	`27`	`+`
`20`	`28`	`// If GitHub API doesn't have the repository URL, query deps.dev for it.`
`21`		`- if (repositoryUrl) {`
	`29`	`+ if (!repositoryUrl) {`
`22`	`30`	`// Call the deps.dev API to get the repository URL from there`
`23`	`31`	`repositoryUrl = await getProjectUrl(ecosystem, packageName, version)`
`24`	`32`	`}`
`@@ -70,4 +78,4 @@ export async function getProjectUrl(`
`70`	`78`	`}`
`71`	`79`	`}`
`72`	`80`	`return ''`
`73`		`-}`
	`81`	`+}`