
Error uploading score data with v2.0.* #1028

Closed
rajbos opened this issue Dec 8, 2022 · 4 comments · Fixed by #1044

Comments

@rajbos
Contributor

rajbos commented Dec 8, 2022

I was adding this action to my repo and all uploads with v2 keep on failing.

tlog entry created with index: 8678709
MEYCIQDqgM0We/hZyDOs/8z4xgKLBWtTkgnI52BLyTu89tIHdAIhALVwPK6T6oArxGNlLsLRIjdRwih2o9mhZWQRpxwzTR/M
2022/12/08 19:33:00 error processing signature: http response 500, status: 500 Internal Server Error, error: {"code":500,"message":"something went wrong and we are looking into it."}

Therefore no score is available at all:

Log to the workflow run: link.

@rajbos
Contributor Author

rajbos commented Dec 8, 2022

Seems like this is caused by me following best practices and forking the action to my own org. This is not mentioned in the readme! Using the official action makes it work.

The readme only mentions this restriction for the actions that are used (which I do use from their source):

scorecard-action:v2 has a new requirement for the job running the ossf/scorecard-action step. The step running this job must belong to this approved list of GitHub actions:

"actions/checkout"
"actions/upload-artifact"
"github/codeql-action/upload-sarif"

So if the requirement also is ossf/scorecard-action needs to be the official one, then I suggest adding that to the readme as well (I'm happy to create the PR if this is the case).

Additionally, if that is the case then I would like to discuss the handling of this, since indeed this is overly permissive, not following best practices (forking), and not usable in an Enterprise Server environment (self-hosting the API). If so, I'll follow up in a different issue.

@naveensrinivasan
Member

So if the requirement also is ossf/scorecard-action needs to be the official one, then I suggest adding that to the readme as well (I'm happy to create the PR if this is the case).

Yes, that would be helpful. Thanks

Additionally, if that is the case then I would like to discuss the handling of this, since indeed this is overly permissive, not following best practices (forking), and not usable in an Enterprise Server environment (self-hosting the API). If so, I'll follow up in a different issue.

Only if you want to publish the results to the Scorecard API. If the flag is turned off, then it shouldn't be an issue.

We need to ensure that the results haven't been tampered with, and that is the reason for not allowing forks.
Validation code: https://github.com/ossf/scorecard-webapp/blob/c76ac3d895706d6e40e5973e7d09c6946da770bf/app/server/post_results.go#L170
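To make the allow-list requirement concrete (the three actions quoted from the README earlier in this thread, plus the official ossf/scorecard-action itself), here is an added, simplified check that extracts every `uses:` reference from a workflow file and flags any action that is not on that list. This is example code written for this thread, not the scorecard webapp's own validation in post_results.go; the allow-list contents, the two sample workflows and the fork name `example-fork-org` are constructed for the example, and the line-based `uses:` extraction is an assumption that stands in for a full YAML parse.

```python
import re

# Approved action references. Constructed for this example from the README
# excerpt quoted in this thread plus the official scorecard action; the
# authoritative list is the one enforced by the scorecard webapp.
ALLOWED_ACTIONS = {
    "actions/checkout",
    "actions/upload-artifact",
    "github/codeql-action/upload-sarif",
    "ossf/scorecard-action",
}

# Matches `- uses: owner/repo[/path]@ref` (quotes optional). Assumption: a
# line-based scan is enough for typical workflow files; a real validator
# would parse the YAML and walk jobs[*].steps[*].uses.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')


def parse_uses(workflow_text):
    """Return a list of (action_path, ref) tuples for every `uses:` line.

    References without an `@ref` (local `./` actions, docker://) get ref None
    so the caller can treat them as unpinned.
    """
    found = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        reference = m.group(1)
        if "@" in reference:
            path, ref = reference.rsplit("@", 1)
        else:
            path, ref = reference, None
        found.append((path, ref))
    return found


def check_workflow(workflow_text, allowed=ALLOWED_ACTIONS):
    """Return a list of violations; an empty list means every step uses an
    approved action. A fork such as example-fork-org/scorecard-action is
    rejected even though its code may be identical, because the publishing
    side cannot tell an honest fork from one that alters the results."""
    violations = []
    for path, ref in parse_uses(workflow_text):
        if path not in allowed:
            violations.append(f"{path}@{ref}: not in approved action list")
    return violations


# Constructed sample: the layout a scorecard workflow normally has.
OFFICIAL_WORKFLOW = """\
name: Scorecard analysis
on:
  push:
    branches: [ main ]
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - uses: actions/upload-artifact@v3
        with:
          name: SARIF file
          path: results.sarif
      - uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
"""

# Constructed sample: same workflow, but the scorecard step points at a fork
# (placeholder org name), which is the situation described in this issue.
FORKED_WORKFLOW = OFFICIAL_WORKFLOW.replace(
    "ossf/scorecard-action@v2", "example-fork-org/scorecard-action@v2"
)

if __name__ == "__main__":
    for name, text in (("official", OFFICIAL_WORKFLOW), ("forked", FORKED_WORKFLOW)):
        problems = check_workflow(text)
        print(name, "OK" if not problems else problems)
```

Running the block reports the official workflow as clean and the forked one with a single violation on the scorecard step. Note that the check is about which action is referenced, not about pinning: a workflow that references an approved action by a mutable tag still passes here, so a stricter pre-flight check could additionally require a full-length commit SHA for `ref`.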

@laurentsimon
Contributor

@rajbos is this the workflow that failed https://github.com/devops-actions/load-runner-info/blob/main/.github/workflows/ossf-analysis.yml?

It seems to be using only the Actions listed above. Is your integration in another workflow?

@rajbos
Contributor Author

rajbos commented Dec 16, 2022

Yes it is

@rajbos is this the workflow that failed https://github.com/devops-actions/load-runner-info/blob/main/.github/workflows/ossf-analysis.yml?

It seems to be using only the Actions listed above. Is your integration in another workflow?

Yes it is, but I have reverted back to the official actions. The link to the workflow execution mentioned above leads to a different version of the workflow file, which loaded the action from my fork organization "rajbos-actions/[email protected]" (as is considered best practice). So that is why this did not work.

Linked a new PR to make this explicit in the README.
