BUG: Pinned-Dependencies fails for jobs with complex matrix-defined OS

[pnacht]

Describe the bug
Jobs with matrix-defined OS can cause an internal error in Pinned-Dependencies.

Reproduction steps
Steps to reproduce the behavior:

1. scorecard --repo apache/beam --checks Pinned-Dependencies --show-details --format json

Error: check runtime error: Pinned-Dependencies: internal error: internal error: unable to determine OS for job: Build python wheels on ${{matrix.arch}} for ${{ matrix.os_python.os }}

...
  "checks": [
    {
      "details": null,
      "score": -1,
      "reason": "internal error: internal error: unable to determine OS for job: Build python wheels on ${{matrix.arch}} for ${{ matrix.os_python.os }}",
      "name": "Pinned-Dependencies",
      ...
    }
  ],
...

The relevant job is here and is defined below. Note that the OS isn't simply a value of the matrix, but a component of a JSON object defined by the matrix:

  build_wheels:
    name: Build python wheels on ${{matrix.arch}} for ${{ matrix.os_python.os }}
    needs:
      - check_env_variables
      - build_source
    env:
      CIBW_ARCHS_LINUX: ${{matrix.arch}}
    runs-on: ${{ matrix.os_python.os }}
    strategy:
      matrix:
        os_python: [
          {"os": "ubuntu-latest", "python": "${{ needs.check_env_variables.outputs.py-versions-full }}" },
          {"os": "macos-latest", "python": "${{ needs.check_env_variables.outputs.py-versions-test }}" },
          {"os": "windows-latest", "python": "${{ needs.check_env_variables.outputs.py-versions-test }}" },
        ]
        arch: [auto]
        include:
          - os_python: {"os": "ubuntu-latest", "python": "${{ needs.check_env_variables.outputs.py-versions-test }}" }
            arch: aarch64
    # ...

Expected behavior
The case should be handled normally (why does Scorecard need to determine the OS?).

If this edge case is too complex to be worth the effort, Scorecard should then ignore failed jobs (with a warning in the details) but run the rest of the Pinned-Dependencies check normally.

[abs007]

GetOSesForJob() checks the OS'es a particular job's steps runs on. If it's all windows, then the pwsh shell doesnt get matched here.

For taking care of the edge case (which seems to be an issue in parsing the workflow yaml), the err message: unable to determine OS for job can be checked over here and then continue if its this error.

Of course, the better soln would be to improve yaml parsing inside the GetOSesForJob() func.

[diogoteles08]

Same issue is happening when running Scorecard for github.com/AcademySoftwareFoundation/openexr. For this project, the bug is happening because of this job.

This was discussed in AcademySoftwareFoundation/openexr#1535 , cc @cary-ilm

[diogoteles08]

Also, this issue is related to #3316