Fix repositoryUrl issues around GitHub Actions

This commit is contained in:
Justin Hutchings
2024-03-22 21:00:38 +00:00
parent 02b13f6b52
commit d9209374af
2 changed files with 31 additions and 2 deletions

View File

@@ -22,6 +22,19 @@ const npmChange: Change = {
]
}
const actionsChange: Change = {
manifest: 'workflow.yml',
change_type: 'added',
ecosystem: 'actions',
name: 'actions/checkout',
version: 'v3',
package_url: 'pkg:githubactions/actions@v3',
license: 'MIT',
source_repository_url: 'null',
scope: 'runtime',
vulnerabilities: []
}
test('Get scorecard from API', async () => {
const changes: Changes = [npmChange]
const scorecard = await getScorecardLevels(changes)
@@ -38,3 +51,11 @@ test('Get project URL from deps.dev API', async () => {
)
expect(result).not.toBeNull()
})
test('Handles Actions special case', async () => {
const changes: Changes = [actionsChange]
const result = await getScorecardLevels(changes)
expect(result).not.toBeNull()
expect(result.dependencies).toHaveLength(1)
expect(result.dependencies[0].scorecard?.score).toBeGreaterThan(0)
})

View File

@@ -17,8 +17,16 @@ export async function getScorecardLevels(
repositoryUrl = repositoryUrl.replace('https://', '')
}
// Handle the special case for GitHub Actions, where the repository URL is null
if (ecosystem === 'actions') {
// The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
// If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out
const parts = packageName.split('/')
repositoryUrl = `github.com/${parts[0]}/${parts[1]}` // e.g. github.com/actions/checkout
}
// If GitHub API doesn't have the repository URL, query deps.dev for it.
if (repositoryUrl) {
if (!repositoryUrl) {
// Call the deps.dev API to get the repository URL from there
repositoryUrl = await getProjectUrl(ecosystem, packageName, version)
}
@@ -70,4 +78,4 @@ export async function getProjectUrl(
}
}
return ''
}
}