Using this action getting error

[marswed]

name: Scorecards supply-chain security
on:

Only the default branch is supported.

branch_protection_rule:
schedule:
# Weekly on Saturdays.
- cron: '30 1 * * 6'

push:
branches: [ master ]

Declare default permissions as read only.

permissions: read-all

jobs:
analysis:
name: Scorecards analysis
runs-on: ubuntu-latest
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
actions: read
contents: read

steps:
  - name: "Checkout code"
    #uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
    uses: actions/[email protected]
    
    with:
      persist-credentials: false

  - name: "Run analysis"
    #uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
    uses: ossf/[email protected]
    
    with:
      results_file: results.sarif
      results_format: sarif
      # Read-only PAT token. To create it,
      # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
      #repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
      repo_token: ${{ secrets.SCORECARD2_READ_TOKEN || github.token }}
      
      # Publish the results to enable scorecard badges. For more details, see
      # https://github.com/ossf/scorecard-action#publishing-results.
      # For private repositories, `publish_results` will automatically be set to `false`,
      # regardless of the value entered here.
      publish_results: true

  # Upload the results as artifacts (optional).
  - name: "Upload artifact"
    #uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
    uses: actions/[email protected]
    with:
      name: SARIF file
      path: results.sarif
      retention-days: 5

  # Upload the results to GitHub's code scanning dashboard.
  - name: "Upload to code-scanning"
    #uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
    uses: github/codeql-action/[email protected]
    with:
      sarif_file: results.sarif

[laurentsimon]

Thanks for the report. We've seen this error before and thought it was fixed. Could you:

1. Re-run the workflow to see if it happens again (on a push)?
2. Use laurentsimon/scorecard-action@bug/nullpush and run it again on a push? This is part of this ✨ Add more info to logs #155 that adds more info to the logs to help us understand why it's happening.

Thanks for your patience!

[marswed]

Hello @laurentsimon
We whitelist the action laurentsimon/scorecard-action@bug/nullpush, now we are getting 404 error , could be that we are using GitHub Enterprise EMU?

[laurentsimon]

some questions to help me try to reproduce the problem:

1. Does this error occur for every run or intermittently?
2. What permissions does your PAT have?
3. Which trigger does this problem occur with? pull_request, push, etc?

[marswed]

@laurentsimon
1.-This error occurs every run.
2.- repo >blank
admin:org > read:org
admin:repo_hook > read:repo_hook
write:discussion > read:discussion

3.- all

Note: our GitHub Enterprise Cloud is with EMU (Enterprise Managed User) ** Could be this problem that not allow public?

[azeemshaikh38]

AFAIK, GitHub Enterprise repositories use a different API endpoint (see ossf/scorecard#660). If this is the case here, the failures are happening because Scorecard only queries the default API endpoint. The easiest way to confirm this is to run Scorecard CLI on your repo:

GITHUB_AUTH_TOKEN=<PAT> scorecard --repo=<URL>

It should be a simple refactoring to update the API URL we query. Let us know if this is really the issue and we can figure out how to prioritize supporting enterprise customers. As always, any PRs/contributions are very helpful and much appreciated.

[azeemshaikh38]

closing this due to inactivity. For tracking Scorecard support on Enterprise GH servers please use ossf/scorecard#660