OSS-Fuzz client download attempt even though the disabled in policy #2725
Comments
|
As of #2719 this behavior should no longer occur, although it hasn't made its way to a release yet. The
there's no support for this currently, but it would be an easy fix. However sounds like you just want to prevent the download which should be fixed already. Feel free to re-open. |
|
@spencerschrock should we cut a release? Its been a while anyways. |
|
Thanks! Eagerly awaiting that release 👍. |
|
The new release (https://github.com/ossf/scorecard/releases/tag/v4.10.4) works! Closing this issue. |
Is your feature request related to a problem? Please describe.
Hi folks, I am trying to get the scorecard to run on a self-hosted runner and I keep running into the error for the OSS Fuzz client:
Error: GetClients: getting OSS-Fuzz repo client: error during InitRepo: repo unreachable: GET https://api.github.com/repos/google/oss-fuzz: 401 Bad credentials []This has 2 causes:
In my opinion, these are valid reasons to only download the OSS-Fuzz client if it is enabled in the policy (I have it disabled), or else I should be able to give it an alternative token to use for downloading the client.
Describe the solution you'd like
Do not attempt to download the OSS Fuzz client if the policy is disabled. That setting should be used in the GetClients call here.
Describe alternatives you've considered
Having a different token for downloading the clients, or perhaps even download the clients from a different url (I can host it on our GHES server itself for example.
Additional context
Needed for any user running on GHES with locked down private runners.
Linked to this issue that tried to solve this (and succeeded for their intent):
Remove download of unnecessary tarball
#1697
The text was updated successfully, but these errors were encountered: