🐛 Fix GitHub workflows failing

.github/workflows/main.yml

@@ -33,6 +33,8 @@ jobs:
        uses: actions/setup-go@331ce1d993939866bb63c32c6cbbfd48fa76fc57 # v2.1.3
        with:
          go-version: '^1.17'
+     - name: Install tools
+       run: make install
      - name: Run presubmit tests
        run: |
             go env -w GOFLAGS=-mod=mod
@@ -50,6 +52,7 @@ jobs:
       - name: Check license headers
         run: |
           go env -w GOFLAGS=-mod=mod
+          make install
           make all
           set -e
           addlicense -ignore "**/script-empty.sh" -ignore "pkg/testdata/*" -ignore "checks/testdata/*" -l apache -c 'Security Scorecard Authors' -v *

Makefile

@@ -165,7 +165,7 @@ dockerbuild: ## Runs docker build
 	DOCKER_BUILDKIT=1 docker build . --file Dockerfile --tag $(IMAGE_NAME)
 	KO_DATA_DATE_EPOCH=$(SOURCE_DATE_EPOCH) KO_DOCKER_REPO=${KO_PREFIX}/scorecard-ko CGO_ENABLED=0 LDFLAGS="$(LDFLAGS)" \
 	ko publish -B --bare --local \
-			   --platform=all \
+			   --platform=linux/amd64,linux/arm64,linux/386,linux/arm,darwin/amd64,darwin/arm64,windows/amd64,windows/386,windows/arm64,windows/arm \
 			   --push=false \
 			   --tags latest,$(GIT_VERSION),$(GIT_HASH) github.com/ossf/scorecard/v3
 	DOCKER_BUILDKIT=1 docker build . --file cron/controller/Dockerfile --tag $(IMAGE_NAME)-batch-controller

checks/pinned_dependencies.go

@@ -588,6 +588,7 @@ func getOSesForJob(job *gitHubActionWorkflowJob) ([]string, error) {
 		return job.RunsOn, nil
 	}
 	jobOSes := make([]string, 0)
+	// nolint: nestif
 	if m, ok := job.Strategy.Matrix.(map[string]interface{}); ok {
 		if osVal, ok := m["os"]; ok {
 			if oses, ok := osVal.([]interface{}); ok {

checks/pinned_dependencies_test.go

@@ -15,7 +15,6 @@
 package checks
 
 import (
-	"fmt"
 	"io/ioutil"
 	"strings"
 	"testing"
@@ -111,7 +110,7 @@ func TestGithubWorkflowPinning(t *testing.T) {
 
 			content, err = ioutil.ReadFile(tt.filename)
 			if err != nil {
-				panic(fmt.Errorf("cannot read file: %w", err))
+				t.Errorf("cannot read file: %v", err)
 			}
 
 			dl := scut.TestDetailLogger{}
@@ -202,7 +201,7 @@ func TestNonGithubWorkflowPinning(t *testing.T) {
 			} else {
 				content, err = ioutil.ReadFile(tt.filename)
 				if err != nil {
-					panic(fmt.Errorf("cannot read file: %w", err))
+					t.Errorf("cannot read file: %v", err)
 				}
 			}
 			dl := scut.TestDetailLogger{}
@@ -247,7 +246,7 @@ func TestGithubWorkflowPkgManagerPinning(t *testing.T) {
 
 			content, err = ioutil.ReadFile(tt.filename)
 			if err != nil {
-				panic(fmt.Errorf("cannot read file: %w", err))
+				t.Errorf("cannot read file: %v", err)
 			}
 
 			dl := scut.TestDetailLogger{}
@@ -371,7 +370,7 @@ func TestDockerfilePinning(t *testing.T) {
 			} else {
 				content, err = ioutil.ReadFile(tt.filename)
 				if err != nil {
-					panic(fmt.Errorf("cannot read file: %w", err))
+					t.Errorf("cannot read file: %v", err)
 				}
 			}
 			dl := scut.TestDetailLogger{}
@@ -415,7 +414,7 @@ func TestDockerfilePinningWihoutHash(t *testing.T) {
 
 			content, err = ioutil.ReadFile(tt.filename)
 			if err != nil {
-				panic(fmt.Errorf("cannot read file: %w", err))
+				t.Errorf("cannot read file: %v", err)
 			}
 			dl := scut.TestDetailLogger{}
 			s, e := testValidateDockerfileIsPinned(tt.filename, content, &dl)
@@ -600,7 +599,7 @@ func TestDockerfileScriptDownload(t *testing.T) {
 			} else {
 				content, err = ioutil.ReadFile(tt.filename)
 				if err != nil {
-					panic(fmt.Errorf("cannot read file: %w", err))
+					t.Errorf("cannot read file: %v", err)
 				}
 			}
 			dl := scut.TestDetailLogger{}
@@ -644,7 +643,7 @@ func TestDockerfileScriptDownloadInfo(t *testing.T) {
 
 			content, err = ioutil.ReadFile(tt.filename)
 			if err != nil {
-				panic(fmt.Errorf("cannot read file: %w", err))
+				t.Errorf("cannot read file: %v", err)
 			}
 			dl := scut.TestDetailLogger{}
 			s, e := testValidateDockerfileIsFreeOfInsecureDownloads(tt.filename, content, &dl)
@@ -753,7 +752,7 @@ func TestShellScriptDownload(t *testing.T) {
 			} else {
 				content, err = ioutil.ReadFile(tt.filename)
 				if err != nil {
-					panic(fmt.Errorf("cannot read file: %w", err))
+					t.Errorf("cannot read file: %v", err)
 				}
 			}
 			dl := scut.TestDetailLogger{}
@@ -808,7 +807,7 @@ func TestShellScriptDownloadPinned(t *testing.T) {
 
 			content, err = ioutil.ReadFile(tt.filename)
 			if err != nil {
-				panic(fmt.Errorf("cannot read file: %w", err))
+				t.Errorf("cannot read file: %v", err)
 			}
 
 			dl := scut.TestDetailLogger{}
@@ -885,7 +884,7 @@ func TestGitHubWorflowRunDownload(t *testing.T) {
 			} else {
 				content, err = ioutil.ReadFile(tt.filename)
 				if err != nil {
-					panic(fmt.Errorf("cannot read file: %w", err))
+					t.Errorf("cannot read file: %v", err)
 				}
 			}
 			dl := scut.TestDetailLogger{}
@@ -948,13 +947,13 @@ func TestGitHubWorkflowUsesLineNumber(t *testing.T) {
 			t.Parallel()
 			content, err := ioutil.ReadFile(tt.filename)
 			if err != nil {
-				t.Errorf("cannot read file: %w", err)
+				t.Errorf("cannot read file: %v", err)
 			}
 			dl := scut.TestDetailLogger{}
 			var pinned worklowPinningResult
 			_, err = validateGitHubActionWorkflow(tt.filename, content, &dl, &pinned)
 			if err != nil {
-				t.Errorf("error during validateGitHubActionWorkflow: %w", err)
+				t.Errorf("error during validateGitHubActionWorkflow: %v", err)
 			}
 			for _, expectedLog := range tt.expected {
 				isExpectedLog := func(logMessage checker.LogMessage, logType checker.DetailType) bool {
@@ -1059,12 +1058,12 @@ func TestGitHubWorkflowShell(t *testing.T) {
 			t.Parallel()
 			content, err := ioutil.ReadFile(tt.filename)
 			if err != nil {
-				t.Errorf("cannot read file: %w", err)
+				t.Errorf("cannot read file: %v", err)
 			}
 			var workflow gitHubActionWorkflowConfig
 			err = yaml.Unmarshal(content, &workflow)
 			if err != nil {
-				t.Errorf("cannot unmarshal file: %w", err)
+				t.Errorf("cannot unmarshal file: %v", err)
 			}
 			actualShells := make([]string, 0)
 			for _, job := range workflow.Jobs {
@@ -1073,7 +1072,7 @@ func TestGitHubWorkflowShell(t *testing.T) {
 					step := step
 					shell, err := getShellForStep(&step, &job)
 					if err != nil {
-						t.Errorf("error getting shell: %w", err)
+						t.Errorf("error getting shell: %v", err)
 					}
 					actualShells = append(actualShells, shell)
 				}

checks/shell_download_validate_test.go

@@ -77,7 +77,7 @@ func TestIsSupportedShellScriptFile(t *testing.T) {
 			var err error
 			content, err = ioutil.ReadFile(tt.filename)
 			if err != nil {
-				t.Errorf("cannot read file: %w", err)
+				t.Errorf("cannot read file: %v", err)
 			}
 			result := isSupportedShellScriptFile(tt.filename, content)
 			if result != tt.expected {

cron/data/blob_test.go

@@ -45,7 +45,7 @@ func TestGetBlobFilename(t *testing.T) {
 			t.Parallel()
 			datetime, err := time.Parse(inputTimeFormat, testcase.inputTime)
 			if err != nil {
-				t.Errorf("failed to parse testcase.inputTime %s: %w", testcase.inputTime, err)
+				t.Errorf("failed to parse testcase.inputTime %s: %v", testcase.inputTime, err)
 			}
 			gotFilename := GetBlobFilename(testcase.inputFilename, datetime)
 			if gotFilename != testcase.expectedFilename {

pkg/scorecard.go

@@ -91,7 +91,6 @@ func getRepoCommitHash(r clients.RepoClient, uri *repos.RepoURI) (string, error)
 	switch uri.RepoType() {
 	// URL.
 	case repos.RepoTypeURL:
-		//nolint:unwrapped
 		commits, err := r.ListCommits()
 		if err != nil {
 			return "", sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("ListCommits:%v", err.Error()))