✨ Pull request support for GitHub action #1222
7ea466a to 139b1fd
actions/Dockerfile (outdated)
@@ -12,9 +12,8 @@ | |||
# See the License for the specific language governing permissions and | |||
# limitations under the License. | |||
|
|||
# Testing: docker run -e INPUT_SARIF_FILE=results.sarif -e GITHUB_WORKSPACE=/ -e INPUT_POLICY_FILE="/policy.yml" -e INPUT_REPO_TOKEN=$GITHUB_AUTH_TOKEN -e GITHUB_REPOSITORY="ossf/scorecard" laurentsimon/scorecard-action:latest | |||
# Testing: docker run -e GITHUB_EVENT_NAME=pull_request -e INPUT_SARIF_FILE=results.sarif -e GITHUB_WORKSPACE=/ -e INPUT_POLICY_FILE="/policy.yml" -e INPUT_REPO_TOKEN=$GITHUB_AUTH_TOKEN -e GITHUB_REPOSITORY="ossf/scorecard" laurentsimon/scorecard-action:latest |
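Review bot: the new test line still passes the token by value, `-e INPUT_REPO_TOKEN=$GITHUB_AUTH_TOKEN`, so the expanded secret lands in the docker client's argv (visible to `ps` on the host) and in the container's stored config; `-e INPUT_REPO_TOKEN` with no value forwards it from the calling shell's environment and keeps it off the command line (export it under that name first, since the names differ here). Replacing the old line also drops the only documented invocation for the non-pull_request path, which matters now that the action is given GITHUB_EVENT_NAME to branch on; keep a second line for push, or state which event the action assumes when the variable is unset. Pinning the test image to a digest rather than `laurentsimon/scorecard-action:latest` would also make the documented run reproducible.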
This is not part of this PR, but could we also please change the base image? This reduces the attack vector.
Distroless images don't support a shell, so to use distroless we need to remove the shell script and create another Go project to call as a binary. Doable, but it needs some work.
We also have this tracking issue: #1072
1194c68 to de8b0b0
This adds support for pull requests in the GH action.
No breaking changes.
The changes required updating how we generate our SARIF results.
github/codeql-action#811 is an improvement that would be nice, but it is non-blocking.
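The review comment above notes that a distroless base image cannot run the action's shell entrypoint, and the PR itself adds a pull_request path selected by GITHUB_EVENT_NAME. The following is an added example, not the scorecard-action's own code: a Go stand-in for that entrypoint which reads the same INPUT_* and GITHUB_* variables the Dockerfile test line sets, picks the commit to analyse from the event type, and returns the argv it would hand to the scorecard binary. The scorecard flag names, the `pull_request.head.sha` field path, and the constructed sample payload and environment are assumptions made for this example.

```go
// Added example, not the scorecard-action's own code: a Go replacement for a
// shell entrypoint, so the action can run from a shell-less (distroless)
// image. Flag names and the event-JSON field path are assumptions.
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// Getenv abstracts os.Getenv so the decision logic can be tested offline.
type Getenv func(string) string

// prEvent covers the one field of the pull_request payload used here.
type prEvent struct {
	PullRequest struct {
		Head struct {
			SHA string `json:"sha"`
		} `json:"head"`
	} `json:"pull_request"`
}

// sampleEvent is a constructed payload standing in for $GITHUB_EVENT_PATH.
const sampleEvent = `{"pull_request":{"number":1222,"head":{"sha":"0123456789abcdef0123456789abcdef01234567"}}}`

// demoEnv is a constructed environment mirroring the Dockerfile's test line,
// used when the program is run outside a workflow.
var demoEnv = map[string]string{
	"GITHUB_EVENT_NAME": "pull_request",
	"GITHUB_REPOSITORY": "ossf/scorecard",
	"INPUT_REPO_TOKEN":  "<token>",
	"INPUT_POLICY_FILE": "/policy.yml",
}

// commitFor picks the commit to analyse. On pull_request, GITHUB_SHA is the
// synthetic merge commit, so the PR head SHA is read from the event instead.
func commitFor(getenv Getenv, event []byte) (string, error) {
	switch name := getenv("GITHUB_EVENT_NAME"); name {
	case "", "push":
		if sha := getenv("GITHUB_SHA"); sha != "" {
			return sha, nil
		}
		return "", errors.New("GITHUB_SHA is not set")
	case "pull_request":
		var ev prEvent
		if err := json.Unmarshal(event, &ev); err != nil {
			return "", fmt.Errorf("parse event payload: %w", err)
		}
		if ev.PullRequest.Head.SHA == "" {
			return "", errors.New("event payload has no pull_request.head.sha")
		}
		return ev.PullRequest.Head.SHA, nil
	default:
		return "", fmt.Errorf("unsupported GITHUB_EVENT_NAME %q", name)
	}
}

// buildArgs assembles the scorecard argv. The token is required but is never
// placed on the command line: it stays in the child's environment, out of ps.
func buildArgs(getenv Getenv, event []byte) ([]string, error) {
	repo := getenv("GITHUB_REPOSITORY")
	if repo == "" {
		return nil, errors.New("GITHUB_REPOSITORY is not set")
	}
	if getenv("INPUT_REPO_TOKEN") == "" {
		return nil, errors.New("INPUT_REPO_TOKEN is not set")
	}
	commit, err := commitFor(getenv, event)
	if err != nil {
		return nil, err
	}
	args := []string{"--repo=" + repo, "--commit=" + commit, "--format=sarif"}
	if p := getenv("INPUT_POLICY_FILE"); p != "" {
		args = append(args, "--policy-file="+p)
	}
	return args, nil
}

// loadEvent reads $GITHUB_EVENT_PATH when set, else the constructed sample.
func loadEvent(getenv Getenv) ([]byte, error) {
	if p := getenv("GITHUB_EVENT_PATH"); p != "" {
		return os.ReadFile(p)
	}
	return []byte(sampleEvent), nil
}

func main() {
	getenv := Getenv(os.Getenv)
	if os.Getenv("GITHUB_REPOSITORY") == "" {
		getenv = func(k string) string { return demoEnv[k] }
	}
	event, err := loadEvent(getenv)
	if err == nil {
		var args []string
		if args, err = buildArgs(getenv, event); err == nil {
			fmt.Println("scorecard", args)
			return
		}
	}
	fmt.Fprintln(os.Stderr, "entrypoint:", err)
	os.Exit(1)
}
```

Run inside a workflow container it uses the real environment and event file; run bare it falls back to the constructed demo values and prints the argv it would execute. Keeping the token out of argv is the point of returning flags only and letting the child inherit the environment.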