Fix default branch verification (#778)

ppkarwasz · web-flow · commit 4fd77533bca1 · 2025-04-16T16:07:46.000-06:00
* Fix default branch verification In case the Scorecard action is used in a reusable GitHub workflow, the repository of the workflow can be different from the repository of the project being analyzed. Currently, the server checks that the branch for which the Scorecard is computed is the default branch of the repository containing the **reusable** workflow. This PR modifies the verification procedure to use the repository of the **calling** workflow instead. Closes #554 Signed-off-by: Piotr P. Karwasz <piotr@github.copernik.eu> * Fix linter error Signed-off-by: Piotr P. Karwasz <piotr@github.copernik.eu> --------- Signed-off-by: Piotr P. Karwasz <piotr@github.copernik.eu>
diff --git a/app/server/post_results.go b/app/server/post_results.go
@@ -177,18 +177,21 @@ func splitFullPath(path string) (org, repo, subPath string, ok bool) {
 	return parts[0], parts[1], parts[2], true
 }
 
+// splitRepoName extracts the org, repo from a full repository name.
+func splitRepoName(path string) (org, repo string, ok bool) {
+	parts := strings.SplitN(path, "/", 2)
+	if len(parts) < 2 {
+		return "", "", false
+	}
+	return parts[0], parts[1], true
+}
+
 // getAndVerifyWorkflowContent retrieves the workflow content from the repository and verifies it.
 // It verifies the branch is a default branch and gets the scorecard workflow from the repository
 // from the specific commit and verifies it to ensure that it hasn't been tampered with.
 func getAndVerifyWorkflowContent(ctx context.Context,
 	scorecardResult *models.VerifiedScorecardResult, info certInfo,
 ) error {
-	org, repo, path, ok := splitFullPath(info.workflowPath)
-	if !ok {
-		return fmt.Errorf("cert workflow path is malformed")
-	}
-	workflowRepoFullName := fullName(org, repo)
-
 	// Get the corresponding GitHub repository.
 	httpClient := http.DefaultClient
 	if scorecardResult.AccessToken != "" {
@@ -197,6 +200,11 @@ func getAndVerifyWorkflowContent(ctx context.Context,
 		}
 	}
 	client := github.NewClient(httpClient)
+	// Organization and repo of the project being analyzed
+	org, repo, ok := splitRepoName(info.repoFullName)
+	if !ok {
+		return fmt.Errorf("cert repository name is malformed")
+	}
 	repoClient, _, err := client.Repositories.Get(ctx, org, repo)
 	if err != nil {
 		return fmt.Errorf("error getting repository: %w", err)
@@ -209,14 +217,21 @@ func getAndVerifyWorkflowContent(ctx context.Context,
 		return verificationError{e: errNotDefaultBranch}
 	}
 
+	// Organization and repo of the (possibly) reusable workflow
+	workflowOrg, workflowRepo, path, ok := splitFullPath(info.workflowPath)
+	if !ok {
+		return fmt.Errorf("cert workflow path is malformed")
+	}
+	workflowRepoFullName := fullName(workflowOrg, workflowRepo)
+
 	// Use the cert commit SHA if the workflow file is in the repo being analyzed.
 	// Otherwise fall back to the workflowRef, which may be a commit SHA, or it may be more vague e.g. refs/heads/main
 	opts := &github.RepositoryContentGetOptions{Ref: info.repoSHA}
 	if workflowRepoFullName != info.repoFullName {
 		opts.Ref = info.workflowRef
 	}
 
-	contents, _, _, err := client.Repositories.GetContents(ctx, org, repo, path, opts)
+	contents, _, _, err := client.Repositories.GetContents(ctx, workflowOrg, workflowRepo, path, opts)
 	if err != nil {
 		return fmt.Errorf("error downloading workflow contents from repo: %w", err)
 	}
diff --git a/app/server/post_results_test.go b/app/server/post_results_test.go
@@ -219,6 +219,47 @@ func FuzzExtractCertInfo(f *testing.F) {
 	})
 }
 
+func Test_splitRepoName(t *testing.T) {
+	t.Parallel()
+	type results struct {
+		org, repo string
+		ok        bool
+	}
+	tests := []struct {
+		name string
+		path string
+		want results
+	}{
+		{
+			name: "valid path",
+			path: "org/repo",
+			want: results{
+				org:  "org",
+				repo: "repo",
+				ok:   true,
+			},
+		},
+		{
+			name: "malformed path",
+			path: "malformed",
+			want: results{
+				org:  "",
+				repo: "",
+				ok:   false,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			o, r, ok := splitRepoName(tt.path)
+			assert.Equal(t, tt.want.ok, ok)
+			assert.Equal(t, tt.want.org, o)
+			assert.Equal(t, tt.want.repo, r)
+		})
+	}
+}
+
 func Test_splitFullPath(t *testing.T) {
 	t.Parallel()
 	type results struct {
