Open jasonkarns opened 1 month ago
Hi @jasonkarns, I tried to repro this issue but I get a different URL which works fine. You can see the URL in the build log here: https://github.com/varunsh-coder/scorecard-action-1386/actions/runs/9454632039/job/26042617909#step:4:700
Can you please share a link to a scorecard-action workflow run where you got this URL?
The run is behind GitHub's code scanning, which isn't part of the public Actions runs. It's under the private Security tab: https://github.com/nodenv/node-build/security/code-scanning/15
The link URL is: https://app.stepsecurity.io/secureworkflow/github.com/nodenv/node-build/version.yml/main?enable=permissions
It seems an extra github.com is being inserted here, and it must have been introduced between v2.3.1 and v2.3.3 (which correspond to v4.13.1 and v5.0.0-rc2 of scorecard), causing the link to 404.
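To make the reported regression concrete, here is an added Go example (not scorecard-action's own code) that builds a StepSecurity secure-workflow remediation link and checks it for the broken shape described above. The link layout it produces is an assumption taken from the reported URL with the stray `github.com` segment removed; `secureWorkflowURL` and `hasDoubledHost` are hypothetical names.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Assumed base of the remediation service, taken from the link in the report.
const secureWorkflowBase = "https://app.stepsecurity.io/secureworkflow/"

// secureWorkflowURL builds the remediation link for one workflow file.
// repo may arrive as "owner/name" or as a full "github.com/owner/name" path;
// the host is stripped so it is never inserted into the path a second time,
// which is the defect this issue describes. (Hypothetical helper.)
func secureWorkflowURL(repo, workflowFile, branch string) (string, error) {
	repo = strings.TrimPrefix(repo, "https://")
	repo = strings.TrimPrefix(repo, "github.com/")
	parts := strings.Split(strings.Trim(repo, "/"), "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", fmt.Errorf("repo must be owner/name, got %q", repo)
	}
	u, err := url.Parse(secureWorkflowBase)
	if err != nil {
		return "", err
	}
	// Only the workflow file name is used, not its .github/workflows/ prefix.
	u.Path = path.Join(u.Path, parts[0], parts[1], path.Base(workflowFile), branch)
	q := u.Query()
	q.Set("enable", "permissions")
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// hasDoubledHost reports whether a remediation link carries a "github.com"
// segment inside its path, the shape of the 404ing link in this issue.
// It is a cheap regression check for generated remediation links.
func hasDoubledHost(link string) bool {
	u, err := url.Parse(link)
	if err != nil {
		return false
	}
	for _, seg := range strings.Split(u.Path, "/") {
		if seg == "github.com" {
			return true
		}
	}
	return false
}

func main() {
	// Constructed input matching the repository named in the report.
	link, err := secureWorkflowURL("github.com/nodenv/node-build", ".github/workflows/version.yml", "main")
	if err != nil {
		panic(err)
	}
	fmt.Println(link, "doubled host:", hasDoubledHost(link))
}
```

Running the block prints the link without the duplicated host segment; the `hasDoubledHost` check is the kind of assertion a release test could run over every generated remediation link to catch this class of regression before it reaches code-scanning alerts.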
I was looking at this briefly to see if it was something we could address before the next release this week, and I'm actually unable to replicate.
Copy/pasted from my security tab in a test repo:
.github/workflows/ref.yml:1 name: test ref score is 0: no topLevel permission defined Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.
The description of this alert:
contains a link. The link generated is: https://app.stepsecurity.io/secureworkflow but the URL is wrong and gets a 404.