Open lelia opened 7 months ago
Haven't dug into it too much, but I think the fix from #295 didn't take advantage of new fulcio fields. I think this could be resolved based on the fields we check. https://github.com/ossf/scorecard-webapp/blob/f1b48c0346aaaaf8edb18c77797e5c71daa87ce3/app/server/post_results.go#L508-L528
Currently we grab (quotes from this doc):
Whereas there are some newer fields that will hopefully give us the details we need to distinguish between the default branch of the calling repo, and not care about the branch of the re-usable workflow repo.
I seem to remember these fields distinguish between the source (repo which calls the re-usable workflow) and the build signer (repo the reusable workflow is in). But someone would need to double check I didn't flip those definitions:
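As an added example (not code from scorecard-webapp or from the comment above), here is how a Go verifier can read the newer Fulcio extensions and check only the calling repository's ref against that repository's default branch, leaving the Build Signer repository out of the branch comparison. The OIDs are the ones Fulcio publishes for these fields; the certificate fixture, the `example-org/reusable-workflows` URL, and the function names are constructed for the example.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Fulcio GitHub OIDs under 1.3.6.1.4.1.57264.1; these newer fields are DER-encoded
// UTF8Strings, unlike the older raw-string fields (.5 repository, .6 ref).
var (
	oidBuildSignerURI      = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 9}  // repo hosting the reusable workflow
	oidSourceRepositoryURI = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 12} // calling repo
	oidSourceRepositoryRef = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 14} // ref the calling workflow ran on
)

// extString decodes a UTF8String extension; "" when absent or malformed, so it never matches.
func extString(cert *x509.Certificate, oid asn1.ObjectIdentifier) string {
	for _, e := range cert.Extensions {
		var s string
		// Only accept a well-formed string with no trailing bytes for the wanted OID.
		if rest, err := asn1.Unmarshal(e.Value, &s); e.Id.Equal(oid) && err == nil && len(rest) == 0 {
			return s
		}
	}
	return ""
}

// VerifyCallerDefaultBranch checks the calling repository and its ref only. The Build Signer
// URI (where the reusable workflow lives) is never compared with defaultBranch, so a reusable
// workflow hosted on a repo whose default branch is "develop" does not cause a failure.
func VerifyCallerDefaultBranch(cert *x509.Certificate, repoURL, defaultBranch string) error {
	if src := extString(cert, oidSourceRepositoryURI); src != repoURL {
		return fmt.Errorf("source repository %q is not %q", src, repoURL)
	}
	if ref, want := extString(cert, oidSourceRepositoryRef), "refs/heads/"+defaultBranch; ref != want {
		return fmt.Errorf("source ref %q is not the default branch ref %q", ref, want)
	}
	return nil
}

// ConstructedCert is an in-memory fixture, not a Fulcio-issued certificate. Its Extensions
// hold the raw extnValue bytes exactly as x509.ParseCertificate would populate them.
func ConstructedCert(signerURL, sourceURL, sourceRef string) *x509.Certificate {
	ext := func(oid asn1.ObjectIdentifier, v string) pkix.Extension {
		der, _ := asn1.MarshalWithParams(v, "utf8") // force UTF8String; plain Marshal would emit PrintableString
		return pkix.Extension{Id: oid, Value: der}
	}
	return &x509.Certificate{Extensions: []pkix.Extension{ext(oidBuildSignerURI, signerURL),
		ext(oidSourceRepositoryURI, sourceURL), ext(oidSourceRepositoryRef, sourceRef)}}
}
```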
Problem Description
Although reusable workflows are now supported, when using the Scorecard Action I hit an edge case at the branch verification stage when the repository hosting the reusable workflow file has a different default branch (in our case, `develop`) than the repository calling the workflow (`main`).
Example showing workflow verification failure on the calling workflow: https://github.com/cisco-ospo/sample-project/actions/runs/7719025635/job/21041490540#step:4:1294
To test this, I temporarily swapped the default branch from `develop` to `main` on the reusable workflow host repository, then successfully reran the above workflow: https://github.com/cisco-ospo/sample-project/actions/runs/7719144312/job/21041843243#step:4:1293
Steps to Reproduce
- `dev` or `develop`
- `main`
- `publish_results` set to `true`
Let me know if any other details would be of use!