Scorecard action fails - private repo with 0 commits

[naveensrinivasan]

The scorecard actions is failing for https://github.com/ossf-tests/ossf-scorecard-action-private-repo-tests which have 0 commits.

This is a private repo.

/usr/bin/docker run --name a95e45f949b376e24a46b610c0[8](https://github.com/ossf-tests/ossf-scorecard-action-private-repo-tests/runs/5486680969?check_suite_focus=true#step:4:8)418327d2d_764[9](https://github.com/ossf-tests/ossf-scorecard-action-private-repo-tests/runs/5486680969?check_suite_focus=true#step:4:9)fd --label 29a95e --workdir /github/workspace --rm -e INPUT_RESULTS_FILE -e INPUT_RESULTS_FORMAT -e INPUT_REPO_TOKEN -e INPUT_PUBLISH_RESULTS -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_RUN_ATTEMPT -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_REF_NAME -e GITHUB_REF_PROTECTED -e GITHUB_REF_TYPE -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e GITHUB_STEP_SUMMARY -e RUNNER_OS -e RUNNER_ARCH -e RUNNER_NAME -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/ossf-scorecard-action-private-repo-tests/ossf-scorecard-action-private-repo-tests":"/github/workspace" 29a95e:45f949b376e24a46b6[10](https://github.com/ossf-tests/ossf-scorecard-action-private-repo-tests/runs/5486680969?check_suite_focus=true#step:4:10)c08418327d2d
Event file: /github/workflow/event.json
Event name: push
Ref: refs/heads/main
Repository: ossf-tests/ossf-scorecard-action-private-repo-tests
Fork repository: false
Private repository: true
Publication enabled: false
Format: sarif
Policy file: /policy.yml
Default branch: refs/heads/main
2022/03/09 20:42:28 unable to get tarball tarball not found: https://api.github.com/repos/ossf-tests/ossf-scorecard-action-private-repo-tests/tarball/. Skipping...
2022/03/09 20:42:28 internal error: ListCommits:error during graphqlHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
panic: internal error: ListCommits:error during graphqlHandler.setup: internal error: githubv4.Query: Resource not accessible by integration

goroutine 1 [running]:
log.Panic(0xc0006c1aa8, 0x1, 0x1)
	log/log.go:354 +0xae
github.com/ossf/scorecard/v4/cmd.scorecardCmd(0x176e760, 0xc000402060, 0x0, 0x6)
	github.com/ossf/scorecard/v4/cmd/root.go:168 +0x7bf
github.com/spf[13](https://github.com/ossf-tests/ossf-scorecard-action-private-repo-tests/runs/5486680969?check_suite_focus=true#step:4:13)/cobra.(*Command).execute(0x[17](https://github.com/ossf-tests/ossf-scorecard-action-private-repo-tests/runs/5486680969?check_suite_focus=true#step:4:17)6e760, 0xc0000ca010, 0x6, 0x6, 0x176e760, 0xc0000ca010)
	github.com/spf13/[email protected]/command.go:860 +0x2c2
github.com/spf13/cobra.(*Command).ExecuteC(0x176e760, 0x177ee60, 0x0, 0xc000058778)
	github.com/spf13/[email protected]/command.go:974 +0x375
github.com/spf13/cobra.(*Command).Execute(...)
	github.com/spf13/[email protected]/command.go:902
github.com/ossf/scorecard/v4/cmd.Execute()
	github.com/ossf/scorecard/v4/cmd/root.go:104 +0x31
main.main()
	github.com/ossf/scorecard/v4/main.go:[21](https://github.com/ossf-tests/ossf-scorecard-action-private-repo-tests/runs/5486680969?check_suite_focus=true#step:4:21) +0x[25](https://github.com/ossf-tests/ossf-scorecard-action-private-repo-tests/runs/5486680969?check_suite_focus=true#step:4:25)

Scope of the token

[laurentsimon]

2022/03/09 20:42:28 unable to get tarball tarball not found: https://api.github.com/repos/ossf-tests/ossf-scorecard-action-private-repo-tests/tarball/. Skipping...
2022/03/09 20:42:28 internal error: ListCommits:error during graphqlHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
panic: internal error: ListCommits:error during graphqlHandler.setup: internal error: githubv4.Query: Resource not accessible by integration

seems to be what's failing, I think it has to do with the token ossf/scorecard#1097

[naveensrinivasan]

What is required here to make it run? Any workarounds?

[laurentsimon]

Need to be able to reproduce the problem. githubv4.Query is a problem we came across when using default GITHUB_TOKEN, but not PATs. Can confirm verify the PAT is still valid, ie not expired?

I suppose no commit means no tarball, hence why it's failing. If that's the case, it's a scorecard issue rather than a scorecard action issue. wdut?

[naveensrinivasan]

Need to be able to reproduce the problem. githubv4.Query is a problem we came across when using default GITHUB_TOKEN, but not PATs. Can confirm verify the PAT is still valid, ie not expired?

I just created a token for this and I am sure it is not expired.

I suppose no commit means no tarball, hence why it's failing. If that's the case, it's a scorecard issue rather than a scorecard action issue. wdut?

I agree. @azeemshaikh38 I think this scorecard issue. Thoughts?

[azeemshaikh38]

Failing to get tarball itself is an issue we should investigate, but also not able to fetch tarball will not result in 0 commits. Makes me feel like this is a token permission problem.

@naveensrinivasan could you confirm that the token you are using has the right permissions? Note that you'll need to give the token full permissions to read your private repos.

[naveensrinivasan]

@azeemshaikh38 Here is the permission

also I am not using the standard GitHub token

[azeemshaikh38]

Looks like the Scorecard run is now succeeding? - https://github.com/ossf-tests/ossf-scorecard-action-private-repo-tests/runs/5486754792?check_suite_focus=true

The new error has to do with enabling Advanced Security - https://github.blog/changelog/2021-01-07-github-advanced-security-can-now-be-enabled-disabled-at-the-repository-or-organization-level/

[laurentsimon]

Good find, I've added this to the list of doc update we need to do #80

[azeemshaikh38]

Might also want to include in documentation that private repo PATs require more scope than just :public_repo.

[laurentsimon]

it's included by default, AFAIK

[azeemshaikh38]

I think we need the full control of private repo scope which isn't default from what I see here - https://github.com/ossf/scorecard-action/#authentication

[naveensrinivasan]

Looks like the Scorecard run is now succeeding? - https://github.com/ossf-tests/ossf-scorecard-action-private-repo-tests/runs/5486754792?check_suite_focus=true

The new error has to do with enabling Advanced Security - https://github.blog/changelog/2021-01-07-github-advanced-security-can-now-be-enabled-disabled-at-the-repository-or-organization-level/

We can't do that for private repo. We need to buy that feature

[laurentsimon]

+1 on verifying this, looks like you may be right and that public_repo only gives access to public repos https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes

[laurentsimon]

I have an org to test which has access to enterprise for private repo: https://github.com/test-organization-ls. Tell me a repo name you want, I'll create it

[naveensrinivasan]

scorecard-action-private-repo-tests

[laurentsimon]

done https://github.com/test-organization-ls/scorecard-action-private-repo-tests
It's public for now, can change once we have populated the info (sent you an invite)

[naveensrinivasan]

done https://github.com/test-organization-ls/scorecard-action-private-repo-tests
It's public for now, can change once we have populated the info (sent you an invite)

OK, I will wait for it.

[naveensrinivasan]

OK, I was able to create a scorecard action in a private repository.

https://github.com/test-organization-ls/scorecard-action-private-repo-tests

If the action fails it create an issue in scorecard-action repository

name: Scorecards supply-chain security
on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    - cron: '0 2 * * *'
  push:
    branches: [ main ]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      actions: read
      contents: read

    steps:
      - name: "Checkout code"
        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@main
        with:
          results_file: results.sarif
          results_format: sarif
          # Read-only PAT token. To create it,
          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          # Publish the results to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories, `publish_results` will automatically be set to `false`,
          # regardless of the value entered here.
          publish_results: true

      # Upload the results as artifacts (optional).
      - name: "Upload artifact"
        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
        with:
          sarif_file: results.sarif
  run-if-failed:
    runs-on: ubuntu-latest
    needs: [analysis]
    if: always() && (needs.analysis.result == 'failure')
    steps:
      - name: Create issue
        uses: bryannice/gitactions-git-issue-creation@cec3e85f7c6b9038833f612e9503a2fa79ec6cfb
        env:
          GITHUB_TOKEN: ${{ secrets.SCORECARD_TOKEN }}
          GITHUB_COMMIT_SHA: ${{ github.sha }}
          GITHUB_REPO_OWNER: 'ossf'
          GITHUB_REPO_NAME: 'scorecard-action'
          GITHUB_ISSUE_TITLE: 'test-organization-ls/scorecard-action-private-repo-tests failed'
          GITHUB_ISSUE_BODY: 'test-organization-ls/scorecard-action-private-repo-tests failed'

[laurentsimon]

This is cool!!