Enable support for OpenSSF Badges instead of only scores

Author: rajbos

.github/workflows/test_action_locally.yml

@@ -0,0 +1,161 @@
+name: Test the action
+on: 
+  push:
+
+permissions:
+  contents: read
+
+jobs:
+  normal-run:
+    name: normal
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-node@v3
+      with:
+        node-version: '16.19.0'
+        cache: 'npm'
+
+    - name: Install dependencies
+      run: npm ci   
+
+    - name: Build
+      run: npm run build
+
+    - name: Create the reporting folder
+      run: mkdir reporting        
+      
+    - uses: ./ # uses the action in the current directory
+      id: scorecard
+      with:
+        scope: reporting/scope.json
+        database: reporting/database.json
+        report: reporting/openssf-scorecard-report.md
+        discovery-enabled: true
+        discovery-orgs: UlisesGascon
+        # The token is needed to create issues, discovery mode and pushing changes in files
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+    
+    - name: Show output in job summary
+      run: cat reporting/openssf-scorecard-report.md >> $GITHUB_STEP_SUMMARY
+
+    - name: Upload the output files
+      uses: actions/upload-artifact@v3
+      with:
+        name: report
+        path: reporting/*.*
+    
+    # todo: test the result files to see if they have content that is correct
+    - name: Test if the output files have content
+      run: |
+        # test if the markdown file has content
+        if [ -s reporting/openssf-scorecard-report.md ]; then
+          echo "The markdown file has content"
+        else
+          echo "The markdown file is empty"
+          exit 1
+        fi
+
+        # test if the database file has content
+        if [ -s reporting/database.json ]; then
+          echo "The database file has content"
+        else
+          echo "The database file is empty"
+          exit 1
+        fi
+
+        # test if the scope file has content
+        if [ -s reporting/scope.json ]; then
+          echo "The scope file has content"
+        else
+          echo "The scope file is empty"
+          exit 1
+        fi
+
+    - name: test the actions' output
+      env:
+        OUTPUT: ${{ steps.scorecard.outputs.scores }}
+      run: |
+        if [ -z "$OUTPUT" ]; then
+          echo "The output of the action is empty"
+          exit 1
+        else
+          echo "The output of the action is not empty, which is correct"
+        fi
+
+  with-badges-run:
+    name: wih OSSF badges
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-node@v3
+      with:
+        node-version: '16.19.0'
+        cache: 'npm'
+
+    - name: Install dependencies
+      run: npm ci   
+
+    - name: Build
+      run: npm run build
+
+    - name: Create the reporting folder
+      run: mkdir reporting        
+      
+    - uses: ./ # uses the action in the current directory
+      with:
+        scope: reporting/scope.json
+        database: reporting/database.json
+        report: reporting/openssf-scorecard-report.md
+        discovery-enabled: true
+        discovery-orgs: UlisesGascon
+        # The token is needed to create issues, discovery mode and pushing changes in files
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        render-badge: true
+    
+    - name: Show output in job summary
+      run: cat reporting/openssf-scorecard-report.md >> $GITHUB_STEP_SUMMARY
+
+    - name: Upload the output files
+      uses: actions/upload-artifact@v3
+      with:
+        name: report
+        path: reporting/*.*
+
+    # todo: test the result files to see if they have content that is correct
+    - name: Test if the output files have content
+      run: |
+        # test if the markdown file has content
+        if [ -s reporting/openssf-scorecard-report.md ]; then
+          echo "The markdown file has content"
+        else
+          echo "The markdown file is empty"
+          exit 1
+        fi
+
+        # test if the database file has content
+        if [ -s reporting/database.json ]; then
+          echo "The database file has content"
+        else
+          echo "The database file is empty"
+          exit 1
+        fi
+
+        # test if the scope file has content
+        if [ -s reporting/scope.json ]; then
+          echo "The scope file has content"
+        else
+          echo "The scope file is empty"
+          exit 1
+        fi
+
+    - name: test the actions' output
+      env:
+        OUTPUT: ${{ steps.scorecard.outputs.scores }}
+      run: |
+        if [ -z "$OUTPUT" ]; then
+          echo "The output of the action is empty"
+          exit 1
+        else
+          echo "The output of the action is not empty, which is correct"
+        fi

README.md

@@ -109,10 +109,10 @@ jobs:
 - `max-request-in-parallel`: Defines the total HTTP Request that can be done in parallel
 - `discovery-enabled`: Defined if the discovery is enabled
 - `discovery-orgs`: List of organizations to be includes in the discovery, example: `discovery-orgs: owasp,nodejs`. The OpenSSF Scorecard API is case sensitive, please use the same organization name as in the github url, like: https://github.com/NodeSecure is `NodeSecure` and not `nodesecure`. [See example](https://github.com/NodeSecure/Governance/issues/21#issuecomment-1474770986)
-- `report-tags-enabled`: Defines if the markdown report must be created/updated around tags by default is disabled. This is useful if the report is going to be include in a file that has other content on it, like docusaurus docs site or similar.
-- `report-start-tag`: Defines the start tag, default `<!-- OPENSSF-SCORECARD-MONITOR:START -->`
-- `report-end-tag` Defines the closing tag, default `<!-- OPENSSF-SCORECARD-MONITOR:END -->`
-
+- `report-tags-enabled`: Defines if the markdown report must be created/updated around tags by default is disabled. This is useful if the report is going to be include in a file that has other content on it, like docusaurus docs site or similar
+- `report-start-tag` Defines the start tag, default `<!-- OPENSSF-SCORECARD-MONITOR:START -->`
+- `report-end-tag`: Defines the closing tag, default `<!-- OPENSSF-SCORECARD-MONITOR:END -->`
+- `render-badge`: Defines if the OpenSSF badge must be rendered in the reportor to only show the score
 
 ### Outputs
 

action.yml

@@ -55,6 +55,10 @@ inputs:
     description: 'Maximum number of HTTP requests to be executed in parallel'
     required: false
     default: "10"
+  render-badge:
+    description: 'Render the OSSF badge in the report'
+    required: false
+    default: "false"
 
 outputs:
   scores:

dist/index.js

@@ -27711,7 +27711,7 @@ const generateScope = async ({ octokit, orgs, scope, maxRequestInParallel }) =>
   return newScope
 }
 
-const generateScores = async ({ scope, database: currentDatabase, maxRequestInParallel, reportTagsEnabled }) => {
+const generateScores = async ({ scope, database: currentDatabase, maxRequestInParallel, reportTagsEnabled, renderBadge }) => {
   // @TODO: Improve deep clone logic
   const database = JSON.parse(JSON.stringify(currentDatabase))
   const platform = 'github.com'
@@ -27770,8 +27770,8 @@ const generateScores = async ({ scope, database: currentDatabase, maxRequestInPa
 
   core.debug('All the scores are already collected')
 
-  const reportContent = await generateReportContent(scores, reportTagsEnabled)
-  const issueContent = await generateIssueContent(scores)
+  const reportContent = await generateReportContent(scores, reportTagsEnabled, renderBadge)
+  const issueContent = await generateIssueContent(scores, renderBadge)
 
   // SET OUTPUTS
   core.setOutput('scores', scores)
@@ -27834,20 +27834,20 @@ const saveScore = ({ database, platform, org, repo, score, date, commit }) => {
   repoRef.current = { score, date, commit }
 }
 
-const generateReportContent = async (scores, reportTagsEnabled) => {
+const generateReportContent = async (scores, reportTagsEnabled, renderBadge) => {
   core.debug('Generating report content')
   const template = await readFile(__nccwpck_require__.ab + "report.ejs", 'utf8')
-  return ejs.render(template, { scores, reportTagsEnabled })
+  return ejs.render(template, { scores, reportTagsEnabled, renderBadge })
 }
 
-const generateIssueContent = async (scores) => {
+const generateIssueContent = async (scores, renderBadge) => {
   core.debug('Generating issue content')
   const scoresInScope = scores.filter(({ currentDiff }) => currentDiff)
   if (!scoresInScope.length) {
     return null
   }
   const template = await readFile(__nccwpck_require__.ab + "issue.ejs", 'utf8')
-  return ejs.render(template, { scores: scoresInScope })
+  return ejs.render(template, { scores: scoresInScope, renderBadge })
 }
 
 module.exports = {
@@ -28161,6 +28161,7 @@ async function run () {
   const reportTagsEnabled = normalizeBoolean(core.getInput('report-tags-enabled'))
   const startTag = core.getInput('report-start-tag') || '<!-- OPENSSF-SCORECARD-MONITOR:START -->'
   const endTag = core.getInput('report-end-tag') || '<!-- OPENSSF-SCORECARD-MONITOR:END -->'
+  const renderBadge = normalizeBoolean(core.getInput('render-badge'))
 
   // Error Handling
   if (!githubToken && [autoPush, autoCommit, generateIssue, discoveryEnabled].some(value => value)) {
@@ -28221,7 +28222,7 @@ async function run () {
 
   // PROCESS
   core.info('Generating scores...')
-  const { reportContent, issueContent, database: newDatabaseState } = await generateScores({ scope, database, maxRequestInParallel, reportTagsEnabled })
+  const { reportContent, issueContent, database: newDatabaseState } = await generateScores({ scope, database, maxRequestInParallel, reportTagsEnabled, renderBadge })
 
   core.info('Checking database changes...')
   const hasChanges = isDifferent(database, newDatabaseState)

dist/issue.ejs

@@ -13,7 +13,7 @@ There are changes in the following repositories:
 | -- | -- | -- | -- | -- | -- |
 <%_ } -%>
 <%_ scores.forEach( score => { -%>
-| [<%= score.org %>/<%= score.repo %>](https://<%= score.platform %>/<%= score.org %>/<%= score.repo %>) | [<%= score.commit.slice(0, 7) %>](https://<%= score.platform %>/<%= score.org %>/<%= score.repo %>/commit/<%= score.commit %>) | <%= score.score %> | <%= score.currentDiff || 0 %> | [Full Report](https://deps.dev/project/github/<%= score.org.toLowerCase() %>%2F<%= score.repo.toLowerCase() %>) | [Fix it](http://app.stepsecurity.io/securerepo?repo=<%= score.org %>/<%= score.repo %>) |
+| [<%= score.org %>/<%= score.repo %>](https://<%= score.platform %>/<%= score.org %>/<%= score.repo %>) | [<%= score.commit.slice(0, 7) %>](https://<%= score.platform %>/<%= score.org %>/<%= score.repo %>/commit/<%= score.commit %>) | <% if (!renderBadge) { -%><%= score.score %> <%_ } -%> <%_ if (renderBadge) { -%> [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/<%= score.org %>/<%= score.repo %>/badge)](https://api.securityscorecards.dev/projects/github.com/<%= score.org %>/<%= score.repo %>) <%_ } -%> | <%= score.currentDiff || 0 %> | [Full Report](https://deps.dev/project/github/<%= score.org.toLowerCase() %>%2F<%= score.repo.toLowerCase() %>) | [Fix it](http://app.stepsecurity.io/securerepo?repo=<%= score.org %>/<%= score.repo %>) |
 <%_ }); -%> 
 
 _Report generated by [UlisesGascon/openssf-scorecard-monitor](https://github.com/UlisesGascon/openssf-scorecard-monitor)._

dist/report.ejs

@@ -9,7 +9,7 @@
 | -- | -- | -- | -- | -- | -- | -- |
 <%_ } -%>
 <%_ scores.forEach( score => { -%>
-| [<%= score.org %>/<%= score.repo %>](https://<%= score.platform %>/<%= score.org %>/<%= score.repo %>) | [<%= score.commit.slice(0, 7) %>](https://<%= score.platform %>/<%= score.org %>/<%= score.repo %>/commit/<%= score.commit %>) | <%= score.score %> | <%= score.date %> | <%= score.currentDiff || 0 %> | [Full Report](https://deps.dev/project/github/<%= score.org.toLowerCase() %>%2F<%= score.repo.toLowerCase() %>) | [Fix it](http://app.stepsecurity.io/securerepo?repo=<%= score.org %>/<%= score.repo %>) |
+| [<%= score.org %>/<%= score.repo %>](https://<%= score.platform %>/<%= score.org %>/<%= score.repo %>) | [<%= score.commit.slice(0, 7) %>](https://<%= score.platform %>/<%= score.org %>/<%= score.repo %>/commit/<%= score.commit %>) | <% if (!renderBadge) { -%><%= score.score %> <%_ } -%><% if (renderBadge) { -%> [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/<%= score.org %>/<%= score.repo %>/badge)](https://api.securityscorecards.dev/projects/github.com/<%= score.org %>/<%= score.repo %>) <%_ } -%> | <%= score.date %> | <%= score.currentDiff || 0 %> | [Full Report](https://deps.dev/project/github/<%= score.org.toLowerCase() %>%2F<%= score.repo.toLowerCase() %>) | [Fix it](http://app.stepsecurity.io/securerepo?repo=<%= score.org %>/<%= score.repo %>) |
 <%_ }); -%>
 
 _Report generated by [UlisesGascon/openssf-scorecard-monitor](https://github.com/UlisesGascon/openssf-scorecard-monitor)._

src/action.js

@@ -31,6 +31,7 @@ async function run () {
   const reportTagsEnabled = normalizeBoolean(core.getInput('report-tags-enabled'))
   const startTag = core.getInput('report-start-tag') || '<!-- OPENSSF-SCORECARD-MONITOR:START -->'
   const endTag = core.getInput('report-end-tag') || '<!-- OPENSSF-SCORECARD-MONITOR:END -->'
+  const renderBadge = normalizeBoolean(core.getInput('render-badge'))
 
   // Error Handling
   if (!githubToken && [autoPush, autoCommit, generateIssue, discoveryEnabled].some(value => value)) {
@@ -91,7 +92,7 @@ async function run () {
 
   // PROCESS
   core.info('Generating scores...')
-  const { reportContent, issueContent, database: newDatabaseState } = await generateScores({ scope, database, maxRequestInParallel, reportTagsEnabled })
+  const { reportContent, issueContent, database: newDatabaseState } = await generateScores({ scope, database, maxRequestInParallel, reportTagsEnabled, renderBadge })
 
   core.info('Checking database changes...')
   const hasChanges = isDifferent(database, newDatabaseState)

src/index.js

@@ -98,7 +98,7 @@ const generateScope = async ({ octokit, orgs, scope, maxRequestInParallel }) =>
   return newScope
 }
 
-const generateScores = async ({ scope, database: currentDatabase, maxRequestInParallel, reportTagsEnabled }) => {
+const generateScores = async ({ scope, database: currentDatabase, maxRequestInParallel, reportTagsEnabled, renderBadge }) => {
   // @TODO: Improve deep clone logic
   const database = JSON.parse(JSON.stringify(currentDatabase))
   const platform = 'github.com'
@@ -157,8 +157,8 @@ const generateScores = async ({ scope, database: currentDatabase, maxRequestInPa
 
   core.debug('All the scores are already collected')
 
-  const reportContent = await generateReportContent(scores, reportTagsEnabled)
-  const issueContent = await generateIssueContent(scores)
+  const reportContent = await generateReportContent(scores, reportTagsEnabled, renderBadge)
+  const issueContent = await generateIssueContent(scores, renderBadge)
 
   // SET OUTPUTS
   core.setOutput('scores', scores)

src/utils.js

@@ -42,20 +42,20 @@ const saveScore = ({ database, platform, org, repo, score, date, commit }) => {
   repoRef.current = { score, date, commit }
 }
 
-const generateReportContent = async (scores, reportTagsEnabled) => {
+const generateReportContent = async (scores, reportTagsEnabled, renderBadge) => {
   core.debug('Generating report content')
   const template = await readFile(join(process.cwd(), 'templates/report.ejs'), 'utf8')
-  return ejs.render(template, { scores, reportTagsEnabled })
+  return ejs.render(template, { scores, reportTagsEnabled, renderBadge })
 }
 
-const generateIssueContent = async (scores) => {
+const generateIssueContent = async (scores, renderBadge) => {
   core.debug('Generating issue content')
   const scoresInScope = scores.filter(({ currentDiff }) => currentDiff)
   if (!scoresInScope.length) {
     return null
   }
   const template = await readFile(join(process.cwd(), 'templates/issue.ejs'), 'utf8')
-  return ejs.render(template, { scores: scoresInScope })
+  return ejs.render(template, { scores: scoresInScope, renderBadge })
 }
 
 module.exports = {

templates/issue.ejs

@@ -13,7 +13,7 @@ There are changes in the following repositories:
 | -- | -- | -- | -- | -- | -- |
 <%_ } -%>
 <%_ scores.forEach( score => { -%>
-| [<%= score.org %>/<%= score.repo %>](https://<%= score.platform %>/<%= score.org %>/<%= score.repo %>) | [<%= score.commit.slice(0, 7) %>](https://<%= score.platform %>/<%= score.org %>/<%= score.repo %>/commit/<%= score.commit %>) | <%= score.score %> | <%= score.currentDiff || 0 %> | [Full Report](https://deps.dev/project/github/<%= score.org.toLowerCase() %>%2F<%= score.repo.toLowerCase() %>) | [Fix it](http://app.stepsecurity.io/securerepo?repo=<%= score.org %>/<%= score.repo %>) |
+| [<%= score.org %>/<%= score.repo %>](https://<%= score.platform %>/<%= score.org %>/<%= score.repo %>) | [<%= score.commit.slice(0, 7) %>](https://<%= score.platform %>/<%= score.org %>/<%= score.repo %>/commit/<%= score.commit %>) | <% if (!renderBadge) { -%><%= score.score %> <%_ } -%> <%_ if (renderBadge) { -%> [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/<%= score.org %>/<%= score.repo %>/badge)](https://api.securityscorecards.dev/projects/github.com/<%= score.org %>/<%= score.repo %>) <%_ } -%> | <%= score.currentDiff || 0 %> | [Full Report](https://deps.dev/project/github/<%= score.org.toLowerCase() %>%2F<%= score.repo.toLowerCase() %>) | [Fix it](http://app.stepsecurity.io/securerepo?repo=<%= score.org %>/<%= score.repo %>) |
 <%_ }); -%> 
 
 _Report generated by [UlisesGascon/openssf-scorecard-monitor](https://github.com/UlisesGascon/openssf-scorecard-monitor)._