Default branch is null for event of type `schedule`

[Jolg42]

The part of the code implicated might be
https://github.com/ossf/scorecard-action/blob/main/entrypoint.sh#L52

Action https://github.com/prisma/prisma/actions/runs/1849483308/workflow

name: Scorecards supply-chain security
on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    - cron: '21 21 * * 2'
  push:
    branches: [main]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      actions: read
      contents: read

    steps:
      - name: 'Checkout code'
        uses: actions/checkout@v2
        with:
          persist-credentials: false

      - name: 'Run analysis'
        uses: ossf/scorecard-action@v1.0.3
        with:
          results_file: results.sarif
          results_format: sarif
          # Read-only PAT token. To create it,
          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
          # Publish the results to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories, `publish_results` will automatically be set to `false`,
          # regardless of the value entered here.
          publish_results: true

      # Upload the results as artifacts (optional).
      - name: 'Upload artifact'
        uses: actions/upload-artifact@v2.3.1
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: 'Upload to code-scanning'
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif

...

Logs https://github.com/prisma/prisma/runs/5207383913?check_suite_focus=true#step:5:16

Event file: /github/workflow/event.json
Event name: schedule
Ref: refs/heads/main
Repository: null
Private repository: null
Publication enabled: true
Format: sarif
Policy file: /policy.yml
Default branch: refs/heads/null
refs/heads/main not supported with 'schedule' event.
Only the default branch 'refs/heads/null' is supported

This shows that the default branch is not detected (detected as null). It should have been detected as main

refs/heads/main not supported with 'schedule' event.
Only the default branch 'refs/heads/null' is supported

[schaefi]

I'm having the exact same issue. The actual creation of the analysis data works nicely. However, when the cron based schedule is started as an action I get the same error as described above:

https://github.com/OSInside/kiwi/runs/5213545226?check_suite_focus=true

Thanks

[laurentsimon]

Thanks for the report. We believe we've fixed it at head -- see #73

I'll cut a release tomorrow and this should fix it. Sorry for the inconvenience. cc @azeemshaikh38

Anything else you'd like us to improve on, feel free to create a tracking issue for it!

[schaefi]

Great news thanks much for the quick turnaround 👍

[laurentsimon]

I've released the fix. Closing. Please re-open if the fix is not effective

[schaefi]

I've released the fix. Closing. Please re-open if the fix is not effective

I've updated the workflow to v1.0.4 which I assume is the version you have released the fix with. I'll report back in terms it does not work for me. Thank you

[laurentsimon]

please report even if it works, so that we can confidently say this is fixed

[dirien]

hi @laurentsimon,

Its not working for me! I am on 1.0.4

here is the build -> https://github.com/SchwarzIT/node-red-chart/runs/5304079801?check_suite_focus=true

[laurentsimon]

Thanks for the report. I tried just now on a test repo and it worked https://github.com/laurentsimon/scorecard-action-test-2/runs/5310937149?check_suite_focus=true

I ran the command we use in the action that retrieves the values that are null in your run (https://github.com/ossf/scorecard-action/blob/main/entrypoint.sh#L50-L54):

export REPO=SchwarzIT/node-red-chart
curl -s https://api.github.com/repos/$REPO | jq -r '.default_branch'

and it works.

Could you run the command above with your PAT token, as in these lines https://github.com/ossf/scorecard-action/blob/main/entrypoint.sh#L50-L54? Either there's something special about your PAT, or something special about your repo when it runs on push (?)

If that does not help us figure the problem, I'll create a branch that prints the results of API calls and we can see what's happening.

Thanks!

[dirien]

hi @laurentsimon,

it works now, I recreated the PAT token. I don't know what could be the reason? Maybe PAT not valid anymore (dont know if I set the date no never experire or standard 30d).

Nevertheless, thanks for the help and your work!

[laurentsimon]

Nice!

It would be useful to use your old PAT and see the results of the curl command above, if you still have the PAT saved and available :-)

[schaefi]

please report even if it works, so that we can confidently say this is fixed

I can confirm it works again in my workflow. uploading failed but that could be an issue on my side. Thanks

[laurentsimon]

Thanks, closing this issue then.