🌱 Allow for publish URL override

action.yaml

@@ -37,6 +37,11 @@ inputs:
     required: false
     default: false
 
+  internal_publish_base_url:
+    description: "INPUT: Base URL for publishing results. Used for testing."
+    required: false
+    default: "https://api.securityscorecards.dev"
+
   internal_default_token:
     description: "INPUT: Default GitHub token. (Internal purpose only, not intended for developers to set. Used for pull requests configured with a PAT)."
     required: false
@@ -48,4 +53,4 @@ branding:
 
 runs:
   using: "docker"
-  image: "docker://gcr.io/openssf/scorecard-action:v2.0.0-alpha.1"
+  image: "docker://gcr.io/openssf/scorecard-action:v2.0.0-alpha.2"

options/env.go

@@ -38,11 +38,12 @@ const (
 
 	// TODO(input): INPUT_ constants should be removed in a future release once
 	//              they have replacements in upstream scorecard.
-	EnvInputRepoToken         = "INPUT_REPO_TOKEN"             //nolint:gosec
-	EnvInputInternalRepoToken = "INPUT_INTERNAL_DEFAULT_TOKEN" //nolint:gosec
-	EnvInputResultsFile       = "INPUT_RESULTS_FILE"
-	EnvInputResultsFormat     = "INPUT_RESULTS_FORMAT"
-	EnvInputPublishResults    = "INPUT_PUBLISH_RESULTS"
+	EnvInputRepoToken              = "INPUT_REPO_TOKEN"             //nolint:gosec
+	EnvInputInternalRepoToken      = "INPUT_INTERNAL_DEFAULT_TOKEN" //nolint:gosec
+	EnvInputResultsFile            = "INPUT_RESULTS_FILE"
+	EnvInputResultsFormat          = "INPUT_RESULTS_FORMAT"
+	EnvInputPublishResults         = "INPUT_PUBLISH_RESULTS"
+	EnvInputInternalPublishBaseURL = "INPUT_INTERNAL_PUBLISH_BASE_URL"
 )
 
 // Errors

signing/signing.go

@@ -33,8 +33,6 @@ import (
 	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
 )
 
-const scorecardAPI = "https://api.securityscorecards.dev"
-
 // SignScorecardResult signs the results file and uploads the attestation to the Rekor transparency log.
 func SignScorecardResult(scorecardResultsFile string) error {
 	if err := os.Setenv("COSIGN_EXPERIMENTAL", "true"); err != nil {
@@ -108,10 +106,7 @@ func ProcessSignature(jsonPayload []byte, repoName, repoRef, accessToken string)
 
 	// Call scorecard-webapp-api to process and upload signature.
 	// Setup HTTP request and context.
-	apiURL := scorecardAPI
-	if scorecardURL, exists := os.LookupEnv("SCORECARD_API_URL"); exists {
-		apiURL = scorecardURL
-	}
+	apiURL := os.Getenv(options.EnvInputInternalPublishBaseURL)
 	rawURL := fmt.Sprintf("%s/projects/github.com/%s", apiURL, repoName)
 	parsedURL, err := url.Parse(rawURL)
 	if err != nil {

signing/signing_test.go

@@ -19,6 +19,8 @@ package signing
 import (
 	"os"
 	"testing"
+
+	"github.com/ossf/scorecard-action/options"
 )
 
 // TODO: For this test to work, fake the OIDC token retrieval with something like.
@@ -80,6 +82,7 @@ func Test_ProcessSignature(t *testing.T) {
 	repoName := "ossf-tests/scorecard-action"
 	repoRef := "refs/heads/main"
 	accessToken := os.Getenv("GITHUB_AUTH_TOKEN")
+	os.Setenv(options.EnvInputInternalPublishBaseURL, "https://api.securityscorecards.dev")
 
 	if err != nil {
 		t.Errorf("Error reading testdata:, %v", err)