feat: Add results file input for Scorecard data #90
Open
justaugustus wants to merge 4 commits into main from
This was referenced Jan 25, 2025
Signed-off-by: Jeff Mendoza <jlm@jlm.name>
Add a `local-results-path` Action input that enables reading Scorecard results from a local JSON file instead of the public Scorecard API. This enables integration with tools like Allstar that produce Scorecard results locally.

When `local-results-path` is set:
- Scores are read from the specified file (Scorecard JSON v2 format)
- The `scope` input is not required (repos are discovered from results)
- Database enrichment (history, deltas) works identically to API mode

When `local-results-path` is not set:
- Existing API-based behavior is preserved (no changes)

This replaces the experimental hardcoded local results hack (51b8e77) with a proper, configurable implementation that supports both modes.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Stephen Augustus <foo@auggie.dev>
51b8e77 to a881223
6 tasks
Drop "local" from naming throughout:
- Action input: local-results-path -> results-path
- Variables: localResultsPath -> resultsPath
- Functions: parseLocalResults -> parseResults

The results file can come from any source — Allstar, Scorecard CLI with --org, or a CI pipeline. "Local" implied a contrast with "remote" that isn't meaningful for the input.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Stephen Augustus <foo@auggie.dev>

Add documentation for the new results-path input:
- Option description in the Options section
- Usage example showing how to use a Scorecard results file (from scorecard --org, Allstar, or other sources)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Stephen Augustus <foo@auggie.dev>
justaugustus added a commit to uwu-tools/.github that referenced this pull request Mar 28, 2026

Update the Allstar workflow to:
- Use the results-json-output branch (includes SARIF upload + results file output)
- Pass -results-file to produce Scorecard JSON v2 output
- Add a monitor job that feeds the results into scorecard-monitor for dashboard reporting

The monitor job uses scorecard-monitor's results-path input (ossf/scorecard-monitor#90) to consume Allstar's output and generate a Markdown report with score history.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Stephen Augustus <foo@auggie.dev>
justaugustus added a commit to uwu-tools/.github that referenced this pull request Mar 28, 2026

Update the Allstar workflow to:
- Use the results-json-output branch (includes SARIF upload + results file output)
- Pass -results-file to produce Scorecard JSON v2 output
- Add a monitor job that feeds the results into scorecard-monitor for dashboard reporting
- Use peter-evans/create-pull-request for human review of report updates (matching bloomberg/.github pattern)

The monitor job uses scorecard-monitor's results-path input (ossf/scorecard-monitor#90) to consume Allstar's output and generate a Markdown report with score history.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Stephen Augustus <foo@auggie.dev>
3 tasks
justaugustus added a commit to uwu-tools/.github that referenced this pull request Mar 28, 2026

* ci: add scorecard-monitor integration with results file

Update the Allstar workflow to:
- Use the results-json-output branch (includes SARIF upload + results file output)
- Pass -results-file to produce Scorecard JSON v2 output
- Add a monitor job that feeds the results into scorecard-monitor for dashboard reporting
- Use peter-evans/create-pull-request for human review of report updates (matching bloomberg/.github pattern)

The monitor job uses scorecard-monitor's results-path input (ossf/scorecard-monitor#90) to consume Allstar's output and generate a Markdown report with score history.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Stephen Augustus <foo@auggie.dev>

* Apply suggestions from code review

Co-authored-by: Stephen Augustus <justaugustus@users.noreply.github.com>
Signed-off-by: Stephen Augustus <justaugustus@users.noreply.github.com>

---------

Signed-off-by: Stephen Augustus <foo@auggie.dev>
Signed-off-by: Stephen Augustus <justaugustus@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Summary
Add a `results-path` Action input that enables reading Scorecard results from a JSON file instead of the public Scorecard API. This enables integration with tools that produce Scorecard results directly, such as Allstar and Scorecard's own `--org` multi-repo scanning (ossf/scorecard#4793).

Supersedes the experimental hack from commit 51b8e77 with a proper, configurable implementation that supports both API and file-based results modes.
Changes
- `results-path` input; make `scope` not required (repos discovered from results)
- `generateScores()` to support both API and file-based results via conditional logic. Both paths converge to the same database enrichment (history, deltas, report generation). Remove hardcoded `require('../results.json')`.
- `resultsPath` to `generateScores()`; skip scope validation when results file is provided.
- `ncc`
- `results-path` input and add usage example

Results file format
The input file should contain an array of Scorecard JSON v2 results:

```json
[
  {
    "date": "2026-03-28T15:30:00Z",
    "repo": {
      "name": "github.com/org/repo",
      "commit": "abc123..."
    },
    "score": 6.6,
    "checks": [...]
  }
]
```

Usage
Related PRs
- `-results-file` flag to Allstar (producing end)
- `--org` multi-repo scanning

Test plan
- `results-path` not set)

🤖 Generated with Claude Code
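
The results file format and the "repos discovered from results" behaviour described in this pull request, as an added example that is not part of the PR or of scorecard-monitor's code: a validator that treats the file as untrusted input from another job before its contents reach a report or history store. `validateResults`, `REPO_NAME` and `SAMPLE` are hypothetical names, and the repo name pattern and the 0 to 10 score range are assumptions.

```javascript
// Added example, not scorecard-monitor's code. validateResults, REPO_NAME and
// SAMPLE are hypothetical; the name pattern and score range are assumptions.
const REPO_NAME = /^github\.com\/[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/

function validateResults (jsonText) {
  let parsed
  try {
    parsed = JSON.parse(jsonText)
  } catch (err) {
    throw new Error(`results file is not valid JSON: ${err.message}`)
  }
  if (!Array.isArray(parsed)) {
    throw new Error('results file must contain an array of results')
  }
  const accepted = []
  const rejected = []
  const seen = new Set()
  parsed.forEach((entry, index) => {
    const name = entry?.repo?.name
    const score = entry?.score
    const problems = []
    // Repo names become report rows and history keys, so constrain them.
    if (typeof name !== 'string' || !REPO_NAME.test(name)) problems.push('repo.name')
    else if (seen.has(name)) problems.push('duplicate repo')
    // Assumed range 0 to 10; widen it to keep inconclusive (-1) results.
    if (typeof score !== 'number' || !(score >= 0 && score <= 10)) problems.push('score')
    if (typeof entry?.date !== 'string' || Number.isNaN(Date.parse(entry.date))) problems.push('date')
    if (!Array.isArray(entry?.checks)) problems.push('checks')
    if (problems.length > 0) {
      rejected.push({ index, problems })
      return
    }
    seen.add(name)
    accepted.push({ repo: name, commit: entry.repo.commit, score, date: entry.date })
  })
  // repos is the discovered list that stands in for the scope input.
  return { repos: [...seen], accepted, rejected }
}

// Constructed sample: one valid entry, one bad repo name, one bad score.
const SAMPLE = JSON.stringify([
  { date: '2026-03-28T15:30:00Z', repo: { name: 'github.com/org/repo', commit: 'abc123' }, score: 6.6, checks: [] },
  { date: '2026-03-28T15:30:00Z', repo: { name: 'github.com/org/repo | x', commit: 'abc123' }, score: 5, checks: [] },
  { date: '2026-03-28T15:30:00Z', repo: { name: 'github.com/org/other', commit: 'def456' }, score: 11, checks: [] }
])
console.log(validateResults(SAMPLE))
```

Rejected entries are returned with their array index so the consuming job can fail or log them instead of silently dropping them.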