  • 🌱 Setup cron for running as GitHub App (#2721)

    * Update auth server to use GitHub App.
    
    Signed-off-by: Spencer Schrock <[email protected]>
    
    * Update release worker to use GitHub App tokens directly, as a workaround for the auth server not supporting it.
    
    Signed-off-by: Spencer Schrock <[email protected]>
    
    * Add Retry-After logic and stats.
    
    Signed-off-by: Spencer Schrock <[email protected]>
    
    * Change retry-after logic to support any status code. Disable troublesome checks.
    
    Signed-off-by: Spencer Schrock <[email protected]>
    
    * Use GitHub App Token instead of auth server.
    
    Signed-off-by: Spencer Schrock <[email protected]>
    
    * Temporarily disable additional checks.
    
    Signed-off-by: Spencer Schrock <[email protected]>
    
    * Disable github auth server as it doesn't work with the GitHub App Tokens.
    
    Signed-off-by: Spencer Schrock <[email protected]>
    
    * Re-enable Fuzzing check in the release test.
    
    Signed-off-by: Spencer Schrock <[email protected]>
    
    * Fix unit test for new check change.
    
    Signed-off-by: Spencer Schrock <[email protected]>
    
    * Move opencensus stat to the ratelimit roundtripped.
    
    Signed-off-by: Spencer Schrock <[email protected]>
    
    ---------
    
    Signed-off-by: Spencer Schrock <[email protected]>
  • Spencer Schrock committed with GitHub 1 year ago
    0169c375
    1 parent d708c6c5
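--- a/clients/githubrepo/roundtripper/rate_limit.go
+++ b/clients/githubrepo/roundtripper/rate_limit.go
@@ -20,6 +20,9 @@
 "strconv"
 "time"
 
+"go.opencensus.io/stats"
+
+githubstats "github.com/ossf/scorecard/v4/clients/githubrepo/stats"
 sce "github.com/ossf/scorecard/v4/errors"
 "github.com/ossf/scorecard/v4/log"
 )
@@ -44,6 +47,17 @@
 if err != nil {
 return nil, sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("innerTransport.RoundTrip: %v", err))
 }
+
+retryValue := resp.Header.Get("Retry-After")
+if retryAfter, err := strconv.Atoi(retryValue); err == nil { // if NO error
+stats.Record(r.Context(), githubstats.RetryAfter.M(int64(retryAfter)))
+duration := time.Duration(retryAfter) * time.Second
+gh.logger.Info(fmt.Sprintf("Retry-After header set. Waiting %s to retry...", duration))
+time.Sleep(duration)
+gh.logger.Info("Retry-After header set. Retrying...")
+return gh.RoundTrip(r)
+}
+
 rateLimit := resp.Header.Get("X-RateLimit-Remaining")
 remaining, err := strconv.Atoi(rateLimit)
 if err != nil {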
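--- a/clients/githubrepo/roundtripper/transport.go
+++ b/clients/githubrepo/roundtripper/transport.go
@@ -64,6 +64,7 @@
 if err == nil {
 stats.Record(ctx, githubstats.RemainingTokens.M(int64(remaining)))
 }
+
 return resp, nil
 }
 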
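--- a/clients/githubrepo/stats/stats.go
+++ b/clients/githubrepo/stats/stats.go
@@ -24,7 +24,9 @@
 // RemainingTokens measures the remaining number of API tokens.
 RemainingTokens = stats.Int64("RemainingTokens",
 "Measures the remaining count of API tokens", stats.UnitDimensionless)
-
+// RetryAfter measures the retry delay when dealing with secondary rate limits.
+RetryAfter = stats.Int64("RetryAfter",
+"Measures the retry delay when dealing with secondary rate limits", stats.UnitSeconds)
 // TokenIndex is the tag key for specifying a unique token.
 TokenIndex = tag.MustNewKey("tokenIndex")
 // ResourceType specifies the type of GitHub resource.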
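--- a/cron/config/config.yaml
+++ b/cron/config/config.yaml
@@ -43,7 +43,9 @@
 api-results-bucket-url: gs://ossf-scorecard-cron-results
 # TODO: Temporarily remove SAST and CI-Tests which require lot of GitHub API tokens.
 # TODO(#859): Re-add Contributors after fixing inconsistencies.
-blacklisted-checks: CI-Tests,Contributors
+# TODO: Dependency-Update-Tool, Fuzzing, and SAST are search heavy
+# TODO: Vulnerabilities is resource intensive, wait until the next osv-scanner release after v1.2.0
+blacklisted-checks: CI-Tests,Contributors,Dependency-Update-Tool,Fuzzing,SAST,Vulnerabilities
 cii-data-bucket-url: gs://ossf-scorecard-cii-data
 # Raw results.
 raw-bigquery-table: scorecard-rawdata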
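Review bot: The two TODO lines added above blacklisted-checks overlap with the existing comment two lines up, which still says SAST is "temporarily removed" for needing many API tokens, while the new line gives a different reason (search heavy) for the same entry; a reader now has to reconcile two explanations. Folding them into one line per reason, e.g. `# TODO: CI-Tests and SAST need many GitHub API tokens; Dependency-Update-Tool, Fuzzing and SAST are search heavy`, keeps the list self-explaining. The release worker in cron/k8s/worker.release.yaml sets SCORECARD_BLACKLISTED_CHECKS to a shorter list, which presumably overrides this value, so a cross-reference here would make the intended difference between the two environments visible rather than something to rediscover.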
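--- a/cron/config/config_test.go
+++ b/cron/config/config_test.go
@@ -34,7 +34,7 @@
 prodCompletionThreshold = 0.99
 prodWebhookURL = ""
 prodCIIDataBucket = "gs://ossf-scorecard-cii-data"
-prodBlacklistedChecks = "CI-Tests,Contributors"
+prodBlacklistedChecks = "CI-Tests,Contributors,Dependency-Update-Tool,Fuzzing,SAST,Vulnerabilities"
 prodShardSize int = 10
 prodMetricExporter string = "stackdriver"
 prodMetricStackdriverPrefix string = "scorecard-cron"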
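--- a/cron/k8s/auth.yaml
+++ b/cron/k8s/auth.yaml
@@ -31,7 +31,7 @@
 metadata:
 name: scorecard-github-server
 spec:
-replicas: 1
+replicas: 0
 selector:
 matchLabels:
 app.kubernetes.io/name: github-auth-server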
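Review bot: Setting replicas to 0 on scorecard-github-server parks the Deployment with no in-file explanation, so the next reader has to find this commit to learn that the auth server is disabled because it does not work with GitHub App tokens. A one-line comment beside the field, `# scaled to 0: the auth server does not support GitHub App tokens; workers use GITHUB_APP_* directly`, carries that context into the manifest. If the server is not expected to return, deleting the manifest (and whatever Service fronts it, which is outside this hunk) is clearer than a permanently zero-replica Deployment.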
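--- a/cron/k8s/worker.release.yaml
+++ b/cron/k8s/worker.release.yaml
@@ -29,7 +29,7 @@
 containers:
 - name: worker
 image: gcr.io/openssf/scorecard-batch-worker:latest
-args: ["--ignoreRuntimeErrors=false", "--config=/etc/scorecard/config.yaml"]
+args: ["--ignoreRuntimeErrors=true", "--config=/etc/scorecard/config.yaml"]
 imagePullPolicy: Always
 env:
 - name: SCORECARD_DATA_BUCKET_URL
@@ -40,10 +40,22 @@
 value: "gcppubsub://projects/openssf/subscriptions/scorecard-batch-worker-releasetest"
 - name: SCORECARD_METRIC_EXPORTER
 value: "printer"
-- name: GITHUB_AUTH_SERVER
-value: "10.4.4.210:80"
+- name: GITHUB_APP_KEY_PATH
+value: /etc/github/app_key
+- name: GITHUB_APP_ID
+valueFrom:
+secretKeyRef:
+name: github
+key: app_id
+- name: GITHUB_APP_INSTALLATION_ID
+valueFrom:
+secretKeyRef:
+name: github
+key: installation_id
 - name: "SCORECARD_API_RESULTS_BUCKET_URL"
 value: "gs://ossf-scorecard-cron-releasetest-results"
+- name: "SCORECARD_BLACKLISTED_CHECKS"
+value: "CI-Tests,Contributors,Dependency-Update-Tool,SAST"
 resources:
 requests:
 memory: 5Gi
@@ -55,10 +67,16 @@
 - name: config-volume
 mountPath: /etc/scorecard
 readOnly: true
+- name: github-app-key
+mountPath: "/etc/github/"
+readOnly: true
 volumes:
 - name: config-volume
 configMap:
 name: scorecard-config
+- name: github-app-key
+secret:
+secretName: github
 strategy:
 type: "RollingUpdate"
 rollingUpdate: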
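Review bot: Flipping --ignoreRuntimeErrors to true in the release-test worker's args means runtime errors in this environment are now swallowed instead of failing the run, which weakens what the release test can tell you, and neither the commit description nor the manifest says why. If it was needed to get past the checks that are then disabled through SCORECARD_BLACKLISTED_CHECKS further down the same file, a comment on the args line such as `# TODO: revert to --ignoreRuntimeErrors=false once the GitHub App token migration is stable` records the intent and the exit condition. With this change the release worker's args match cron/k8s/worker.yaml, so the only remaining difference between the two environments is the blacklist, which is worth stating explicitly if that is the goal.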
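--- a/cron/k8s/worker.yaml
+++ b/cron/k8s/worker.yaml
@@ -32,8 +32,18 @@
 args: ["--ignoreRuntimeErrors=true", "--config=/etc/scorecard/config.yaml"]
 imagePullPolicy: Always
 env:
-- name: GITHUB_AUTH_SERVER
-value: "10.4.4.210:80"
+- name: GITHUB_APP_KEY_PATH
+value: /etc/github/app_key
+- name: GITHUB_APP_ID
+valueFrom:
+secretKeyRef:
+name: github
+key: app_id
+- name: GITHUB_APP_INSTALLATION_ID
+valueFrom:
+secretKeyRef:
+name: github
+key: installation_id
 resources:
 requests:
 memory: 5Gi
@@ -45,10 +55,16 @@
 - name: config-volume
 mountPath: /etc/scorecard
 readOnly: true
+- name: github-app-key
+mountPath: "/etc/github/"
+readOnly: true
 volumes:
 - name: config-volume
 configMap:
 name: scorecard-config
+- name: github-app-key
+secret:
+secretName: github
 strategy:
 type: "RollingUpdate"
 rollingUpdate: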
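Review bot: The github-app-key volume added under volumes projects the entire `github` Secret into /etc/github/, so every key in that Secret — at least app_id and installation_id, which already reach the container as env vars from the same Secret — lands on disk next to the private key, with the default file mode. Projecting only the `app_key` item the GITHUB_APP_KEY_PATH env var points at, and tightening defaultMode, limits what is readable inside the container to the one file the worker needs; the same volume definition is added in cron/k8s/worker.release.yaml and should get the same treatment. Whether 0400 or 0440 is the right mode depends on the pod's runAsUser/fsGroup, which are not in the hunk, so confirm the worker can still read the key after the change.

```yaml
      volumes:
      # … unchanged: config-volume …
      - name: github-app-key
        secret:
          secretName: github
          # only the private key needs to be on disk; app_id and
          # installation_id are already injected as env vars
          items:
          - key: app_key
            path: app_key
          defaultMode: 0400
```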