```python
def _get_git_tarball_url(self, repo: str, version=None) -> str:
    # No version given: fall back to the API zipball of the default branch.
    if not version:
        return f"https://api.github.com/repos/{repo}/zipball"
    # Every non-empty version is treated as a tag, so a branch name or a
    # commit SHA is turned into a refs/tags URL that does not exist.
    else:
        return f"https://github.com/{repo}/archive/refs/tags/{version}.zip"
```
When a commit SHA is used, the URL should be:
f"https://github.com/{repo}/archive/{version}.zip"
and if a branch were used:
f"https://github.com/{repo}/archive/refs/heads/{version}.zip"
Matching could be done for a commit SHA since it has a pattern (content, length).
However, there is a bigger issue with branch vs tag.
This is in version 2.9.0; it affects both scan and verify since it's the same code used.
guarddog/guarddog/scanners/github_action_scanner.py, lines 51 to 55 in 983410f
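As an added illustration of the ref handling the report asks for (not guarddog's own code): the archive URL is chosen by classifying `version` against a listing of the remote's refs, with the full-length commit-SHA pattern as the fallback, and a name that is both a branch and a tag is refused rather than silently mapped to one of them. `SAMPLE_REFS`, `parse_refs` and the repo name are constructed assumptions for this example.

```python
import re
from typing import Dict, Optional

# Only a full 40-hex commit SHA is treated as a commit reference.
_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed `git ls-remote`-style listing for a hypothetical repo (not real
# data); a real implementation would fetch this from the remote first.
SAMPLE_REFS = (
    "3f2a1c9e8b7d6a5f4e3d2c1b0a9f8e7d6c5b4a39\trefs/heads/main\n"
    "0123456789abcdef0123456789abcdef01234567\trefs/heads/release\n"
    "89abcdef0123456789abcdef0123456789abcdef\trefs/tags/v1.0.0\n"
    "89abcdef0123456789abcdef0123456789abcdef\trefs/tags/v1.0.0^{}\n"
    "fedcba9876543210fedcba9876543210fedcba98\trefs/tags/release\n"
)


def parse_refs(ls_remote_output: str) -> Dict[str, Dict[str, str]]:
    """Return {'heads': {name: sha}, 'tags': {name: sha}} from ls-remote text."""
    refs: Dict[str, Dict[str, str]] = {"heads": {}, "tags": {}}
    for line in ls_remote_output.splitlines():
        sha, _, full = line.partition("\t")
        if not full.startswith("refs/") or full.endswith("^{}"):
            continue  # skip malformed lines and peeled-tag entries
        kind, _, name = full[len("refs/"):].partition("/")
        if kind in refs:
            refs[kind][name] = sha
    return refs


def archive_url(repo: str, version: Optional[str], refs: Dict[str, Dict[str, str]]) -> str:
    """Build the archive URL for the ref kind that `version` actually names.

    A name that is both a branch and a tag is rejected: the two archive URLs
    would return different contents, so the scanner could check the wrong one.
    """
    if not version:
        return f"https://api.github.com/repos/{repo}/zipball"
    is_branch, is_tag = version in refs["heads"], version in refs["tags"]
    if is_branch and is_tag:
        raise ValueError(f"{version!r} is both a branch and a tag in {repo}")
    if is_tag:
        return f"https://github.com/{repo}/archive/refs/tags/{version}.zip"
    if is_branch:
        return f"https://github.com/{repo}/archive/refs/heads/{version}.zip"
    if _SHA_RE.fullmatch(version):
        return f"https://github.com/{repo}/archive/{version}.zip"
    raise ValueError(f"{version!r} is neither a known ref nor a full commit SHA")
```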