From fdeb02dc9c3fb721c82a431b2708514aca13dbeb Mon Sep 17 00:00:00 2001
From: Spencer Schrock <sschrock@google.com>
Date: Mon, 12 Aug 2024 03:00:38 -0700
Subject: [PATCH] fix result file path issues (#1428)

There were two issues at play that prevented the binary from reading the
correct results file:

1. The paths were not joined with a separator. This led to file not
   found errors, as the file was saved in the wrong place with the wrong
   name.
2. The signing code tried to read the file from the current working
   directory instead of the GitHub workspace directory.

Signed-off-by: Spencer Schrock <sschrock@google.com>
---
 internal/scorecard/format.go | 3 ++-
 main.go                      | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/internal/scorecard/format.go b/internal/scorecard/format.go
index 526e75a2..348804ff 100644
--- a/internal/scorecard/format.go
+++ b/internal/scorecard/format.go
@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 	"strings"
 
 	"github.com/ossf/scorecard-action/options"
@@ -45,7 +46,7 @@ func Format(result *scorecard.Result, opts *options.Options) error {
 	}
 
 	// write results to both stdout and result file
-	resultFile, err := os.Create(opts.GithubWorkspace + opts.InputResultsFile)
+	resultFile, err := os.Create(filepath.Join(opts.GithubWorkspace, opts.InputResultsFile))
 	if err != nil {
 		return fmt.Errorf("creating result file: %w", err)
 	}
diff --git a/main.go b/main.go
index 3a79c92e..0773d937 100644
--- a/main.go
+++ b/main.go
@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"log"
 	"os"
+	"path/filepath"
 
 	"github.com/ossf/scorecard-action/internal/scorecard"
 	"github.com/ossf/scorecard-action/options"
@@ -61,7 +62,8 @@ func main() {
 			}
 		}
 
-		jsonPayload, err := os.ReadFile(opts.InputResultsFile)
+		resultFile := filepath.Join(opts.GithubWorkspace, opts.InputResultsFile)
+		jsonPayload, err := os.ReadFile(resultFile)
 		if err != nil {
 			log.Fatalf("reading json scorecard results: %v", err)
 		}
@@ -74,7 +76,7 @@ func main() {
 			log.Fatalf("error SigningNew: %v", err)
 		}
 		// TODO: does it matter if this is hardcoded as results.json or not?
-		if err = s.SignScorecardResult(opts.InputResultsFile); err != nil {
+		if err = s.SignScorecardResult(resultFile); err != nil {
 			log.Fatalf("error signing scorecard json results: %v", err)
 		}