Summary

This action is not respecting the GitHub API URL provided from the context / environment.

Details

Running this action on a self-hosted GitHub Enterprise Server (GHES) instance with a pull_request trigger fails with the following log entry:

quickview
      ✓ Provenance obtained from attestation
      ✓ SBOM obtained from attestation, 265 packages indexed
      ! Policy evaluation skipped: %w no organization configured, use --org or run 'docker scout config' to view policy results
  Error: GET https://api.github.com/repos/<org_name>/<repo_name>/issues/56/comments?direction=desc&per_page=10&sort=updated: 401 Bad credentials []

The issue is that it tries to access api.github.com with the job credentials for our private GHES instance.

Proposed Solutions

Solution 1

This action should not not hardcode the API URL, but use the GitHub context variable ${{ github.api_url }} or its respective mapped environment variable $GITHUB_API_URL. See the GitHub Actions documentaion for further details.

Solution 2

Add an input to configure the API URL and default it to ${{ github.api_url }} as suggested in #15