Merge pull request #6 from Contrast-Security-OSS/PRODSEC-462

Prodsec 462 - fix policyUrl context

Author: DavidMContrast

CHANGELOG.md

@@ -4,8 +4,14 @@ All notable changes to this project will be documented in this file. Dates are d
 
 Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
 
+#### [v1.0.4](https://github.com/Contrast-Security-OSS/actionbot/compare/v1.0.3...v1.0.4)
+
+- fix: policyUrl getContents was using context owner and repo [`71e65a3`](https://github.com/Contrast-Security-OSS/actionbot/commit/71e65a36efa30aff6fc8c7e53abdb462131bf2f3)
+
 #### [v1.0.3](https://github.com/Contrast-Security-OSS/actionbot/compare/v1.0.0...v1.0.3)
 
+> 1 May 2025
+
 - Bump eslint-plugin-github from 5.1.8 to 6.0.0 [`#1`](https://github.com/Contrast-Security-OSS/actionbot/pull/1)
 - Migration build [`#3`](https://github.com/Contrast-Security-OSS/actionbot/pull/3)
 - Migrate @actions/github from 4.0.0 to 6.0.0 [`#2`](https://github.com/Contrast-Security-OSS/actionbot/pull/2)

lib/index.js

@@ -39024,16 +39024,15 @@ function run(context) {
                 });
             }
             else {
-                // Correctly extract the file path from the policyUrl
-                const filePath = policyUrl
-                    .replace("https://github.com/", "")
-                    .split("/")
-                    .slice(4) // Start after 'blob/main'
-                    .join("/");
+                // Extract owner, repo, and file path from the policyUrl
+                const urlParts = policyUrl.replace("https://github.com/", "").split("/");
+                const owner = urlParts[0]; // Extract the owner
+                const repo = urlParts[1]; // Extract the repository name
+                const filePath = urlParts.slice(4).join("/"); // Extract the file path after 'blob/{branch}'
                 const response = yield client.rest.repos.getContent({
-                    owner: github.context.repo.owner,
-                    repo: github.context.repo.repo,
-                    path: filePath, // Use the corrected file path
+                    owner: owner, // Use the extracted owner
+                    repo: repo, // Use the extracted repo
+                    path: filePath, // Use the extracted file path
                 });
                 if (response.data && "content" in response.data) {
                     const content = Buffer.from(response.data.content, "base64").toString("utf-8");

package.json

@@ -1,6 +1,6 @@
 {
   "name": "actionbot",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "private": true,
   "description": "Github Action Policy Checker as a Github Action",
   "main": "lib/index.js",

src/main.ts

@@ -171,17 +171,16 @@ async function run(context: typeof github.context): Promise<void> {
           // Handle the error appropriately (e.g., throw an error, set a default policy)
         });
     } else {
-      // Correctly extract the file path from the policyUrl
-      const filePath = policyUrl
-        .replace("https://github.com/", "")
-        .split("/")
-        .slice(4) // Start after 'blob/main'
-        .join("/");
+      // Extract owner, repo, and file path from the policyUrl
+      const urlParts = policyUrl.replace("https://github.com/", "").split("/");
+      const owner = urlParts[0]; // Extract the owner
+      const repo = urlParts[1]; // Extract the repository name
+      const filePath = urlParts.slice(4).join("/"); // Extract the file path after 'blob/{branch}'
 
       const response = await client.rest.repos.getContent({
-        owner: github.context.repo.owner,
-        repo: github.context.repo.repo,
-        path: filePath, // Use the corrected file path
+        owner: owner, // Use the extracted owner
+        repo: repo, // Use the extracted repo
+        path: filePath, // Use the extracted file path
       });
 
       if (response.data && "content" in response.data) {