From 4dc98932dba5fbb822c4b5431fbd8b3bd960dd67 Mon Sep 17 00:00:00 2001
From: Mykola Mokhnach
Date: Fri, 25 Oct 2024 22:25:18 +0200
Subject: [PATCH] ci: Only run FOSSA checks on the main repo (#20696)
---
 .github/workflows/fossa.yml | 13 +-
 scripts/install-fossa.sh | 440 ------------------------------------
 2 files changed, 10 insertions(+), 443 deletions(-)
 delete mode 100755 scripts/install-fossa.sh
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index bcac57564..27453656d 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -10,17 +10,24 @@ jobs:
 fossa-check:
 name: Run FOSSA Analysis
 runs-on: ubuntu-latest
+ env:
+ FOSSA_API_KEY: ${{secrets.FOSSA_API_KEY}}
 steps:
+ - name: Ignore forks
+ run: |
+ if [ -z "$FOSSA_API_KEY" ]; then
+ echo "FOSSA_API_KEY is empty. Is the job running in a forked repository?"
+ exit 0
+ fi
 - uses: actions/checkout@v4
 with:
 ref: master
 - name: Install dependencies
 uses: bahmutov/npm-install@v1
 - name: Install fossa-cli
- run: ./scripts/install-fossa.sh -d
+ run: |
+ curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
 - name: Run FOSSA analysis
 run: |
 fossa analyze
 fossa test
- env:
- FOSSA_API_KEY: ${{secrets.FOSSA_API_KEY}}
diff --git a/scripts/install-fossa.sh b/scripts/install-fossa.sh
deleted file mode 100755
index 1ec9c3def..000000000
--- a/scripts/install-fossa.sh
+++ /dev/null
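Review bot: The `exit 0` in the new "Ignore forks" step in `.github/workflows/fossa.yml` only ends that one step with success, so on a fork the job still continues through checkout, dependency install, the installer download and `fossa analyze`; to skip forks, gate the whole job with a job-level condition such as `if: github.repository == '<OWNER>/<REPO>'` (placeholder for the main repository; the `secrets` context cannot be referenced in `if:`). Moving `FOSSA_API_KEY` from the analysis step to job-level `env:` also exposes the key to every step, including `bahmutov/npm-install@v1` (which may run package install scripts) and the new `curl … | bash` step, so it is better kept on the "Run FOSSA analysis" step alone once the fork check no longer needs it. The install step executes whatever `install-latest.sh` on the `master` branch of fossas/fossa-cli contains at run time, with no pinned revision or checksum. Because `curl` is called without `-f` and the default `run` shell (`bash -e`) does not set `pipefail`, a failed download also goes undetected. Pinning the script URL to a reviewed commit and verifying the download before executing it would close both gaps.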
@@ -1,440 +0,0 @@ -#!/bin/sh -set -e -# Code generated by godownloader on 2019-07-23T16:35:03Z. DO NOT EDIT. -# - -usage() { - this=$1 - cat < /dev/null || sudo mkdir -p "$BINDIR" - for binexe in "fossa" ; do - if [ "$OS" = "windows" ]; then - binexe="${binexe}.exe" - fi - log_debug "installing binary: $binexe" - cp "${srcdir}/${binexe}" "${BINDIR}/${binexe}" 2> /dev/null || sudo cp "${srcdir}/${binexe}" "${BINDIR}/" - log_info "installed ${BINDIR}/${binexe}" - done -} -is_supported_platform() { - platform=$1 - found=1 - case "$platform" in - windows/amd64) found=0 ;; - darwin/amd64) found=0 ;; - darwin/arm64) found=0 ;; - linux/amd64) found=0 ;; - esac - return $found -} -check_platform() { - if is_supported_platform "$PLATFORM"; then - # optional logging goes here - true - else - log_crit "platform $PLATFORM is not supported. Make sure this script is up-to-date and file request at https://github.com/${PREFIX}/issues/new" - exit 1 - fi -} -tag_to_version() { - if [ -z "${TAG}" ]; then - log_info "checking GitHub for latest tag" - else - log_info "checking GitHub for tag '${TAG}'" - fi - REALTAG=$(github_release "$OWNER/$REPO" "${TAG}") && true - if test -z "$REALTAG"; then - log_crit "unable to find '${TAG}' - use 'latest' or see https://github.com/${PREFIX}/releases for details" - exit 1 - fi - # if version starts with 'v', remove it - TAG="$REALTAG" - VERSION=${TAG#v} -} -adjust_format() { - # change format (tar.gz or zip) based on ARCH - case ${ARCH} in - windows) FORMAT=zip ;; - esac - true -} -adjust_os() { - # adjust archive name based on OS - true -} -adjust_arch() { - # adjust archive name based on ARCH - true -} - -cat /dev/null </dev/null -} -echoerr() { - echo "$@" 1>&2 -} -log_prefix() { - echo "$0" -} -_logp=6 -log_set_priority() { - _logp="$1" -} -log_priority() { - if test -z "$1"; then - echo "$_logp" - return - fi - [ "$1" -le "$_logp" ] -} -log_tag() { - case $1 in - 0) echo "emerg" ;; - 1) echo "alert" ;; - 2) echo "crit" ;; - 3) echo "err" ;; - 
4) echo "warning" ;; - 5) echo "notice" ;; - 6) echo "info" ;; - 7) echo "debug" ;; - *) echo "$1" ;; - esac -} -log_debug() { - log_priority 7 || return 0 - echoerr "$(log_prefix)" "$(log_tag 7)" "$@" -} -log_info() { - log_priority 6 || return 0 - echoerr "$(log_prefix)" "$(log_tag 6)" "$@" -} -log_err() { - log_priority 3 || return 0 - echoerr "$(log_prefix)" "$(log_tag 3)" "$@" -} -log_crit() { - log_priority 2 || return 0 - echoerr "$(log_prefix)" "$(log_tag 2)" "$@" -} -uname_os() { - os=$(uname -s | tr '[:upper:]' '[:lower:]') - case "$os" in - msys_nt) os="windows" ;; - esac - echo "$os" -} -uname_arch() { - arch=$(uname -m) - case $arch in - x86_64) arch="amd64" ;; - arm64) arch="arm64" ;; - x86) arch="386" ;; - i686) arch="386" ;; - i386) arch="386" ;; - aarch64) arch="arm64" ;; - armv5*) arch="armv5" ;; - armv6*) arch="armv6" ;; - armv7*) arch="armv7" ;; - esac - echo ${arch} -} -uname_os_check() { - os=$(uname_os) - case "$os" in - darwin) return 0 ;; - dragonfly) return 0 ;; - freebsd) return 0 ;; - linux) return 0 ;; - android) return 0 ;; - nacl) return 0 ;; - netbsd) return 0 ;; - openbsd) return 0 ;; - plan9) return 0 ;; - solaris) return 0 ;; - windows) return 0 ;; - esac - log_crit "uname_os_check '$(uname -s)' got converted to '$os' which is not a GOOS value. Please file bug at https://github.com/client9/shlib" - return 1 -} -uname_arch_check() { - arch=$(uname_arch) - case "$arch" in - 386) return 0 ;; - amd64) return 0 ;; - arm64) return 0 ;; - armv5) return 0 ;; - armv6) return 0 ;; - armv7) return 0 ;; - ppc64) return 0 ;; - ppc64le) return 0 ;; - mips) return 0 ;; - mipsle) return 0 ;; - mips64) return 0 ;; - mips64le) return 0 ;; - s390x) return 0 ;; - amd64p32) return 0 ;; - esac - log_crit "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value. 
Please file bug report at https://github.com/client9/shlib" - return 1 -} -untar() { - tarball=$1 - case "${tarball}" in - *.tar.gz | *.tgz) tar -xzf "${tarball}" ;; - *.tar) tar -xf "${tarball}" ;; - *.zip) unzip "${tarball}" ;; - *) - log_err "untar unknown archive format for ${tarball}" - return 1 - ;; - esac -} -mktmpdir() { - test -z "$TMPDIR" && TMPDIR="$(mktemp -d)" - mkdir -p "${TMPDIR}" - echo "${TMPDIR}" -} -http_download_curl() { - local_file=$1 - source_url=$2 - header=$3 - if [ -z "$header" ]; then - code=$(curl -w '%{http_code}' -sL -o "$local_file" "$source_url") || (log_debug "curl command failed." && return 1) - else - code=$(curl -w '%{http_code}' -sL -H "$header" -o "$local_file" "$source_url") || (log_debug "curl command failed." && return 1) - fi - if [ "$code" != "200" ]; then - log_debug "http_download_curl received HTTP status $code" - return 1 - fi - return 0 -} -http_download_wget() { - local_file=$1 - source_url=$2 - header=$3 - if [ -z "$header" ]; then - wget -q -O "$local_file" "$source_url" || (log_debug "wget command failed." && return 1) - else - wget -q --header "$header" -O "$local_file" "$source_url" || (log_debug "wget command failed." && return 1) - fi -} -http_download() { - log_debug "http_download $2" - if is_command curl; then - http_download_curl "$@" - return - elif is_command wget; then - http_download_wget "$@" - return - fi - log_crit "http_download unable to find wget or curl" - return 1 -} -http_copy() { - tmp=$(mktemp) - if [ ! -w "$tmp" ]; - then - log_crit "Generated tempory file ${tmp} is not writable!" - fi - if [ ! -r "$tmp" ]; - then - log_crit "Generated tempory file ${tmp} is not readable!" 
- fi - - http_download "${tmp}" "$1" "$2" || return 1 - body=$(cat "$tmp") - rm -f "${tmp}" - echo "$body" -} -github_release() { - owner_repo=$1 - version=$2 - test -z "$version" && version="latest" - giturl="https://github.com/${owner_repo}/releases/${version}" - json=$(http_copy "$giturl" "Accept:application/json") - test -z "$json" && return 1 - version=$(echo "$json" | tr -s '\n' ' ' | sed 's/.*"tag_name":"//' | sed 's/".*//') - test -z "$version" && return 1 - echo "$version" -} -hash_sha256() { - TARGET=${1:-/dev/stdin} - if is_command gsha256sum; then - hash=$(gsha256sum "$TARGET") || return 1 - echo "$hash" | cut -d ' ' -f 1 - elif is_command sha256sum; then - hash=$(sha256sum "$TARGET") || return 1 - echo "$hash" | cut -d ' ' -f 1 - elif is_command shasum; then - hash=$(shasum -a 256 "$TARGET" 2>/dev/null) || return 1 - echo "$hash" | cut -d ' ' -f 1 - elif is_command openssl; then - hash=$(openssl -dst openssl dgst -sha256 "$TARGET") || return 1 - echo "$hash" | cut -d ' ' -f a - else - log_crit "hash_sha256 unable to find command to compute sha-256 hash" - return 1 - fi -} -hash_sha256_verify() { - TARGET=$1 - checksums=$2 - if [ -z "$checksums" ]; then - log_err "hash_sha256_verify checksum file not specified in arg2" - return 1 - fi - BASENAME=${TARGET##*/} - want=$(grep "${BASENAME}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1) - if [ -z "$want" ]; then - log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'" - return 1 - fi - got=$(hash_sha256 "$TARGET") - if [ "$want" != "$got" ]; then - log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got" - return 1 - fi -} -cat /dev/null <