Summary
This action is not respecting the GitHub API URL provided from the context / environment.
Details
Running this action on a self-hosted GitHub Enterprise Server (GHES) instance with a pull_request trigger fails with the following log entry:
quickview
✓ Provenance obtained from attestation
✓ SBOM obtained from attestation, 265 packages indexed
! Policy evaluation skipped: %w no organization configured, use --org or run 'docker scout config' to view policy results
Error: GET https://api.github.com/repos/<org_name>/<repo_name>/issues/56/comments?direction=desc&per_page=10&sort=updated: 401 Bad credentials []
The issue is that it tries to access api.github.com with the job credentials for our private GHES instance.
Proposed Solutions
Solution 1
This action should not hardcode the API URL, but use the GitHub context variable ${{ github.api_url }} or its respective mapped environment variable $GITHUB_API_URL. See the GitHub Actions documentation for further details.
Solution 2
Add an input to configure the API URL and default it to ${{ github.api_url }} as suggested in #15
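A sketch of how the two proposed solutions combine, added here as an illustration and not the action's own code: an optional input overrides `GITHUB_API_URL`, which overrides the public default, and the token is attached only to requests for the resolved origin. The function names, the `acme/widgets` repository and the `ghes.example.internal` host are assumptions made for the example.

```javascript
// Added example: helper names are hypothetical, not taken from the action.
const DEFAULT_API_URL = "https://api.github.com";

// Precedence: explicit action input, then GITHUB_API_URL set by the runner,
// then the public default. On GHES the runner sets https://HOSTNAME/api/v3.
function resolveApiBaseUrl(env, inputApiUrl) {
  const raw = (inputApiUrl || env.GITHUB_API_URL || DEFAULT_API_URL).trim();
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`invalid GitHub API URL: ${raw}`);
  }
  // The job token travels in a header, so refuse cleartext transports.
  if (url.protocol !== "https:") {
    throw new Error(`refusing non-HTTPS GitHub API URL: ${raw}`);
  }
  // Drop trailing slashes so path joining keeps the /api/v3 prefix intact.
  return url.origin + url.pathname.replace(/\/+$/, "");
}

// Builds the request seen in the log, against the resolved base URL.
function issueCommentsUrl(baseUrl, owner, repo, issueNumber) {
  const path = ["repos", owner, repo, "issues", String(issueNumber), "comments"]
    .map(encodeURIComponent)
    .join("/");
  const url = new URL(`${baseUrl}/${path}`);
  url.searchParams.set("direction", "desc");
  url.searchParams.set("per_page", "10");
  url.searchParams.set("sort", "updated");
  return url.toString();
}

// Attach the token only when the request goes to the configured API origin,
// so a GHES job token is never presented to another host.
function authHeadersFor(requestUrl, baseUrl, token) {
  const sameOrigin = new URL(requestUrl).origin === new URL(baseUrl).origin;
  return sameOrigin ? { Authorization: `Bearer ${token}` } : {};
}

// Constructed sample environment (ghes.example.internal is a placeholder host).
const sampleEnv = { GITHUB_API_URL: "https://ghes.example.internal/api/v3/" };
const base = resolveApiBaseUrl(sampleEnv, "");
console.log(issueCommentsUrl(base, "acme", "widgets", 56));
```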