Add validation for commit-based APIs (#1635)

Co-authored-by: Azeem Shaikh <azeems@google.com>

checks/binary_artifact_test.go

@@ -22,6 +22,7 @@ import (
 	"github.com/golang/mock/gomock"
 
 	"github.com/ossf/scorecard/v4/checker"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/localdir"
 	"github.com/ossf/scorecard/v4/log"
 	scut "github.com/ossf/scorecard/v4/utests"
@@ -72,7 +73,7 @@ func TestBinaryArtifacts(t *testing.T) {
 			ctx := context.Background()
 
 			client := localdir.CreateLocalDirClient(ctx, logger)
-			if err := client.InitRepo(repo, "HEAD"); err != nil {
+			if err := client.InitRepo(repo, clients.HeadSHA); err != nil {
 				t.Errorf("InitRepo: %v", err)
 			}
 

checks/license_test.go

@@ -22,6 +22,7 @@ import (
 	"github.com/golang/mock/gomock"
 
 	"github.com/ossf/scorecard/v4/checker"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/localdir"
 	"github.com/ossf/scorecard/v4/log"
 	scut "github.com/ossf/scorecard/v4/utests"
@@ -154,7 +155,7 @@ func TestLicenseFileSubdirectory(t *testing.T) {
 			ctx := context.Background()
 
 			client := localdir.CreateLocalDirClient(ctx, logger)
-			if err := client.InitRepo(repo, "HEAD"); err != nil {
+			if err := client.InitRepo(repo, clients.HeadSHA); err != nil {
 				t.Errorf("InitRepo: %v", err)
 			}
 

checks/raw/security_policy.go

@@ -20,6 +20,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks/fileparser"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	sce "github.com/ossf/scorecard/v4/errors"
 	"github.com/ossf/scorecard/v4/log"
@@ -80,7 +81,7 @@ func SecurityPolicy(c *checker.CheckRequest) (checker.SecurityPolicyData, error)
 		Repo:       c.Repo.Org(),
 	}
 
-	err = dotGitHub.RepoClient.InitRepo(dotGitHub.Repo, "HEAD")
+	err = dotGitHub.RepoClient.InitRepo(dotGitHub.Repo, clients.HeadSHA)
 	switch {
 	case err == nil:
 		defer dotGitHub.RepoClient.Close()

checks/sast.go

@@ -31,7 +31,6 @@ var allowedConclusions = map[string]bool{"success": true, "neutral": true}
 
 //nolint:gochecknoinits
 func init() {
-	// TODO(#575): Check if we can support commit-based requests here.
 	if err := registerCheck(CheckSAST, SAST, nil); err != nil {
 		// This should never happen.
 		panic(err)

clients/githubrepo/branches.go

@@ -17,6 +17,7 @@ package githubrepo
 import (
 	"context"
 	"fmt"
+	"strings"
 	"sync"
 
 	"github.com/google/go-github/v38/github"
@@ -113,31 +114,34 @@ type branchesHandler struct {
 	once             *sync.Once
 	ctx              context.Context
 	errSetup         error
-	owner            string
-	repo             string
+	repourl          *repoURL
 	defaultBranchRef *clients.BranchRef
 	branches         []*clients.BranchRef
 }
 
-func (handler *branchesHandler) init(ctx context.Context, owner, repo string) {
+func (handler *branchesHandler) init(ctx context.Context, repourl *repoURL) {
 	handler.ctx = ctx
-	handler.owner = owner
-	handler.repo = repo
+	handler.repourl = repourl
 	handler.errSetup = nil
 	handler.once = new(sync.Once)
 }
 
 func (handler *branchesHandler) setup() error {
 	handler.once.Do(func() {
+		if !strings.EqualFold(handler.repourl.commitSHA, clients.HeadSHA) {
+			handler.errSetup = fmt.Errorf("%w: branches only supported for HEAD queries", clients.ErrUnsupportedFeature)
+			return
+		}
 		vars := map[string]interface{}{
-			"owner":         githubv4.String(handler.owner),
-			"name":          githubv4.String(handler.repo),
+			"owner":         githubv4.String(handler.repourl.owner),
+			"name":          githubv4.String(handler.repourl.repo),
 			"refsToAnalyze": githubv4.Int(refsToAnalyze),
 			"refPrefix":     githubv4.String(refPrefix),
 		}
 		handler.data = new(branchesData)
 		if err := handler.graphClient.Query(handler.ctx, handler.data, vars); err != nil {
 			handler.errSetup = sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("githubv4.Query: %v", err))
+			return
 		}
 		handler.defaultBranchRef = getBranchRefFrom(handler.data.Repository.DefaultBranchRef)
 		handler.branches = getBranchRefsFrom(handler.data.Repository.Refs.Nodes, handler.defaultBranchRef)

clients/githubrepo/checkruns.go

@@ -17,6 +17,7 @@ package githubrepo
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	"github.com/google/go-github/v38/github"
 
@@ -25,21 +26,22 @@ import (
 )
 
 type checkrunsHandler struct {
-	client *github.Client
-	ctx    context.Context
-	owner  string
-	repo   string
+	client  *github.Client
+	ctx     context.Context
+	repourl *repoURL
 }
 
-func (handler *checkrunsHandler) init(ctx context.Context, owner, repo string) {
+func (handler *checkrunsHandler) init(ctx context.Context, repourl *repoURL) {
 	handler.ctx = ctx
-	handler.owner = owner
-	handler.repo = repo
+	handler.repourl = repourl
 }
 
 func (handler *checkrunsHandler) listCheckRunsForRef(ref string) ([]clients.CheckRun, error) {
-	checkRuns, _, err := handler.client.Checks.ListCheckRunsForRef(handler.ctx, handler.owner, handler.repo, ref,
-		&github.ListCheckRunsOptions{})
+	if !strings.EqualFold(handler.repourl.commitSHA, clients.HeadSHA) {
+		return nil, fmt.Errorf("%w: ListCheckRuns only supported for HEAD queries", clients.ErrUnsupportedFeature)
+	}
+	checkRuns, _, err := handler.client.Checks.ListCheckRunsForRef(
+		handler.ctx, handler.repourl.owner, handler.repourl.repo, ref, &github.ListCheckRunsOptions{})
 	if err != nil {
 		return nil, sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("ListCheckRunsForRef: %v", err))
 	}

clients/githubrepo/client.go

@@ -34,8 +34,7 @@ var errInputRepoType = errors.New("input repo should be of type repoURL")
 
 // Client is GitHub-specific implementation of RepoClient.
 type Client struct {
-	owner        string
-	repoName     string
+	repourl      *repoURL
 	repo         *github.Repository
 	repoClient   *github.Client
 	graphClient  *graphqlHandler
@@ -62,9 +61,14 @@ func (client *Client) InitRepo(inputRepo clients.Repo, commitSHA string) error {
 	if err != nil {
 		return sce.WithMessage(sce.ErrRepoUnreachable, err.Error())
 	}
+
 	client.repo = repo
-	client.owner = repo.Owner.GetLogin()
-	client.repoName = repo.GetName()
+	client.repourl = &repoURL{
+		owner:         repo.Owner.GetLogin(),
+		repo:          repo.GetName(),
+		defaultBranch: repo.GetDefaultBranch(),
+		commitSHA:     commitSHA,
+	}
 
 	// Init tarballHandler.
 	if err := client.tarball.init(client.ctx, client.repo, commitSHA); err != nil {
@@ -72,36 +76,35 @@ func (client *Client) InitRepo(inputRepo clients.Repo, commitSHA string) error {
 	}
 
 	// Setup GraphQL.
-	client.graphClient.init(client.ctx, client.owner, client.repoName,
-		client.repo.GetDefaultBranch(), commitSHA)
+	client.graphClient.init(client.ctx, client.repourl)
 
 	// Setup contributorsHandler.
-	client.contributors.init(client.ctx, client.owner, client.repoName)
+	client.contributors.init(client.ctx, client.repourl)
 
 	// Setup branchesHandler.
-	client.branches.init(client.ctx, client.owner, client.repoName)
+	client.branches.init(client.ctx, client.repourl)
 
 	// Setup releasesHandler.
-	client.releases.init(client.ctx, client.owner, client.repoName)
+	client.releases.init(client.ctx, client.repourl)
 
 	// Setup workflowsHandler.
-	client.workflows.init(client.ctx, client.owner, client.repoName)
+	client.workflows.init(client.ctx, client.repourl)
 
 	// Setup checkrunsHandler.
-	client.checkruns.init(client.ctx, client.owner, client.repoName)
+	client.checkruns.init(client.ctx, client.repourl)
 
 	// Setup statusesHandler.
-	client.statuses.init(client.ctx, client.owner, client.repoName)
+	client.statuses.init(client.ctx, client.repourl)
 
 	// Setup searchHandler.
-	client.search.init(client.ctx, client.owner, client.repoName)
+	client.search.init(client.ctx, client.repourl)
 
 	return nil
 }
 
 // URI implements RepoClient.URI.
 func (client *Client) URI() string {
-	return fmt.Sprintf("github.com/%s/%s", client.owner, client.repoName)
+	return fmt.Sprintf("github.com/%s/%s", client.repourl.owner, client.repourl.repo)
 }
 
 // ListFiles implements RepoClient.ListFiles.
@@ -224,7 +227,7 @@ func CreateOssFuzzRepoClient(ctx context.Context, logger *log.Logger) (clients.R
 	}
 
 	ossFuzzRepoClient := CreateGithubRepoClient(ctx, logger)
-	if err := ossFuzzRepoClient.InitRepo(ossFuzzRepo, "HEAD"); err != nil {
+	if err := ossFuzzRepoClient.InitRepo(ossFuzzRepo, clients.HeadSHA); err != nil {
 		return nil, fmt.Errorf("error during InitRepo: %w", err)
 	}
 	return ossFuzzRepoClient, nil

clients/githubrepo/contributors.go

@@ -17,6 +17,7 @@ package githubrepo
 import (
 	"context"
 	"fmt"
+	"strings"
 	"sync"
 
 	"github.com/google/go-github/v38/github"
@@ -29,25 +30,28 @@ type contributorsHandler struct {
 	once         *sync.Once
 	ctx          context.Context
 	errSetup     error
-	owner        string
-	repo         string
+	repourl      *repoURL
 	contributors []clients.Contributor
 }
 
-func (handler *contributorsHandler) init(ctx context.Context, owner, repo string) {
+func (handler *contributorsHandler) init(ctx context.Context, repourl *repoURL) {
 	handler.ctx = ctx
-	handler.owner = owner
-	handler.repo = repo
+	handler.repourl = repourl
 	handler.errSetup = nil
 	handler.once = new(sync.Once)
 }
 
 func (handler *contributorsHandler) setup() error {
 	handler.once.Do(func() {
+		if !strings.EqualFold(handler.repourl.commitSHA, clients.HeadSHA) {
+			handler.errSetup = fmt.Errorf("%w: ListContributors only supported for HEAD queries", clients.ErrUnsupportedFeature)
+			return
+		}
 		contribs, _, err := handler.ghClient.Repositories.ListContributors(
-			handler.ctx, handler.owner, handler.repo, &github.ListContributorsOptions{})
+			handler.ctx, handler.repourl.owner, handler.repourl.repo, &github.ListContributorsOptions{})
 		if err != nil {
 			handler.errSetup = fmt.Errorf("error during ListContributors: %w", err)
+			return
 		}
 
 		for _, contrib := range contribs {

clients/githubrepo/graphql.go

@@ -114,26 +114,20 @@ type graphqlData struct {
 }
 
 type graphqlHandler struct {
-	client        *githubv4.Client
-	data          *graphqlData
-	once          *sync.Once
-	ctx           context.Context
-	errSetup      error
-	owner         string
-	repo          string
-	defaultBranch string
-	commitSHA     string
-	commits       []clients.Commit
-	issues        []clients.Issue
-	archived      bool
+	client   *githubv4.Client
+	data     *graphqlData
+	once     *sync.Once
+	ctx      context.Context
+	errSetup error
+	repourl  *repoURL
+	commits  []clients.Commit
+	issues   []clients.Issue
+	archived bool
 }
 
-func (handler *graphqlHandler) init(ctx context.Context, owner, repo, defaultBranch, commitSHA string) {
+func (handler *graphqlHandler) init(ctx context.Context, repourl *repoURL) {
 	handler.ctx = ctx
-	handler.owner = owner
-	handler.repo = repo
-	handler.defaultBranch = defaultBranch
-	handler.commitSHA = commitSHA
+	handler.repourl = repourl
 	handler.data = new(graphqlData)
 	handler.errSetup = nil
 	handler.once = new(sync.Once)
@@ -141,15 +135,15 @@ func (handler *graphqlHandler) init(ctx context.Context, owner, repo, defaultBra
 
 func (handler *graphqlHandler) setup() error {
 	handler.once.Do(func() {
-		commitExpression := handler.commitSHA
-		if strings.EqualFold(handler.commitSHA, "HEAD") {
+		commitExpression := handler.repourl.commitSHA
+		if strings.EqualFold(handler.repourl.commitSHA, clients.HeadSHA) {
 			// TODO(#575): Confirm that this works as expected.
-			commitExpression = fmt.Sprintf("heads/%s", handler.defaultBranch)
+			commitExpression = fmt.Sprintf("heads/%s", handler.repourl.defaultBranch)
 		}
 
 		vars := map[string]interface{}{
-			"owner":                  githubv4.String(handler.owner),
-			"name":                   githubv4.String(handler.repo),
+			"owner":                  githubv4.String(handler.repourl.owner),
+			"name":                   githubv4.String(handler.repourl.repo),
 			"pullRequestsToAnalyze":  githubv4.Int(pullRequestsToAnalyze),
 			"issuesToAnalyze":        githubv4.Int(issuesToAnalyze),
 			"issueCommentsToAnalyze": githubv4.Int(issueCommentsToAnalyze),
@@ -163,7 +157,7 @@ func (handler *graphqlHandler) setup() error {
 			return
 		}
 		handler.archived = bool(handler.data.Repository.IsArchived)
-		handler.commits, handler.errSetup = commitsFrom(handler.data, handler.owner, handler.repo)
+		handler.commits, handler.errSetup = commitsFrom(handler.data, handler.repourl.owner, handler.repourl.repo)
 		if handler.errSetup != nil {
 			return
 		}
@@ -180,6 +174,9 @@ func (handler *graphqlHandler) getCommits() ([]clients.Commit, error) {
 }
 
 func (handler *graphqlHandler) getIssues() ([]clients.Issue, error) {
+	if !strings.EqualFold(handler.repourl.commitSHA, clients.HeadSHA) {
+		return nil, fmt.Errorf("%w: ListIssues only supported for HEAD queries", clients.ErrUnsupportedFeature)
+	}
 	if err := handler.setup(); err != nil {
 		return nil, fmt.Errorf("error during graphqlHandler.setup: %w", err)
 	}
@@ -187,6 +184,9 @@ func (handler *graphqlHandler) getIssues() ([]clients.Issue, error) {
 }
 
 func (handler *graphqlHandler) isArchived() (bool, error) {
+	if !strings.EqualFold(handler.repourl.commitSHA, clients.HeadSHA) {
+		return false, fmt.Errorf("%w: IsArchived only supported for HEAD queries", clients.ErrUnsupportedFeature)
+	}
 	if err := handler.setup(); err != nil {
 		return false, fmt.Errorf("error during graphqlHandler.setup: %w", err)
 	}

clients/githubrepo/releases.go

@@ -17,6 +17,7 @@ package githubrepo
 import (
 	"context"
 	"fmt"
+	"strings"
 	"sync"
 
 	"github.com/google/go-github/v38/github"
@@ -30,23 +31,25 @@ type releasesHandler struct {
 	once     *sync.Once
 	ctx      context.Context
 	errSetup error
-	owner    string
-	repo     string
+	repourl  *repoURL
 	releases []clients.Release
 }
 
-func (handler *releasesHandler) init(ctx context.Context, owner, repo string) {
+func (handler *releasesHandler) init(ctx context.Context, repourl *repoURL) {
 	handler.ctx = ctx
-	handler.owner = owner
-	handler.repo = repo
+	handler.repourl = repourl
 	handler.errSetup = nil
 	handler.once = new(sync.Once)
 }
 
 func (handler *releasesHandler) setup() error {
 	handler.once.Do(func() {
+		if !strings.EqualFold(handler.repourl.commitSHA, clients.HeadSHA) {
+			handler.errSetup = fmt.Errorf("%w: ListReleases only supported for HEAD queries", clients.ErrUnsupportedFeature)
+			return
+		}
 		releases, _, err := handler.client.Repositories.ListReleases(
-			handler.ctx, handler.owner, handler.repo, &github.ListOptions{})
+			handler.ctx, handler.repourl.owner, handler.repourl.repo, &github.ListOptions{})
 		if err != nil {
 			handler.errSetup = sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("githubv4.Query: %v", err))
 		}

clients/githubrepo/repo.go

@@ -28,8 +28,8 @@ const (
 )
 
 type repoURL struct {
-	host, owner, repo string
-	metadata          []string
+	host, owner, repo, defaultBranch, commitSHA string
+	metadata                                    []string
 }
 
 // Parses input string into repoURL struct.

clients/githubrepo/search.go

@@ -30,17 +30,19 @@ var errEmptyQuery = errors.New("search query is empty")
 type searchHandler struct {
 	ghClient *github.Client
 	ctx      context.Context
-	owner    string
-	repo     string
+	repourl  *repoURL
 }
 
-func (handler *searchHandler) init(ctx context.Context, owner, repo string) {
+func (handler *searchHandler) init(ctx context.Context, repourl *repoURL) {
 	handler.ctx = ctx
-	handler.owner = owner
-	handler.repo = repo
+	handler.repourl = repourl
 }
 
 func (handler *searchHandler) search(request clients.SearchRequest) (clients.SearchResponse, error) {
+	if !strings.EqualFold(handler.repourl.commitSHA, clients.HeadSHA) {
+		return clients.SearchResponse{}, fmt.Errorf(
+			"%w: Search only supported for HEAD queries", clients.ErrUnsupportedFeature)
+	}
 	query, err := handler.buildQuery(request)
 	if err != nil {
 		return clients.SearchResponse{}, fmt.Errorf("handler.buildQuery: %w", err)
@@ -63,7 +65,9 @@ func (handler *searchHandler) buildQuery(request clients.SearchRequest) (string,
 		// that should be replaced with a space.
 		// See https://docs.github.com/en/search-github/searching-on-github/searching-code#considerations-for-code-search
 		// for reference.
-		fmt.Sprintf("%s repo:%s/%s", strings.ReplaceAll(request.Query, "/", " "), handler.owner, handler.repo)); err != nil {
+		fmt.Sprintf("%s repo:%s/%s",
+			strings.ReplaceAll(request.Query, "/", " "),
+			handler.repourl.owner, handler.repourl.repo)); err != nil {
 		return "", fmt.Errorf("WriteString: %w", err)
 	}
 	if request.Filename != "" {

clients/githubrepo/search_test.go

@@ -27,32 +27,37 @@ func TestBuildQuery(t *testing.T) {
 		searchReq       clients.SearchRequest
 		expectedErrType error
 		name            string
-		owner           string
-		repo            string
+		repourl         *repoURL
 		expectedQuery   string
 		hasError        bool
 	}{
 		{
-			name:  "Basic",
-			owner: "testowner",
-			repo:  "testrepo",
+			name: "Basic",
+			repourl: &repoURL{
+				owner: "testowner",
+				repo:  "testrepo",
+			},
 			searchReq: clients.SearchRequest{
 				Query: "testquery",
 			},
 			expectedQuery: "testquery repo:testowner/testrepo",
 		},
 		{
-			name:            "EmptyQuery",
-			owner:           "testowner",
-			repo:            "testrepo",
+			name: "EmptyQuery",
+			repourl: &repoURL{
+				owner: "testowner",
+				repo:  "testrepo",
+			},
 			searchReq:       clients.SearchRequest{},
 			hasError:        true,
 			expectedErrType: errEmptyQuery,
 		},
 		{
-			name:  "WithFilename",
-			owner: "testowner",
-			repo:  "testrepo",
+			name: "WithFilename",
+			repourl: &repoURL{
+				owner: "testowner",
+				repo:  "testrepo",
+			},
 			searchReq: clients.SearchRequest{
 				Query:    "testquery",
 				Filename: "filename1.txt",
@@ -60,9 +65,11 @@ func TestBuildQuery(t *testing.T) {
 			expectedQuery: "testquery repo:testowner/testrepo in:file filename:filename1.txt",
 		},
 		{
-			name:  "WithPath",
-			owner: "testowner",
-			repo:  "testrepo",
+			name: "WithPath",
+			repourl: &repoURL{
+				owner: "testowner",
+				repo:  "testrepo",
+			},
 			searchReq: clients.SearchRequest{
 				Query: "testquery",
 				Path:  "dir1/file1.txt",
@@ -70,9 +77,11 @@ func TestBuildQuery(t *testing.T) {
 			expectedQuery: "testquery repo:testowner/testrepo path:dir1/file1.txt",
 		},
 		{
-			name:  "WithFilenameAndPath",
-			owner: "testowner",
-			repo:  "testrepo",
+			name: "WithFilenameAndPath",
+			repourl: &repoURL{
+				owner: "testowner",
+				repo:  "testrepo",
+			},
 			searchReq: clients.SearchRequest{
 				Query:    "testquery",
 				Filename: "filename1.txt",
@@ -81,9 +90,11 @@ func TestBuildQuery(t *testing.T) {
 			expectedQuery: "testquery repo:testowner/testrepo in:file filename:filename1.txt path:dir1/dir2",
 		},
 		{
-			name:  "WithFilenameAndPathWithSeparator",
-			owner: "testowner",
-			repo:  "testrepo",
+			name: "WithFilenameAndPathWithSeparator",
+			repourl: &repoURL{
+				owner: "testowner",
+				repo:  "testrepo",
+			},
 			searchReq: clients.SearchRequest{
 				Query:    "testquery/query",
 				Filename: "filename1.txt",
@@ -99,8 +110,7 @@ func TestBuildQuery(t *testing.T) {
 			t.Parallel()
 
 			handler := searchHandler{
-				owner: testcase.owner,
-				repo:  testcase.repo,
+				repourl: testcase.repourl,
 			}
 
 			query, err := handler.buildQuery(testcase.searchReq)

clients/githubrepo/statuses.go

@@ -17,6 +17,7 @@ package githubrepo
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	"github.com/google/go-github/v38/github"
 
@@ -25,21 +26,22 @@ import (
 )
 
 type statusesHandler struct {
-	client *github.Client
-	ctx    context.Context
-	owner  string
-	repo   string
+	client  *github.Client
+	ctx     context.Context
+	repourl *repoURL
 }
 
-func (handler *statusesHandler) init(ctx context.Context, owner, repo string) {
+func (handler *statusesHandler) init(ctx context.Context, repourl *repoURL) {
 	handler.ctx = ctx
-	handler.owner = owner
-	handler.repo = repo
+	handler.repourl = repourl
 }
 
 func (handler *statusesHandler) listStatuses(ref string) ([]clients.Status, error) {
-	statuses, _, err := handler.client.Repositories.ListStatuses(handler.ctx, handler.owner, handler.repo, ref,
-		&github.ListOptions{})
+	if !strings.EqualFold(handler.repourl.commitSHA, clients.HeadSHA) {
+		return nil, fmt.Errorf("%w: ListStatuses only supported for HEAD queries", clients.ErrUnsupportedFeature)
+	}
+	statuses, _, err := handler.client.Repositories.ListStatuses(
+		handler.ctx, handler.repourl.owner, handler.repourl.repo, ref, &github.ListOptions{})
 	if err != nil {
 		return nil, sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("ListStatuses: %v", err))
 	}

clients/githubrepo/tarball.go

@@ -29,6 +29,7 @@ import (
 
 	"github.com/google/go-github/v38/github"
 
+	"github.com/ossf/scorecard/v4/clients"
 	sce "github.com/ossf/scorecard/v4/errors"
 )
 
@@ -96,7 +97,7 @@ func (handler *tarballHandler) init(ctx context.Context, repo *github.Repository
 func (handler *tarballHandler) getTarball(ctx context.Context, repo *github.Repository, commitSHA string) error {
 	url := repo.GetArchiveURL()
 	url = strings.Replace(url, "{archive_format}", "tarball/", 1)
-	if strings.EqualFold(commitSHA, "HEAD") {
+	if strings.EqualFold(commitSHA, clients.HeadSHA) {
 		url = strings.Replace(url, "{/ref}", "", 1)
 	} else {
 		url = strings.Replace(url, "{/ref}", commitSHA, 1)

clients/githubrepo/workflows.go

@@ -17,6 +17,7 @@ package githubrepo
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	"github.com/google/go-github/v38/github"
 
@@ -25,21 +26,23 @@ import (
 )
 
 type workflowsHandler struct {
-	client *github.Client
-	ctx    context.Context
-	owner  string
-	repo   string
+	client  *github.Client
+	ctx     context.Context
+	repourl *repoURL
 }
 
-func (handler *workflowsHandler) init(ctx context.Context, owner, repo string) {
+func (handler *workflowsHandler) init(ctx context.Context, repourl *repoURL) {
 	handler.ctx = ctx
-	handler.owner = owner
-	handler.repo = repo
+	handler.repourl = repourl
 }
 
 func (handler *workflowsHandler) listSuccessfulWorkflowRuns(filename string) ([]clients.WorkflowRun, error) {
+	if !strings.EqualFold(handler.repourl.commitSHA, clients.HeadSHA) {
+		return nil, fmt.Errorf(
+			"%w: ListWorkflowRunsByFileName only supported for HEAD queries", clients.ErrUnsupportedFeature)
+	}
 	workflowRuns, _, err := handler.client.Actions.ListWorkflowRunsByFileName(
-		handler.ctx, handler.owner, handler.repo, filename, &github.ListWorkflowRunsOptions{
+		handler.ctx, handler.repourl.owner, handler.repourl.repo, filename, &github.ListWorkflowRunsOptions{
 			Status: "success",
 		})
 	if err != nil {

clients/localdir/client_test.go

@@ -24,6 +24,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/log"
 )
 
@@ -75,7 +76,7 @@ func TestClient_CreationAndCaching(t *testing.T) {
 			}
 
 			client := CreateLocalDirClient(ctx, logger)
-			if err := client.InitRepo(repo, "HEAD"); err != nil {
+			if err := client.InitRepo(repo, clients.HeadSHA); err != nil {
 				t.Errorf("InitRepo: %v", err)
 			}
 

clients/repo_client.go

@@ -20,6 +20,9 @@ import "errors"
 // ErrUnsupportedFeature indicates an API that is not supported by the client.
 var ErrUnsupportedFeature = errors.New("unsupported feature")
 
+// HeadSHA is default commitSHA value used to denote git HEAD.
+const HeadSHA = "HEAD"
+
 // RepoClient interface is used by Scorecard checks to access a repo.
 type RepoClient interface {
 	InitRepo(repo Repo, commitSHA string) error

cmd/root.go

@@ -63,7 +63,7 @@ var rootCmd = &cobra.Command{
 func init() {
 	rootCmd.Flags().StringVar(&flagRepo, "repo", "", "repository to check")
 	rootCmd.Flags().StringVar(&flagLocal, "local", "", "local folder to check")
-	rootCmd.Flags().StringVar(&flagCommit, "commit", "HEAD", "commit to analyze")
+	rootCmd.Flags().StringVar(&flagCommit, "commit", clients.HeadSHA, "commit to analyze")
 	rootCmd.Flags().StringVar(
 		&flagLogLevel,
 		"verbosity",
@@ -148,7 +148,7 @@ func scorecardCmd(cmd *cobra.Command, args []string) {
 	if flagLocal != "" {
 		requiredRequestTypes = append(requiredRequestTypes, checker.FileBased)
 	}
-	if !strings.EqualFold(flagCommit, "HEAD") {
+	if !strings.EqualFold(flagCommit, clients.HeadSHA) {
 		requiredRequestTypes = append(requiredRequestTypes, checker.CommitBased)
 	}
 	enabledChecks, err := getEnabledChecks(policy, flagChecksToRun, requiredRequestTypes)
@@ -225,7 +225,7 @@ func validateCmdFlags() {
 		if flagFormat == formatRaw {
 			log.Panic("raw option not supported yet")
 		}
-		if flagCommit != "HEAD" {
+		if flagCommit != clients.HeadSHA {
 			log.Panic("--commit option not supported yet")
 		}
 	}

cmd/serve.go

@@ -70,7 +70,8 @@ var serveCmd = &cobra.Command{
 			}
 			defer ossFuzzRepoClient.Close()
 			ciiClient := clients.DefaultCIIBestPracticesClient()
-			repoResult, err := pkg.RunScorecards(ctx, repo, "HEAD" /*commitSHA*/, false /*raw*/, checks.AllChecks, repoClient,
+			repoResult, err := pkg.RunScorecards(
+				ctx, repo, clients.HeadSHA /*commitSHA*/, false /*raw*/, checks.AllChecks, repoClient,
 				ossFuzzRepoClient, ciiClient, vulnsClient)
 			if err != nil {
 				logger.Error(err, "running enabled scorecard checks on repo")

cron/worker/main.go

@@ -85,7 +85,7 @@ func processRequest(ctx context.Context,
 			continue
 		}
 		repo.AppendMetadata(repo.Metadata()...)
-		result, err := pkg.RunScorecards(ctx, repo, "HEAD" /*commitSHA*/, false /*raw*/, checksToRun,
+		result, err := pkg.RunScorecards(ctx, repo, clients.HeadSHA /*commitSHA*/, false /*raw*/, checksToRun,
 			repoClient, ossFuzzRepoClient, ciiClient, vulnsClient)
 		if errors.Is(err, sce.ErrRepoUnreachable) {
 			// Not accessible repo - continue.

e2e/binary_artifacts_test.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -35,7 +36,7 @@ var _ = Describe("E2E TEST:"+checks.CheckBinaryArtifacts, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf/scorecard")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 
 			req := checker.CheckRequest{
@@ -61,7 +62,7 @@ var _ = Describe("E2E TEST:"+checks.CheckBinaryArtifacts, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-binary-artifacts-e2e")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 
 			req := checker.CheckRequest{
@@ -123,7 +124,7 @@ var _ = Describe("E2E TEST:"+checks.CheckBinaryArtifacts, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-binary-artifacts-e2e-4-binaries")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 
 			req := checker.CheckRequest{

e2e/branch_protection_test.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -33,7 +34,7 @@ var _ = Describe("E2E TEST:"+checks.CheckBranchProtection, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-branch-protection-e2e")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 			req := checker.CheckRequest{
 				Ctx:        context.Background(),
@@ -63,7 +64,7 @@ var _ = Describe("E2E TEST:"+checks.CheckBranchProtection, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-branch-protection-e2e-none")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 			req := checker.CheckRequest{
 				Ctx:        context.Background(),
@@ -93,7 +94,7 @@ var _ = Describe("E2E TEST:"+checks.CheckBranchProtection, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-branch-protection-e2e-patch-1")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 			req := checker.CheckRequest{
 				Ctx:        context.Background(),

e2e/ci_tests_test.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -33,7 +34,7 @@ var _ = Describe("E2E TEST:"+checks.CheckCITests, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/airflow")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 			req := checker.CheckRequest{
 				Ctx:        context.Background(),

e2e/code_review_test.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -35,7 +36,7 @@ var _ = Describe("E2E TEST:CodeReview", func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/airflow")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 
 			req := checker.CheckRequest{

e2e/contributors_test.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -33,7 +34,7 @@ var _ = Describe("E2E TEST:"+checks.CheckContributors, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf/scorecard")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 			req := checker.CheckRequest{
 				Ctx:        context.Background(),

e2e/dangerous_workflow_test.go

@@ -21,6 +21,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -32,7 +33,7 @@ var _ = Describe("E2E TEST:"+checks.CheckTokenPermissions, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-dangerous-workflow-e2e")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 			req := checker.CheckRequest{
 				Ctx:        context.Background(),

e2e/dependency_update_tool_test.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -35,7 +36,7 @@ var _ = Describe("E2E TEST:"+checks.CheckDependencyUpdateTool, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf/scorecard")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 
 			req := checker.CheckRequest{
@@ -66,7 +67,7 @@ var _ = Describe("E2E TEST:"+checks.CheckDependencyUpdateTool, func() {
 			repo, err := githubrepo.MakeGithubRepo("netlify/netlify-cms")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 
 			req := checker.CheckRequest{

e2e/fuzzing_test.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -33,7 +34,7 @@ var _ = Describe("E2E TEST:"+checks.CheckFuzzing, func() {
 			repo, err := githubrepo.MakeGithubRepo("tensorflow/tensorflow")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 			ossFuzzRepoClient, err := githubrepo.CreateOssFuzzRepoClient(context.Background(), logger)
 			Expect(err).Should(BeNil())
@@ -61,7 +62,7 @@ var _ = Describe("E2E TEST:"+checks.CheckFuzzing, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-fuzzing-cflite")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 			ossFuzzRepoClient, err := githubrepo.CreateOssFuzzRepoClient(context.Background(), logger)
 			Expect(err).Should(BeNil())
@@ -89,7 +90,7 @@ var _ = Describe("E2E TEST:"+checks.CheckFuzzing, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-packaging-e2e")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 			ossFuzzRepoClient, err := githubrepo.CreateOssFuzzRepoClient(context.Background(), logger)
 			Expect(err).Should(BeNil())

e2e/license_test.go

@@ -21,6 +21,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -32,7 +33,7 @@ var _ = Describe("E2E TEST:"+checks.CheckLicense, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-license-e2e")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 			req := checker.CheckRequest{
 				Ctx:        context.Background(),

e2e/maintained_test.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -33,7 +34,7 @@ var _ = Describe("E2E TEST:"+checks.CheckMaintained, func() {
 			repo, err := githubrepo.MakeGithubRepo("apache/airflow")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 			req := checker.CheckRequest{
 				Ctx:        context.Background(),

e2e/packaging_test.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -33,7 +34,7 @@ var _ = Describe("E2E TEST:"+checks.CheckPackaging, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-packaging-e2e")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 			req := checker.CheckRequest{
 				Ctx:        context.Background(),

e2e/permissions_test.go

@@ -21,6 +21,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -32,7 +33,7 @@ var _ = Describe("E2E TEST:"+checks.CheckTokenPermissions, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-token-permissions-e2e")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 			req := checker.CheckRequest{
 				Ctx:        context.Background(),

e2e/pinned_dependencies_test.go

@@ -21,6 +21,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -34,7 +35,7 @@ var _ = Describe("E2E TEST:"+checks.CheckPinnedDependencies, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-pinned-dependencies-e2e")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 
 			req := checker.CheckRequest{

e2e/sast_test.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -33,7 +34,7 @@ var _ = Describe("E2E TEST:"+checks.CheckSAST, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/airflow")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 			req := checker.CheckRequest{
 				Ctx:        context.Background(),

e2e/security_policy_test.go

@@ -21,6 +21,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -32,7 +33,7 @@ var _ = Describe("E2E TEST:SecurityPolicy", func() {
 			repo, err := githubrepo.MakeGithubRepo("tensorflow/tensorflow")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 
 			req := checker.CheckRequest{
@@ -62,7 +63,7 @@ var _ = Describe("E2E TEST:SecurityPolicy", func() {
 			repo, err := githubrepo.MakeGithubRepo("randombit/botan")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 
 			req := checker.CheckRequest{

e2e/signedreleases_test.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -33,7 +34,7 @@ var _ = Describe("E2E TEST:"+checks.CheckSignedReleases, func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-signed-releases-e2e")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 			req := checker.CheckRequest{
 				Ctx:        context.Background(),

e2e/vulnerabilities_test.go

@@ -33,7 +33,7 @@ var _ = Describe("E2E TEST:Vulnerabilities", func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf/scorecard")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 
 			dl := scut.TestDetailLogger{}
@@ -66,7 +66,7 @@ var _ = Describe("E2E TEST:Vulnerabilities", func() {
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-vulnerabilities-open62541")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
-			err = repoClient.InitRepo(repo, "HEAD")
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
 			Expect(err).Should(BeNil())
 
 			dl := scut.TestDetailLogger{}