scorecard: 2.2.8 -> 3.0.1

pkgs/tools/security/scorecard/default.nix

@@ -1,16 +1,33 @@
-{ lib, buildGoModule, fetchFromGitHub, installShellFiles }:
+{ lib, buildGoModule, fetchFromGitHub, fetchgit, installShellFiles }:
 
 buildGoModule rec {
   pname = "scorecard";
-  version = "2.2.8";
+  version = "3.0.1";
 
   src = fetchFromGitHub {
     owner = "ossf";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-U29NCZFXOhu0xLfDlJ1Q7m8TbAm+C6+ecYFhcI5gg6s=";
+    sha256 = "sha256-19XDAgv9ARCZ7eNlWUPcsbGNyKA9vYFry8m6D3+vQP8=";
+    # populate values otherwise taken care of by goreleaser,
+    # unfortunately these require us to use git. By doing
+    # this in postFetch we can delete .git afterwards and
+    # maintain better reproducibility of the src.
+    leaveDotGit = true;
+    postFetch = ''
+      cd "$out"
+
+      commit="$(git rev-parse HEAD)"
+      source_date_epoch=$(git log --date=iso8601-strict -1 --pretty=%ct)
+
+      substituteInPlace "$out/pkg/scorecard_version.go" \
+        --replace 'gitCommit = "unknown"' "gitCommit = \"$commit\"" \
+        --replace 'buildDate = "unknown"' "buildDate = \"$source_date_epoch\""
+
+      find "$out" -name .git -print0 | xargs -0 rm -rf
+    '';
   };
-  vendorSha256 = "sha256-hOATCXjBE0doHnY2BaRKZocQ6SIigL0q4m9eEJGKh6Q=";
+  vendorSha256 = "sha256-ucF26pTEvG8tkzsyC9WNbvl8QCeetKBvBIcQL2NTfjo=";
 
   # Install completions post-install
   nativeBuildInputs = [ installShellFiles ];
@@ -20,8 +37,8 @@ buildGoModule rec {
   ldflags = [
     "-s"
     "-w"
-    "-X github.com/ossf/scorecard/v2/pkg.gitVersion=v${version}"
-    "-X github.com/ossf/scorecard/v2/pkg.gitTreeState=clean"
+    "-X github.com/ossf/scorecard/v${lib.versions.major version}/pkg.gitVersion=v${version}"
+    "-X github.com/ossf/scorecard/v${lib.versions.major version}/pkg.gitTreeState=clean"
   ];
 
   preCheck = ''