fix: use workflow_ref for workflow.ref
mrjoelkamp committed Sep 19, 2024
1 parent d9b5735 commit 03048f2
Showing 1 changed file with 5 additions and 9 deletions.
14 changes: 5 additions & 9 deletions provenance.jq
@@ -7,7 +7,8 @@
# see also: https://github.com/actions/buildtypes/tree/main/workflow/v1
def github_actions_provenance($github; $runner; $digest):
if $github.event_name != "workflow_dispatch" then error("error: '\($github.event_name)' is not a supported event type for provenance generation") else
{
($github.workflow_ref | ltrimstr($github.repository + "/") | split("@") | if length == 2 then . else error("parsing 'workflow_ref' failed: '\(.)'") end) as $workflowRefSplit
| {
_type: "https://in-toto.io/Statement/v1",
subject: [
($digest | split(":")) as $splitDigest
@@ -30,15 +31,10 @@ def github_actions_provenance($github; $runner; $digest):
buildType: "https://actions.github.io/buildtypes/workflow/v1",
externalParameters: {
workflow: {
# TODO this matches how this is documented/suggested in GitHub's buildType documentation, but does not account for the workflow file being in a separate repository at a separate ref from the "source" (which the "workflow_ref" field *does* account for), so that would/will change how we need to calculate these values if we ever do that (something like "^(?<repo>[^/]+/[^/]+)/(?<path>.*)@(?<ref>refs/.*)$" on $github.workflow_ref ?)
ref: $github.ref,
# this deviates from how this is documented/suggested in GitHub's buildType documentation to account for the workflow file being in a separate repository at a separate ref from the "source" (which the "github.ref" field *doesn't* account for)
ref: $workflowRefSplit[1],
repository: ($github.server_url + "/" + $github.repository),
path: (
$github.workflow_ref
| ltrimstr($github.repository + "/")
| rtrimstr("@" + $github.ref)
| if contains("@") then error("parsing 'workflow_ref' failed: '\(.)'") else . end
),
path: $workflowRefSplit[0],
# not required, but useful/important (and potentially but unlikely different from $github.sha used in resolvedDependencies below):
digest: { gitCommit: $github.workflow_sha },
},
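Review bot: the new comment above `ref: $workflowRefSplit[1]` says the deviation accounts for the workflow file living in a separate repository, but `repository: ($github.server_url + "/" + $github.repository)` two lines below still names the calling repository, and `path: $workflowRefSplit[0]` comes from a string that was only trimmed with the calling repository's name. For a reusable workflow in another repository the three `workflow` fields would therefore describe two different repositories with no error raised. Either derive `repository` from the same parsed `workflow_ref` so that `ref`, `repository`, `path` and the `gitCommit: $github.workflow_sha` digest all refer to one repository, or say in the comment that a same-repository workflow is assumed and reject anything else up front. Note also that dropping `rtrimstr("@" + $github.ref)` removes the only check that the workflow ref and `$github.ref` agreed; that is presumably intended here, but the comment should state that they may now legitimately differ.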
