From 03048f2b5937c5b8074ca1f0ffda871209dd9c1f Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Wed, 18 Sep 2024 22:08:15 -0500
Subject: [PATCH] fix: use workflow_ref for workflow.ref

---
 provenance.jq | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/provenance.jq b/provenance.jq
index 6699f88..187a0a5 100644
--- a/provenance.jq
+++ b/provenance.jq
@@ -7,7 +7,8 @@
 # see also: https://github.com/actions/buildtypes/tree/main/workflow/v1
 def github_actions_provenance($github; $runner; $digest):
 if $github.event_name != "workflow_dispatch" then error("error: '\($github.event_name)' is not a supported event type for provenance generation") else
- {
+ ($github.workflow_ref | ltrimstr($github.repository + "/") | split("@") | if length == 2 then . else error("parsing 'workflow_ref' failed: '\(.)'") end) as $workflowRefSplit
+ | {
 _type: "https://in-toto.io/Statement/v1",
 subject: [
 ($digest | split(":")) as $splitDigest
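Review bot: `ltrimstr($github.repository + "/")` on the added `$workflowRefSplit` line is a silent no-op when `workflow_ref` does not begin with the calling repository, so in that case `$workflowRefSplit[0]` still carries an `owner/repo/` prefix, the `length == 2` check still passes, and the prefixed value flows into the provenance `path` as if it were a repo-relative path. Since the commit's stated purpose is handling a workflow file that lives in another repository, the parser should either fail closed or parse the repository out instead of assuming the prefix matched, e.g. `($github.workflow_ref | if startswith($github.repository + "/") then ltrimstr($github.repository + "/") else error("workflow_ref '\(.)' is not under repository '\($github.repository)'") end | split("@") | if length == 2 then . else error("parsing 'workflow_ref' failed: '\(.)'") end) as $workflowRefSplit`. Whether `workflow_ref` can actually differ from `$github.repository` under the `workflow_dispatch`-only guard above is not something I can confirm from this hunk, but the parsing should not silently depend on it. The body of `github_actions_provenance` continues past the end of this hunk.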
@@ -30,15 +31,10 @@ def github_actions_provenance($github; $runner; $digest):
 buildType: "https://actions.github.io/buildtypes/workflow/v1",
 externalParameters: {
 workflow: {
- # TODO this matches how this is documented/suggested in GitHub's buildType documentation, but does not account for the workflow file being in a separate repository at a separate ref from the "source" (which the "workflow_ref" field *does* account for), so that would/will change how we need to calculate these values if we ever do that (something like "^(?[^/]+/[^/]+)/(?.*)@(?refs/.*)$" on $github.workflow_ref ?)
- ref: $github.ref,
+ # this deviates from how this is documented/suggested in GitHub's buildType documentation to account for the workflow file being in a separate repository at a separate ref from the "source" (which the "github.ref" field *doesn't* account for)
+ ref: $workflowRefSplit[1],
 repository: ($github.server_url + "/" + $github.repository),
- path: (
- $github.workflow_ref
- | ltrimstr($github.repository + "/")
- | rtrimstr("@" + $github.ref)
- | if contains("@") then error("parsing 'workflow_ref' failed: '\(.)'") else . end
- ),
+ path: $workflowRefSplit[0],
 # not required, but useful/important (and potentially but unlikely different from $github.sha used in resolvedDependencies below):
 digest: { gitCommit: $github.workflow_sha },
 },
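Review bot: The new comment above `ref:` says the change accounts for the workflow file living in a separate repository, but `repository:` two lines below is still built from `$github.repository`, and `path: $workflowRefSplit[0]` is only repo-relative when the `ltrimstr` in the `$workflowRefSplit` definition actually matched, so only the `ref` half of that claim holds in this hunk. I would narrow the comment so a reader does not take `repository`/`path` as covered: `# ref comes from workflow_ref rather than github.ref so it reflects the workflow file's own ref; repository/path below still assume the workflow lives in $github.repository`. If cross-repository workflows are a real target, `repository` should be derived from the `owner/repo` prefix of `workflow_ref` (roughly what the removed TODO sketched) in a follow-up rather than documented away. The enclosing `github_actions_provenance` definition begins before this hunk and continues after it.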