From 74fd21594623cc57dda2d13a76eb9e9a4b8e0e8f Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Fri, 8 Mar 2024 16:54:56 +0000 Subject: [PATCH 01/12] use upload-artifact and download-artifact v4 Signed-off-by: Ramon Petgrave --- .../actions/secure-download-artifact/action.yml | 2 +- .../actions/secure-download-folder/action.yml | 2 +- .../actions/secure-upload-artifact/action.yml | 2 +- .../workflows/builder_container-based_slsa3.yml | 12 ++++++------ .github/workflows/builder_go_slsa3.yml | 4 ++-- .github/workflows/generator_generic_slsa3.yml | 2 +- .github/workflows/pre-submit.actions.yml | 2 +- .../pre-submit.e2e.container-based.default.yml | 4 ++-- .../workflows/pre-submit.e2e.generic.default.yml | 6 +++--- ...pre-submit.e2e.go.config-ldflags-main-dir.yml | 4 ++-- .github/workflows/scorecards.yml | 2 +- CHANGELOG.md | 5 +++++ SPECIFICATIONS.md | 4 ++-- internal/builders/generic/README.md | 16 ++++++---------- 14 files changed, 34 insertions(+), 33 deletions(-) diff --git a/.github/actions/secure-download-artifact/action.yml b/.github/actions/secure-download-artifact/action.yml index f8cf151298..bc225b8560 100644 --- a/.github/actions/secure-download-artifact/action.yml +++ b/.github/actions/secure-download-artifact/action.yml @@ -78,7 +78,7 @@ runs: echo "folder_path=${folder_path}" >> "${GITHUB_OUTPUT}" - name: Download the artifact - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: "${{ inputs.name }}" path: "${{ steps.validate-path.outputs.folder_path }}" diff --git a/.github/actions/secure-download-folder/action.yml b/.github/actions/secure-download-folder/action.yml index a4d81f0bd6..001208a734 100644 --- a/.github/actions/secure-download-folder/action.yml +++ b/.github/actions/secure-download-folder/action.yml 
@@ -34,7 +34,7 @@ runs: uses: slsa-framework/slsa-github-generator/.github/actions/rng@main - name: Download the artifact - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: "${{ inputs.name }}" path: "${{ steps.rng.outputs.random }}" diff --git a/.github/actions/secure-upload-artifact/action.yml b/.github/actions/secure-upload-artifact/action.yml index 984b39a614..e6209abca0 100644 --- a/.github/actions/secure-upload-artifact/action.yml +++ b/.github/actions/secure-upload-artifact/action.yml @@ -37,7 +37,7 @@ runs: path: "${{ inputs.path }}" - name: Upload the artifact - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: "${{ inputs.name }}" path: "${{ inputs.path }}" diff --git a/.github/workflows/builder_container-based_slsa3.yml b/.github/workflows/builder_container-based_slsa3.yml index e560a0a73d..38cb649cfd 100644 --- a/.github/workflows/builder_container-based_slsa3.yml +++ b/.github/workflows/builder_container-based_slsa3.yml @@ -209,7 +209,7 @@ jobs: allow-private-repository: ${{ inputs.rekor-log-public }} - name: Upload builder - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}" path: "${{ env.BUILDER_BINARY }}" 
@@ -462,7 +462,7 @@ jobs: # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use a # secure upload or verify this against the SLSA layout file. id: upload-artifacts - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: ${{ steps.build.outputs.build-outputs-name }} path: /tmp/build-outputs-${{ needs.rng.outputs.value }} @@ -535,7 +535,7 @@ jobs: - name: Upload unsigned intoto attestations file for pull request if: ${{ github.event_name == 'pull_request' }} id: upload-unsigned - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}" path: "attestations-${{ needs.rng.outputs.value }}" @@ -556,7 +556,7 @@ jobs: - name: Upload the signed attestations id: upload-signed if: ${{ github.event_name != 'pull_request' }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}" path: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}" @@ -584,7 +584,7 @@ jobs: # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the SLSA # layout files and their checksums to validate the artifacts. - name: Download artifacts - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: "${{ needs.build.outputs.build-outputs-name }}" path: "${{ needs.build.outputs.build-outputs-name }}" 
@@ -592,7 +592,7 @@ jobs: # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the # secure-folder-download action. - name: Download provenance - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: "${{ needs.provenance.outputs.provenance-name }}" path: "${{ needs.provenance.outputs.provenance-name }}" diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml index 75ee9ddee7..7a656be5fb 100644 --- a/.github/workflows/builder_go_slsa3.yml +++ b/.github/workflows/builder_go_slsa3.yml @@ -169,7 +169,7 @@ jobs: allow-private-repository: ${{ inputs.private-repository }} - name: Upload builder - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}" path: "${{ env.BUILDER_BINARY }}" @@ -358,7 +358,7 @@ jobs: --workingDir "$UNTRUSTED_WORKING_DIR" - name: Upload the signed provenance - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: "${{ steps.sign-prov.outputs.signed-provenance-name }}" path: "${{ steps.sign-prov.outputs.signed-provenance-name }}" diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml index cf787e07ed..fbd91ffaf8 100644 --- a/.github/workflows/generator_generic_slsa3.yml +++ b/.github/workflows/generator_generic_slsa3.yml 
@@ -251,7 +251,7 @@ jobs: - name: Upload the signed provenance id: upload-prov continue-on-error: true - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: "${{ steps.sign-prov.outputs.provenance-name }}" path: "${{ steps.sign-prov.outputs.provenance-name }}" diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml index e93bf7c39e..26bdf4a146 100644 --- a/.github/workflows/pre-submit.actions.yml +++ b/.github/workflows/pre-submit.actions.yml @@ -98,7 +98,7 @@ jobs: fi # If index.js was different from expected, upload the expected version as an artifact - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 if: ${{ failure() && steps.diff.conclusion == 'failure' }} with: name: dist diff --git a/.github/workflows/pre-submit.e2e.container-based.default.yml b/.github/workflows/pre-submit.e2e.container-based.default.yml index 4aad66f266..fde224d1c7 100644 --- a/.github/workflows/pre-submit.e2e.container-based.default.yml +++ b/.github/workflows/pre-submit.e2e.container-based.default.yml @@ -46,7 +46,7 @@ jobs: GITHUB_HEAD_REPOSITORY: ${{ github.event.pull_request.head.repo.full_name }} steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b + - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: ${{ needs.build-container-based.outputs.build-outputs-name }} path: outputs 
@@ -57,7 +57,7 @@ jobs: name=$(find outputs/ -type f | head -1) cp "$name" . echo "name=$(basename "$name")" >> "$GITHUB_OUTPUT" - - uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b + - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: ${{ needs.build-container-based.outputs.attestations-download-name }} - env: diff --git a/.github/workflows/pre-submit.e2e.generic.default.yml b/.github/workflows/pre-submit.e2e.generic.default.yml index 716d472720..810ca1f641 100644 --- a/.github/workflows/pre-submit.e2e.generic.default.yml +++ b/.github/workflows/pre-submit.e2e.generic.default.yml @@ -47,7 +47,7 @@ jobs: if: ${{ always() }} steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: ${{ needs.build.outputs.provenance-name }} - env: @@ -76,7 +76,7 @@ jobs: needs: [build-continue-no-error] steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: ${{ needs.build-continue-no-error.outputs.provenance-name }} - env: @@ -106,7 +106,7 @@ jobs: needs: [build, build-continue-invalid-subjects] steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: ${{ needs.build.outputs.provenance-name }} - env: diff --git a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml index f64fde5710..8134947b83 100644 
--- a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml +++ b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml @@ -65,10 +65,10 @@ jobs: if: ${{ always() }} steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: ${{ needs.build.outputs.go-binary-name }} - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: ${{ needs.build.outputs.go-provenance-name }} - env: diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index b6a72e6374..ab72542953 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -63,7 +63,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: SARIF file path: results.sarif diff --git a/CHANGELOG.md b/CHANGELOG.md index 68144da56c..7a2f6f4f7f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - [Unreleased](#unreleased) + - [Unleased: Breaking Change:](#unreleased-breaking-change-upload-artifact-and-download-artifact) - [Unreleased: Gradle Builder](#unreleased-gradle-builder) - [Unreleased: Go Builder](#unreleased-go-builder) - [Unreleased: Container Generator](#unreleased-container-generator) 
@@ -99,6 +100,10 @@ duplication." ## Unreleased +### Unreleased: Breaking Change: upload-artifact and download-artifact + +- Our workflows now use the new `@v4`s of `actions/upload-artifact` and `actions/download-artifact`, which are incompatiblle with the prior `@v3`. See Our docs on the [generic generator](./internal/builders/generic/README.md#compatibility-with-actionsdownload-artifact). + ### Unreleased: Gradle Builder - The Gradle Builder was fixed when the project root is the same as the diff --git a/SPECIFICATIONS.md b/SPECIFICATIONS.md index 3ce6364285..219d761d6d 100644 --- a/SPECIFICATIONS.md +++ b/SPECIFICATIONS.md @@ -193,10 +193,10 @@ jobs: runs-on: ubuntu-latest needs: build steps: - - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 + - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: ${{ needs.build.outputs.go-binary-name }} - - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 + - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - name: Release diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md index 1e809fff43..97ee5dee65 100644 --- a/internal/builders/generic/README.md +++ b/internal/builders/generic/README.md @@ -193,12 +193,12 @@ jobs: if: startsWith(github.ref, 'refs/tags/') steps: - name: Download artifact1 - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v2.1.0 + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: artifact1 - name: Download artifact2 - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v2.1.0 + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: artifact2 
@@ -1485,7 +1485,7 @@ jobs: # Do the build to create release_artifact_${{ runner.os }} - run: ... - - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: path: release_artifact_${{ runner.os }} name: release_artifact_${{ runner.os }} @@ -1540,7 +1540,7 @@ jobs: # Do the build to create release_artifact_${{ runner.os }} - run: ... - - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: path: release_artifact_${{ runner.os }} name: release_artifact_${{ runner.os }} @@ -1641,9 +1641,5 @@ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_s ### Compatibility with `actions/download-artifact` -To download provenance (e.g., if you don't use `upload-assets`) you have to -use [`actions/download-artifact@v3`](https://github.com/actions/download-artifact). -The workflow uses [`actions/upload-artifact@3`](https://github.com/actions/upload-artifact) -which is -[not compatible](https://github.com/actions/download-artifact?tab=readme-ov-file#breaking-changes) -with `actions/download-artifact@v4`. +`slsa-github-generator@v1.9.0` and prior use [`actions/upload-artifact@v3`](https://github.com/actions/upload-artifact) and [`actions/download-artifact@v3`](https://github.com/actions/download-artifact) which are not backwards compatible the `@v4`s used in current versions of `slsa-github-generator`. +The interface remains the same, however. If your own workflows want to download artifacts produced by our workflows, they muse use `actions/download-artifact@v4`. From 875667713deaf8060607913d290a1d47ac39bbb9 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Fri, 8 Mar 2024 16:56:29 +0000 Subject: [PATCH 02/12] npm audit 
Signed-off-by: Ramon Petgrave --- package-lock.json | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 89a2089b12..f157826ec4 100644 --- a/package-lock.json +++ b/package-lock.json @@ -4,6 +4,7 @@ "requires": true, "packages": { "": { + "name": "slsa-github-generator", "devDependencies": { "markdown-toc": "1.2.0", "markdownlint-cli": "0.37.0", @@ -705,9 +706,9 @@ } }, "node_modules/ip": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/ip/-/ip-2.0.0.tgz", - "integrity": "sha512-WKa+XuLG1A1R0UWhl2+1XQSi+fZWMsYKffMZTTYsiZaUD8k2yDAj5atimTUD2TZkyCkNEeYE5NhFZmupOGtjYQ==", + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/ip/-/ip-2.0.1.tgz", + "integrity": "sha512-lJUL9imLTNi1ZfXT+DU6rBBdbiKGBuay9B6xGSPVjUeQwaH1RIGqef8RZkUtHioLmSNpPR5M4HVKJGm1j8FWVQ==", "dev": true }, "node_modules/is-buffer": { From 4488d71e77d700619588865de378d44ac2196e9e Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Fri, 8 Mar 2024 17:02:29 +0000 Subject: [PATCH 03/12] markdown lint Signed-off-by: Ramon Petgrave --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7a2f6f4f7f..34f5a3fb7c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,7 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - [Unreleased](#unreleased) - - [Unleased: Breaking Change:](#unreleased-breaking-change-upload-artifact-and-download-artifact) + - [Unreleased: Breaking Change: upload-artifact and download-artifact](#unreleased-breaking-change-upload-artifact-and-download-artifact) - [Unreleased: Gradle Builder](#unreleased-gradle-builder) - [Unreleased: Go Builder](#unreleased-go-builder) - [Unreleased: Container Generator](#unreleased-container-generator) From c3888884eb97cdd9dd53f9879dfc6405d6566210 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Fri, 8 Mar 2024 17:31:22 +0000 Subject: [PATCH 04/12] checkout the PR version 
Signed-off-by: Ramon Petgrave --- .github/workflows/pre-submit.actions.yml | 41 ++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml index 26bdf4a146..12a029fba9 100644 --- a/.github/workflows/pre-submit.actions.yml +++ b/.github/workflows/pre-submit.actions.yml @@ -28,12 +28,18 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} - run: ./.github/workflows/scripts/pre-submit.actions/checkout.sh check-tscommon-tarball: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} - name: Untar the package tarball working-directory: .github/actions/tscommon @@ -76,6 +82,9 @@ jobs: - .github/actions/detect-workflow-js steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} - name: Set Node.js 18 uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 @@ -122,6 +131,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} - run: | echo "foo" > artifact - id: compute-sha256 @@ -137,6 +149,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} - run: | echo "foo" > artifact - id: rng 
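Review bot: Checking out `github.event.pull_request.head.repo.full_name` at `github.event.pull_request.head.sha` and then running `./.github/workflows/scripts/pre-submit.actions/checkout.sh` from that tree is only appropriate if this workflow is triggered by `pull_request`; the `on:` block is outside this hunk, so confirm it is not `pull_request_target`, under which this would execute fork-controlled code with the base repository's token. The change also alters what is tested: the default `pull_request` checkout is the merge commit into the base branch, whereas `head.sha` is the unmerged PR tip, which deserves a step comment such as `# Check out the PR head (not the merge ref) so the composite actions under test come from the PR itself`. Both expressions are empty on non-PR triggers, which a later commit in this series addresses, and `${{github.event.pull_request.head.repo.full_name}}` drops the inner spaces the rest of the file uses in `${{ ... }}`. The same two lines are added in every other hunk of this file in this commit, and this note applies to all of them.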
@@ -152,6 +167,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} path: __THIS_REPO__ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: @@ -177,6 +194,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} path: __BUILDER_CHECKOUT_DIR__ - name: Checkout the Go repository @@ -190,6 +209,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} path: __BUILDER_CHECKOUT_DIR__ - name: Checkout the JS repository @@ -209,6 +230,9 @@ jobs: DOWNLOAD_FOLDER_NO_ROOT_NAME: "download-root/download-folder" steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} - name: Create folder run: | set -euo pipefail @@ -367,6 +391,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} path: __BUILDER_CHECKOUT_DIR__ - name: Create artifact @@ -394,6 +420,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} path: __BUILDER_CHECKOUT_DIR__ - name: Create artifact 
@@ -427,6 +455,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} path: __BUILDER_CHECKOUT_DIR__ - name: Create artifact and folder @@ -461,6 +491,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} path: __BUILDER_CHECKOUT_DIR__ - name: Create artifact @@ -494,6 +526,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} - uses: ./.github/actions/generate-builder with: repository: "slsa-framework/slsa-github-generator" @@ -508,6 +543,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} - name: Detect the builder ref id: detect uses: ./.github/actions/detect-workflow-js @@ -526,6 +564,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} - name: Test generate attestations id: generate uses: ./.github/actions/generate-attestations From b16effdd3efa3505f77a5a956656242e874ab232 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Fri, 8 Mar 2024 17:40:57 +0000 Subject: [PATCH 05/12] conditional assignment Signed-off-by: Ramon Petgrave --- .github/workflows/pre-submit.actions.yml | 64 ++++++++++++------------ 1 file changed, 32 insertions(+), 32 deletions(-) 
diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml index 12a029fba9..2e315c2f42 100644 --- a/.github/workflows/pre-submit.actions.yml +++ b/.github/workflows/pre-submit.actions.yml @@ -29,8 +29,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: ${{github.event.pull_request.head.repo.full_name}} - ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }} + ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} - run: ./.github/workflows/scripts/pre-submit.actions/checkout.sh check-tscommon-tarball: @@ -38,8 +38,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: ${{github.event.pull_request.head.repo.full_name}} - ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }} + ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} - name: Untar the package tarball working-directory: .github/actions/tscommon @@ -83,8 +83,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: ${{github.event.pull_request.head.repo.full_name}} - ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }} + ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} - name: Set Node.js 18 uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 
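Review bot: The `&& … ||` fallback pair is repeated verbatim in every checkout step of this file (this hunk and all that follow through the `@@ -565` hunk), so any future adjustment needs fourteen identical edits; the workflow-level `env:` (outside this hunk) can hold the two expressions once, e.g. as `CHECKOUT_REPOSITORY` and `CHECKOUT_REF`, with each step reduced to `repository: ${{ env.CHECKOUT_REPOSITORY }}` and `ref: ${{ env.CHECKOUT_REF }}`. The idiom has a known edge worth a comment on that env block: when `head.repo.full_name` is empty (the head repository no longer exists) the `||` falls through to `github.repository` while `ref` still resolves to the head sha, so the two values can disagree. As with the previous commit, this is only safe under a `pull_request` trigger, not `pull_request_target`; the `on:` block is outside the hunk.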
@@ -132,8 +132,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: ${{github.event.pull_request.head.repo.full_name}} - ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }} + ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} - run: | echo "foo" > artifact - id: compute-sha256 @@ -150,8 +150,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: ${{github.event.pull_request.head.repo.full_name}} - ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }} + ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} - run: | echo "foo" > artifact - id: rng @@ -167,8 +167,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: ${{github.event.pull_request.head.repo.full_name}} - ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }} + ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} path: __THIS_REPO__ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: 
@@ -194,8 +194,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: ${{github.event.pull_request.head.repo.full_name}} - ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }} + ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} path: __BUILDER_CHECKOUT_DIR__ - name: Checkout the Go repository @@ -209,8 +209,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: ${{github.event.pull_request.head.repo.full_name}} - ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }} + ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} path: __BUILDER_CHECKOUT_DIR__ - name: Checkout the JS repository @@ -231,8 +231,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: ${{github.event.pull_request.head.repo.full_name}} - ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }} + ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} - name: Create folder run: | set -euo pipefail 
@@ -391,8 +391,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: ${{github.event.pull_request.head.repo.full_name}} - ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }} + ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} path: __BUILDER_CHECKOUT_DIR__ - name: Create artifact @@ -420,8 +420,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: ${{github.event.pull_request.head.repo.full_name}} - ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }} + ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} path: __BUILDER_CHECKOUT_DIR__ - name: Create artifact @@ -455,8 +455,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: ${{github.event.pull_request.head.repo.full_name}} - ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }} + ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} path: __BUILDER_CHECKOUT_DIR__ - name: Create artifact and folder 
@@ -491,8 +491,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: ${{github.event.pull_request.head.repo.full_name}} - ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }} + ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} path: __BUILDER_CHECKOUT_DIR__ - name: Create artifact @@ -527,8 +527,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: ${{github.event.pull_request.head.repo.full_name}} - ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }} + ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} - uses: ./.github/actions/generate-builder with: repository: "slsa-framework/slsa-github-generator" @@ -544,8 +544,8 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: ${{github.event.pull_request.head.repo.full_name}} - ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }} + ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} - name: Detect the builder ref id: detect uses: ./.github/actions/detect-workflow-js 
@@ -565,8 +565,8 @@ jobs:
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
- repository: ${{github.event.pull_request.head.repo.full_name}}
- ref: ${{ github.event.pull_request.head.sha }}
+ repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
+ ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 - name: Test generate attestations
 id: generate
 uses: ./.github/actions/generate-attestations
From 0898d422405d78539d3e68cf3da1a81a9184cbd4 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Fri, 8 Mar 2024 17:54:43 +0000
Subject: [PATCH 06/12] fix attempt to use dynamic secure-uplaod-artifact
Signed-off-by: Ramon Petgrave
---
 .github/actions/secure-upload-folder/action.yml | 10 +++++++++-
 .github/workflows/pre-submit.actions.yml | 3 +++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/.github/actions/secure-upload-folder/action.yml b/.github/actions/secure-upload-folder/action.yml
index 11294b3be6..d7773d0346 100644
--- a/.github/actions/secure-upload-folder/action.yml
+++ b/.github/actions/secure-upload-folder/action.yml
@@ -24,6 +24,14 @@ inputs:
 path:
 description: 'Path to the folder'
 required: true
+ repo:
+ description: 'repo of secure-upload-artifact to use'
+ required: false
+ default: 'slsa-framework/slsa-github-generator'
+ ref:
+ description: 'ref of secure-upload-artifact to use'
+ required: false
+ default: 'main'
 outputs:
 sha256:
 description: "SHA256 of the uploaded tarball."
@@ -60,7 +68,7 @@ runs:
 - name: Upload the artifact
 id: upload
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@main
+ uses: "${{ inputs.repo }}.github/actions/secure-upload-artifact@${{ inputs.ref }}"
 with:
 name: "${{ inputs.name }}"
 path: "${{ steps.create.outputs.tarball-path }}"
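Review bot: The new `uses: "${{ inputs.repo }}.github/actions/secure-upload-artifact@${{ inputs.ref }}"` cannot resolve: GitHub Actions does not evaluate `${{ }}` expressions in a step's `uses` key, and the template also lacks the `/` between the repository name and `.github/…`. Independently of that, making the source repository and ref of this nested action caller-supplied would let any workflow that invokes `secure-upload-folder` point the step that produces the attested tarball hash at arbitrary code, which is a wider trust boundary than the fixed reference it replaces and not worth taking for test convenience. The caller-side hunk on the next line also passes a bare `repo:`, which YAML reads as null and would likely override the default with an empty value. PATCH 07 in this series reverts both hunks, so the only remaining suggestion is to record the constraint next to the restored line, e.g. `# uses: is resolved before expressions are evaluated, so this reference cannot be parameterised`.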
diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml
index 2e315c2f42..97d0d55556 100644
--- a/.github/workflows/pre-submit.actions.yml
+++ b/.github/workflows/pre-submit.actions.yml
@@ -260,6 +260,7 @@ jobs:
 with:
 name: "${{ env.ARTIFACT_NAME }}"
 path: "${{ env.UPLOAD_FOLDER_NAME }}"
+ repo:
 - name: Upload
 id: upload-noroot
@@ -267,6 +268,8 @@ jobs:
 with:
 name: "${{ env.ARTIFACT_NO_ROOT_NAME }}"
 path: "${{ env.UPLOAD_FOLDER_NO_ROOT_NAME }}"
+ repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
+ ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 - name: Download in new folder
 uses: ./.github/actions/secure-download-folder
From 8909854be690cfeabc81c8ce8a1f35d8726c37c0 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Fri, 8 Mar 2024 17:56:30 +0000
Subject: [PATCH 07/12] Revert "fix attempt to use dynamic secure-uplaod-artifact"
This reverts commit 90909d4ded2f8e052f7ffe219d7bb78009d639ae.
Signed-off-by: Ramon Petgrave
---
 .github/actions/secure-upload-folder/action.yml | 10 +--------
 .github/workflows/pre-submit.actions.yml | 3 ---
 2 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/.github/actions/secure-upload-folder/action.yml b/.github/actions/secure-upload-folder/action.yml
index d7773d0346..11294b3be6 100644
--- a/.github/actions/secure-upload-folder/action.yml
+++ b/.github/actions/secure-upload-folder/action.yml
@@ -24,14 +24,6 @@ inputs:
 path:
 description: 'Path to the folder'
 required: true
- repo:
- description: 'repo of secure-upload-artifact to use'
- required: false
- default: 'slsa-framework/slsa-github-generator'
- ref:
- description: 'ref of secure-upload-artifact to use'
- required: false
- default: 'main'
 outputs:
 sha256:
 description: "SHA256 of the uploaded tarball."
@@ -68,7 +60,7 @@ runs:
 - name: Upload the artifact
 id: upload
- uses: "${{ inputs.repo }}.github/actions/secure-upload-artifact@${{ inputs.ref }}"
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@main
 with:
 name: "${{ inputs.name }}"
 path: "${{ steps.create.outputs.tarball-path }}"
diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml
index 97d0d55556..2e315c2f42 100644
--- a/.github/workflows/pre-submit.actions.yml
+++ b/.github/workflows/pre-submit.actions.yml
@@ -260,7 +260,6 @@ jobs:
 with:
 name: "${{ env.ARTIFACT_NAME }}"
 path: "${{ env.UPLOAD_FOLDER_NAME }}"
- repo:
 - name: Upload
 id: upload-noroot
@@ -268,8 +267,6 @@ jobs:
 with:
 name: "${{ env.ARTIFACT_NO_ROOT_NAME }}"
 path: "${{ env.UPLOAD_FOLDER_NO_ROOT_NAME }}"
- repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 - name: Download in new folder
 uses: ./.github/actions/secure-download-folder
From fa0d6b5c0ae9b5f0cf68b196f5fd6e0a095815b0 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Mon, 11 Mar 2024 19:00:48 +0000
Subject: [PATCH 08/12] undo explicit params
Signed-off-by: Ramon Petgrave
---
 .github/workflows/pre-submit.actions.yml | 41 ------------------------
 1 file changed, 41 deletions(-)
diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml
index 2e315c2f42..26bdf4a146 100644
--- a/.github/workflows/pre-submit.actions.yml
+++ b/.github/workflows/pre-submit.actions.yml
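Review bot: The restored `uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@main` references this repository's own action by a floating branch, while every third-party action on this page is pinned to a commit SHA with a version comment; the effect is that a consumer pinned to a released tag of this repository still runs whatever is on `main` for this nested step. This is pre-existing rather than introduced by the revert, and presumably deliberate, but the reasoning is not recorded anywhere visible. A comment above the `uses:` line stating why the self-reference intentionally tracks `main` (or a release-time process that rewrites it to a tag) would stop the floating ref from being re-raised on every review.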
@@ -28,18 +28,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 - run: ./.github/workflows/scripts/pre-submit.actions/checkout.sh
 check-tscommon-tarball:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 - name: Untar the package tarball
 working-directory: .github/actions/tscommon
@@ -82,9 +76,6 @@ jobs:
 - .github/actions/detect-workflow-js
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 - name: Set Node.js 18
 uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
@@ -131,9 +122,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 - run: |
 echo "foo" > artifact
 - id: compute-sha256
@@ -149,9 +137,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 - run: |
 echo "foo" > artifact
 - id: rng
@@ -167,8 +152,6 @@ jobs:
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
- repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 path: __THIS_REPO__
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
@@ -194,8 +177,6 @@ jobs:
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
- repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 path: __BUILDER_CHECKOUT_DIR__
 - name: Checkout the Go repository
@@ -209,8 +190,6 @@ jobs:
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
- repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 path: __BUILDER_CHECKOUT_DIR__
 - name: Checkout the JS repository
@@ -230,9 +209,6 @@ jobs:
 DOWNLOAD_FOLDER_NO_ROOT_NAME: "download-root/download-folder"
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 - name: Create folder
 run: |
 set -euo pipefail
@@ -391,8 +367,6 @@ jobs:
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
- repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 path: __BUILDER_CHECKOUT_DIR__
 - name: Create artifact
@@ -420,8 +394,6 @@ jobs:
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
- repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 path: __BUILDER_CHECKOUT_DIR__
 - name: Create artifact
@@ -455,8 +427,6 @@ jobs:
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
- repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 path: __BUILDER_CHECKOUT_DIR__
 - name: Create artifact and folder
@@ -491,8 +461,6 @@ jobs:
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
- repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 path: __BUILDER_CHECKOUT_DIR__
 - name: Create artifact
@@ -526,9 +494,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 - uses: ./.github/actions/generate-builder
 with:
 repository: "slsa-framework/slsa-github-generator"
@@ -543,9 +508,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 - name: Detect the builder ref
 id: detect
 uses: ./.github/actions/detect-workflow-js
@@ -564,9 +526,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
- ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 - name: Test generate attestations
 id: generate
 uses: ./.github/actions/generate-attestations
From 5f377b164b0ebfcd782af0b6a5b44e6345afb3b2 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Mon, 11 Mar 2024 19:11:55 +0000
Subject: [PATCH 09/12] upgrade guidance
Signed-off-by: Ramon Petgrave
---
 CHANGELOG.md | 2 +-
 internal/builders/generic/README.md | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 34f5a3fb7c..7d44b7a334 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -102,7 +102,7 @@ duplication."
 ### Unreleased: Breaking Change: upload-artifact and download-artifact
-- Our workflows now use the new `@v4`s of `actions/upload-artifact` and `actions/download-artifact`, which are incompatiblle with the prior `@v3`. See Our docs on the [generic generator](./internal/builders/generic/README.md#compatibility-with-actionsdownload-artifact).
+- Our workflows now use the new `@v4`s of `actions/upload-artifact` and `actions/download-artifact`, which are incompatiblle with the prior `@v3`. See Our docs on the [generic generator](./internal/builders/generic/README.md#compatibility-with-actionsdownload-artifact) for more information and how to upgrade.
 ### Unreleased: Gradle Builder
diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
index 97ee5dee65..d711f36bec 100644
--- a/internal/builders/generic/README.md
+++ b/internal/builders/generic/README.md
@@ -1642,4 +1642,6 @@ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_s
 ### Compatibility with `actions/download-artifact`
 `slsa-github-generator@v1.9.0` and prior use [`actions/upload-artifact@v3`](https://github.com/actions/upload-artifact) and [`actions/download-artifact@v3`](https://github.com/actions/download-artifact) which are not backwards compatible the `@v4`s used in current versions of `slsa-github-generator`.
-The interface remains the same, however. If your own workflows want to download artifacts produced by our workflows, they muse use `actions/download-artifact@v4`.
+The interface remains the same, however. If your own workflows want to download artifacts produced by our workflows, they must begin using `actions/download-artifact@v4`. For your other dependent workflows, you may find that you need to upgrade all of your uses of both of the actions to `@v4` to maintain compatibility.
+
+This is part of our effort to upgrade from the now-deprecated node16 that the `@v3`s used. `@v4s` use node20.
From fe8272ffb033eb2f28d6a0dca100ff9f0b0a546c Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Mon, 11 Mar 2024 19:25:34 +0000
Subject: [PATCH 10/12] more migration guidance
Signed-off-by: Ramon Petgrave
---
 internal/builders/generic/README.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
index d711f36bec..0e5509d712 100644
--- a/internal/builders/generic/README.md
+++ b/internal/builders/generic/README.md
@@ -1644,4 +1644,8 @@ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_s
 `slsa-github-generator@v1.9.0` and prior use [`actions/upload-artifact@v3`](https://github.com/actions/upload-artifact) and [`actions/download-artifact@v3`](https://github.com/actions/download-artifact) which are not backwards compatible the `@v4`s used in current versions of `slsa-github-generator`.
 The interface remains the same, however. If your own workflows want to download artifacts produced by our workflows, they must begin using `actions/download-artifact@v4`. For your other dependent workflows, you may find that you need to upgrade all of your uses of both of the actions to `@v4` to maintain compatibility.
+See more migration guidance
+ * https://github.com/actions/upload-artifact/blob/main/docs/MIGRATION.md
+ * https://github.com/actions/download-artifact/blob/main/docs/MIGRATION.md
+
 This is part of our effort to upgrade from the now-deprecated node16 that the `@v3`s used. `@v4s` use node20.
From ed8743df77e33f32cfc07cc80d55d6a894ab14dd Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Wed, 13 Mar 2024 15:33:54 +0000
Subject: [PATCH 11/12] markdownlint
Signed-off-by: Ramon Petgrave
---
 internal/builders/generic/README.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
index 0e5509d712..6b521e3c54 100644
--- a/internal/builders/generic/README.md
+++ b/internal/builders/generic/README.md
@@ -1645,7 +1645,8 @@ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_s
 The interface remains the same, however. If your own workflows want to download artifacts produced by our workflows, they must begin using `actions/download-artifact@v4`. For your other dependent workflows, you may find that you need to upgrade all of your uses of both of the actions to `@v4` to maintain compatibility.
 See more migration guidance
- * https://github.com/actions/upload-artifact/blob/main/docs/MIGRATION.md
- * https://github.com/actions/download-artifact/blob/main/docs/MIGRATION.md
+
+- https://github.com/actions/upload-artifact/blob/main/docs/MIGRATION.md
+- https://github.com/actions/download-artifact/blob/main/docs/MIGRATION.md
 This is part of our effort to upgrade from the now-deprecated node16 that the `@v3`s used. `@v4s` use node20.
From 8794ec287dc601dad80564ceddee2a30ab04c25e Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Wed, 13 Mar 2024 15:34:45 +0000
Subject: [PATCH 12/12] undo package-lock
Signed-off-by: Ramon Petgrave
---
 package-lock.json | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index f157826ec4..89a2089b12 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -4,7 +4,6 @@
 "requires": true,
 "packages": {
 "": {
- "name": "slsa-github-generator",
 "devDependencies": {
 "markdown-toc": "1.2.0",
 "markdownlint-cli": "0.37.0",
@@ -706,9 +705,9 @@
 }
 },
 "node_modules/ip": {
- "version": "2.0.1",
- "resolved": "https://registry.npmjs.org/ip/-/ip-2.0.1.tgz",
- "integrity": "sha512-lJUL9imLTNi1ZfXT+DU6rBBdbiKGBuay9B6xGSPVjUeQwaH1RIGqef8RZkUtHioLmSNpPR5M4HVKJGm1j8FWVQ==",
+ "version": "2.0.0",
+ "resolved": "https://registry.npmjs.org/ip/-/ip-2.0.0.tgz",
+ "integrity": "sha512-WKa+XuLG1A1R0UWhl2+1XQSi+fZWMsYKffMZTTYsiZaUD8k2yDAj5atimTUD2TZkyCkNEeYE5NhFZmupOGtjYQ==",
 "dev": true
 },
 "node_modules/is-buffer": {