

feat: Use tags vX.Y.Z-<language> for JReleaser builders (#644)
Signed-off-by: laurentsimon <laurentsimon@google.com>
laurentsimon authored Jul 10, 2023
1 parent 1778495 commit c6d12b7
Showing 4 changed files with 97 additions and 10 deletions.
13 changes: 8 additions & 5 deletions verifiers/internal/gha/builder.go
Expand Up @@ -15,11 +15,12 @@ import (
)

var (
trustedBuilderRepository = "slsa-framework/slsa-github-generator"
e2eTestRepository = "slsa-framework/example-package"
certOidcIssuer = "https://token.actions.githubusercontent.com"
githubCom = "github.com/"
httpsGithubCom = "https://" + githubCom
trustedBuilderRepository = "slsa-framework/slsa-github-generator"
e2eTestRepository = "slsa-framework/example-package"
jReleaserActionRepository = "jreleaser/release-action"
certOidcIssuer = "https://token.actions.githubusercontent.com"
githubCom = "github.com/"
httpsGithubCom = "https://" + githubCom
// This is used in cosign's CheckOpts for validating the certificate. We
// do specific builder verification after this.
certSubjectRegexp = httpsGithubCom + "*"
Expand All @@ -40,6 +41,8 @@ var defaultBYOBReusableWorkflows = map[string]bool{
common.GenericLowPermsDelegatorBuilderID: true,
}

var JReleaserRepository = httpsGithubCom + jReleaserActionRepository

// VerifyCertficateSourceRepository verifies the source repository.
func VerifyCertficateSourceRepository(id *WorkflowIdentity,
sourceRepo string,
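Review bot: The new exported `JReleaserRepository` variable in the second hunk has no doc comment, and it is the value that `isValidDelegatorBuilderID` in provenance.go now keys its relaxed tag check on, so its meaning should be stated where it is declared. I would add `// JReleaserRepository is the https://github.com/ URL of the jreleaser/release-action repository; builder IDs under it are tagged vX.Y.Z-<language> rather than vX.Y.Z.` above it. Since both operands are string constants in practice, a `const` alongside the existing block would also prevent the value from being reassigned at runtime, if the package does not rely on it being a `var`. `VerifyCertficateSourceRepository` continues below the hunk.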
6 changes: 6 additions & 0 deletions verifiers/internal/gha/provenance.go
Expand Up @@ -261,6 +261,12 @@ func isValidDelegatorBuilderID(prov iface.Provenance) error {
if len(parts) != 2 {
return fmt.Errorf("%w: %s", serrors.ErrorInvalidBuilderID, id)
}

// Exception for JReleaser builders.
// See https://github.com/slsa-framework/slsa-github-generator/issues/2035#issuecomment-1579963802.
if strings.HasPrefix(parts[0], JReleaserRepository) {
return utils.IsValidJreleaserBuilderTag(parts[1])
}
return utils.IsValidBuilderTag(parts[1], false)
}

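Review bot: The `strings.HasPrefix(parts[0], JReleaserRepository)` check has no path boundary, so any builder ID whose repository path merely begins with `https://github.com/jreleaser/release-action` (for example a sibling repository with a longer name) would also be routed to the relaxed `IsValidJreleaserBuilderTag` check instead of the stricter `IsValidBuilderTag`. Assuming `parts[0]` is the builder ID path before the separator that `parts` was split on, anchoring on the next path separator closes that: `if strings.HasPrefix(parts[0], JReleaserRepository+"/") {`. The comment would also help a reader if it said what differs in the JReleaser case, e.g. `// JReleaser builders tag releases vX.Y.Z-<language>, which IsValidBuilderTag rejects as a pre-release.` `isValidDelegatorBuilderID` starts above the hunk.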
23 changes: 23 additions & 0 deletions verifiers/utils/builder.go
Expand Up @@ -150,3 +150,26 @@ func IsValidBuilderTag(ref string, testing bool) error {
}
return nil
}

func IsValidJreleaserBuilderTag(ref string) error {
// Extract the pin.
pin, err := TagFromGitRef(ref)
if err != nil {
return err
}

// Valid semver of the form vX.Y.Z-<language> with no metadata.
// NOTE: When adding a language, update the corresponding
// unit test.
languages := map[string]bool{
"-java": true,
}
_, validLanguage := languages[semver.Prerelease(pin)]
if !semver.IsValid(pin) ||
len(strings.Split(pin, ".")) != 3 ||
!validLanguage ||
semver.Build(pin) != "" {
return fmt.Errorf("%w: %s: not of the form vX.Y.Z-<language>", serrors.ErrorInvalidRef, pin)
}
return nil
}
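Review bot: `IsValidJreleaserBuilderTag` is exported but has no doc comment, and the contract it enforces is easy to get wrong from the name alone. I would add `// IsValidJreleaserBuilderTag returns nil if ref is a git tag ref whose tag is a semver of the form vX.Y.Z-<language> with no build metadata, where <language> is one of the supported JReleaser languages (currently only java); any other ref yields serrors.ErrorInvalidRef.` The `languages` map is rebuilt on every call; hoisting it to a package-level `var jreleaserLanguages = map[string]struct{}{"-java": {}}` keeps the allow-list in one visible place and makes the "update the unit test" note easier to act on. The `strings.Split(pin, ".")` count of 3 is what rejects dotted pre-release identifiers such as `-rc.0`; a short comment saying so would save the next reader a test run.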
65 changes: 60 additions & 5 deletions verifiers/utils/builder_test.go
Expand Up @@ -672,11 +672,6 @@ func Test_IsValidBuilderTag(t *testing.T) {
ref: "refs/tags/v1",
err: serrors.ErrorInvalidRef,
},
{
name: "valid semver: no minor",
ref: "refs/tags/v1",
err: serrors.ErrorInvalidRef,
},
{
name: "valid semver: pre-release",
ref: "refs/tags/v1.2.3-rc.0",
Expand Down Expand Up @@ -770,3 +765,63 @@ func Test_IsValidBuilderTag(t *testing.T) {
})
}
}

func Test_IsValidJreleaserBuilderTag(t *testing.T) {
t.Parallel()
tests := []struct {
name string
ref string
err error
}{
{
name: "valid full semver and language",
ref: "refs/tags/v1.2.3-java",
},
{
name: "valid semver: no patch",
ref: "refs/tags/v1.2-java",
err: serrors.ErrorInvalidRef,
},
{
name: "valid semver: no minor",
ref: "refs/tags/v1-java",
err: serrors.ErrorInvalidRef,
},
{
name: "valid semver: pre-release",
ref: "refs/tags/v1.2.3-rc.0+java",
err: serrors.ErrorInvalidRef,
},
{
name: "valid semver: pre-release w/ build",
ref: "refs/tags/v1.2.3-rc.0+build1",
err: serrors.ErrorInvalidRef,
},
{
name: "valid semver: build",
ref: "refs/tags/v1.2.3-java+build1",
err: serrors.ErrorInvalidRef,
},
{
name: "invalid semver",
ref: "refs/tags/1.2.3-java",
err: serrors.ErrorInvalidRef,
},
{
name: "invalid ref",
ref: "refs/v1.2.3-java",
err: serrors.ErrorInvalidRef,
},
}
for _, tt := range tests {
tt := tt // Re-initializing variable so it is not changed while executing the closure below

t.Run(tt.name, func(t *testing.T) {
t.Parallel()
err := IsValidJreleaserBuilderTag(tt.ref)
if !cmp.Equal(err, tt.err, cmpopts.EquateErrors()) {
t.Errorf(cmp.Diff(err, tt.err))
}
})
}
}
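Review bot: None of the error cases in `Test_IsValidJreleaserBuilderTag` exercise the `!validLanguage` branch on its own: every rejected ref here also fails `semver.IsValid`, the dotted-part count, or the build-metadata check, so a regression that accepts an unknown language suffix would not be caught. I would add cases such as `{name: "valid semver: unsupported language", ref: "refs/tags/v1.2.3-rust", err: serrors.ErrorInvalidRef},` and `{name: "valid semver: no language", ref: "refs/tags/v1.2.3", err: serrors.ErrorInvalidRef},`, and a `v1.2.3-rc` case to cover a non-language pre-release without build metadata. `t.Errorf(cmp.Diff(err, tt.err))` passes a non-constant format string, which `go vet` flags; `t.Errorf("%s", cmp.Diff(err, tt.err))` avoids that.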

