
set workflow.ref provenance field from ref claim #1969

Merged: 1 commit, Feb 26, 2025

Conversation

bdehamer (Contributor)

@bdehamer bdehamer commented Feb 26, 2025

Updates the buildSLSAProvenancePredicate function in the @actions/attest package to populate the workflow.ref field from the ref claim in the OIDC token.

For most events which trigger a workflow run (push, release, workflow_dispatch, etc.) this will have no impact on the generated predicate statement. For other events which may be triggered from ref-less commits, this will ensure that the populated value more accurately reflects the state of the workflow run.

Updates the `buildSLSAProvenancePredicate` function to populate the
`workflow.ref` field from the `ref` claim in the OIDC token.

Signed-off-by: Brian DeHamer <bdehamer@github.com>
@bdehamer bdehamer force-pushed the bdehamer/workflow-ref branch from c59c9d5 to 0bc338a on February 26, 2025 16:47
@bdehamer bdehamer marked this pull request as ready for review February 26, 2025 16:48
@bdehamer bdehamer requested a review from a team as a code owner February 26, 2025 16:48
Comment on lines 78 to 87 (removed in this PR)

it('handle tags including "@" character', async () => {
  nock.cleanAll()
  await mockIssuer({
    ...claims,
    workflow_ref: 'owner/repo/.github/workflows/main.yml@foo@1.0.0'
  })
  const predicate = await buildSLSAProvenancePredicate()
  expect(predicate).toMatchSnapshot()
})
bdehamer (Contributor, Author) commented:

This test was specifically handling the scenario where the ref was parsed from the workflow_ref claim and is no longer necessary since we no longer need to extract this value.
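The following is an added example and is not code from @actions/attest or from this PR. It models the two strategies discussed in this thread: parsing the ref out of the tail of the `workflow_ref` claim (the reason the deleted "@"-in-tag test existed), versus reading it directly from the OIDC `ref` claim as this PR does. The `IDTokenClaims` and `WorkflowParams` shapes, the `SERVER_URL` constant, the helper names and all sample claims are assumptions constructed for illustration; the exact code in the package may differ.

```typescript
// Added example, not code from @actions/attest. It contrasts deriving the
// predicate's `workflow.ref` from the `workflow_ref` claim with taking it
// straight from the OIDC `ref` claim, as the PR description describes.

// Subset of GitHub Actions OIDC token claims used here (assumed shape).
interface IDTokenClaims {
  repository: string      // "owner/repo"
  ref?: string            // "refs/heads/main", "refs/tags/v1.0.0", ...
  workflow_ref: string    // "owner/repo/.github/workflows/main.yml@<ref>"
}

// Workflow portion of the build definition's external parameters (assumed shape).
interface WorkflowParams {
  path: string
  ref: string | undefined
  repository: string
}

// Hypothetical server URL; a real run would read GITHUB_SERVER_URL.
const SERVER_URL = 'https://github.com'

// Split "owner/repo/.github/workflows/main.yml@refs/tags/foo@1.0.0" into
// path and ref. Splitting on the FIRST "@" keeps a tag such as "foo@1.0.0"
// intact; a naive split('@') destructuring would lose everything after the
// second "@". This is the edge case the deleted test covered.
function splitWorkflowRef(claims: IDTokenClaims): { path: string; ref: string } {
  const trimmed = claims.workflow_ref.replace(`${claims.repository}/`, '')
  const at = trimmed.indexOf('@')
  if (at === -1) {
    throw new Error(`workflow_ref claim has no "@": ${claims.workflow_ref}`)
  }
  return { path: trimmed.slice(0, at), ref: trimmed.slice(at + 1) }
}

// Before (illustrative reconstruction): ref parsed out of workflow_ref.
function workflowParamsFromWorkflowRef(claims: IDTokenClaims): WorkflowParams {
  const { path, ref } = splitWorkflowRef(claims)
  return { path, ref, repository: `${SERVER_URL}/${claims.repository}` }
}

// After: path still comes from workflow_ref, ref comes from the `ref` claim.
function workflowParamsFromRefClaim(claims: IDTokenClaims): WorkflowParams {
  const { path } = splitWorkflowRef(claims)
  return { path, ref: claims.ref, repository: `${SERVER_URL}/${claims.repository}` }
}

// Constructed sample claims (not captured from a real token).
// Ordinary push: both strategies agree.
const pushClaims: IDTokenClaims = {
  repository: 'owner/repo',
  ref: 'refs/heads/main',
  workflow_ref: 'owner/repo/.github/workflows/main.yml@refs/heads/main'
}

// Tag containing "@": the old strategy only works because it splits on the
// first "@"; the new strategy does not have to parse the tag at all.
const atTagClaims: IDTokenClaims = {
  repository: 'owner/repo',
  ref: 'refs/tags/foo@1.0.0',
  workflow_ref: 'owner/repo/.github/workflows/main.yml@refs/tags/foo@1.0.0'
}

// Constructed divergence between the two claims. Whether a real token for a
// ref-less run looks like this is an assumption; the point is that the two
// strategies can disagree, and the `ref` claim is the one that describes the run.
const divergingClaims: IDTokenClaims = {
  repository: 'owner/repo',
  ref: 'refs/heads/feature',
  workflow_ref: 'owner/repo/.github/workflows/main.yml@refs/heads/main'
}

// Returns true when both strategies produce the same workflow.ref.
function strategiesAgree(claims: IDTokenClaims): boolean {
  return workflowParamsFromWorkflowRef(claims).ref === workflowParamsFromRefClaim(claims).ref
}
```

The `divergingClaims` case is the one that matters for review: once `workflow.ref` is taken from the `ref` claim, a verifier comparing the predicate against a policy sees the ref the token actually asserts rather than a value reverse-engineered from a string that was only ever meant to identify the workflow file.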


@ejahnGithub ejahnGithub left a comment


LGTM!

2 participants