

fix(publish): split github workflow ref (#6978)
Splits the GitHub workflow ref on only the first `@`, ignoring any additional `@` characters in the tag portion.
sxzz authored Nov 13, 2023
1 parent 0f70088 commit fff8698
Showing 2 changed files with 9 additions and 4 deletions.
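--- a/workspaces/libnpmpublish/lib/provenance.js
+++ b/workspaces/libnpmpublish/lib/provenance.js
@@ -19,9 +19,11 @@ const generateProvenance = async (subject, opts) => {
 let payload
 if (ci.GITHUB_ACTIONS) {
 /* istanbul ignore next - not covering missing env var case */
-const [workflowPath, workflowRef] = (env.GITHUB_WORKFLOW_REF || '')
-.replace(env.GITHUB_REPOSITORY + '/', '')
-.split('@')
+const relativeRef = (env.GITHUB_WORKFLOW_REF || '').replace(env.GITHUB_REPOSITORY + '/', '')
+const delimiterIndex = relativeRef.indexOf('@')
+const workflowPath = relativeRef.slice(0, delimiterIndex)
+const workflowRef = relativeRef.slice(delimiterIndex + 1)
+
 payload = {
 _type: INTOTO_STATEMENT_V1_TYPE,
 subject,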
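Review bot: When `relativeRef` contains no `@`, `indexOf` returns -1 and the two new `slice` calls yield a `workflowPath` missing its last character and a `workflowRef` equal to the whole string, whereas the old `split` at least left `workflowRef` undefined; both values are then written into the provenance statement's external parameters, so a malformed or absent `GITHUB_WORKFLOW_REF` would produce a plausible-looking but wrong attestation instead of a visible failure. A guard after `delimiterIndex` is computed, such as `if (delimiterIndex === -1) throw new Error('GITHUB_WORKFLOW_REF is missing the @<ref> delimiter')` (or, if a throw is too strict for this path, treating the whole string as the path and leaving the ref empty), would make that case explicit, and the istanbul comment above already acknowledges it is untested. The `indexOf` line also deserves a why-comment, e.g. `// split on the first '@' only; the ref itself may contain '@' (refs/tags/pkg@1.0.0)`. `generateProvenance` begins before this hunk and continues after it.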
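--- a/workspaces/libnpmpublish/test/publish.js
+++ b/workspaces/libnpmpublish/test/publish.js
@@ -345,7 +345,7 @@ t.test('publish existing package with provenance in gha', async t => {
 const workflowPath = '.github/workflows/publish.yml'
 const repository = 'github/foo'
 const serverUrl = 'https://github.com'
-const ref = 'refs/heads/main'
+const ref = 'refs/tags/pkg@1.0.0'
 const sha = 'deadbeef'
 const runID = '123456'
 const runAttempt = '1'
@@ -529,6 +529,9 @@ t.test('publish existing package with provenance in gha', async t => {
 t.hasStrict(provenance.predicate.buildDefinition.buildType,
 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1',
 'buildType matches expectations')
+t.hasStrict(provenance.predicate.buildDefinition.externalParameters.workflow.ref,
+'refs/tags/pkg@1.0.0',
+'workflowRef matches expectations')
 t.hasStrict(provenance.predicate.runDetails.builder.id,
 `https://github.com/actions/runner/${runnerEnv}`,
 'builder id matches expectations')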
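Review bot: The new assertion in the second hunk pins only the `ref` half of the split; asserting the `path` half next to it would also catch a regression that moves the delimiter boundary the other way (an off-by-one in the `slice` bounds) while leaving `ref` intact. Something like `t.hasStrict(provenance.predicate.buildDefinition.externalParameters.workflow.path, workflowPath, 'workflowPath matches expectations')` placed beside the new `ref` check would do, assuming the workflow object carries a `path` field as the SLSA GitHub Actions buildType defines it. The input with no `@` at all is still not exercised here, which the istanbul comment in provenance.js already concedes. The enclosing `t.test` callback starts before the first hunk and ends after the second.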
