diff --git a/workspaces/libnpmpublish/lib/provenance.js b/workspaces/libnpmpublish/lib/provenance.js
index 45fe963d5f36f..090d4cd7fe561 100644
--- a/workspaces/libnpmpublish/lib/provenance.js
+++ b/workspaces/libnpmpublish/lib/provenance.js
@@ -19,9 +19,11 @@ const generateProvenance = async (subject, opts) => {
   let payload
   if (ci.GITHUB_ACTIONS) {
     /* istanbul ignore next - not covering missing env var case */
-    const [workflowPath, workflowRef] = (env.GITHUB_WORKFLOW_REF || '')
-      .replace(env.GITHUB_REPOSITORY + '/', '')
-      .split('@')
+    const relativeRef = (env.GITHUB_WORKFLOW_REF || '').replace(env.GITHUB_REPOSITORY + '/', '')
+    const delimiterIndex = relativeRef.indexOf('@')
+    const workflowPath = relativeRef.slice(0, delimiterIndex)
+    const workflowRef = relativeRef.slice(delimiterIndex + 1)
+
     payload = {
       _type: INTOTO_STATEMENT_V1_TYPE,
       subject,
diff --git a/workspaces/libnpmpublish/test/publish.js b/workspaces/libnpmpublish/test/publish.js
index a9add4be9b5fd..584508d34fe03 100644
--- a/workspaces/libnpmpublish/test/publish.js
+++ b/workspaces/libnpmpublish/test/publish.js
@@ -345,7 +345,7 @@ t.test('publish existing package with provenance in gha', async t => {
   const workflowPath = '.github/workflows/publish.yml'
   const repository = 'github/foo'
   const serverUrl = 'https://github.com'
-  const ref = 'refs/heads/main'
+  const ref = 'refs/tags/pkg@1.0.0'
   const sha = 'deadbeef'
   const runID = '123456'
   const runAttempt = '1'
@@ -529,6 +529,9 @@ t.test('publish existing package with provenance in gha', async t => {
   t.hasStrict(provenance.predicate.buildDefinition.buildType,
     'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1',
     'buildType matches expectations')
+  t.hasStrict(provenance.predicate.buildDefinition.externalParameters.workflow.ref,
+    'refs/tags/pkg@1.0.0',
+    'workflowRef matches expectations')
   t.hasStrict(provenance.predicate.runDetails.builder.id,
     `https://github.com/actions/runner/${runnerEnv}`,
     'builder id matches expectations')
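Review bot: When `relativeRef` contains no `@` (the "missing env var" case the istanbul comment acknowledges), `indexOf` returns -1 and the two new `slice` calls silently yield a `workflowPath` with its last character cut off and a `workflowRef` equal to the whole string, so the attestation is signed with mangled external parameters instead of failing. Since this payload is a provenance statement that consumers verify, a malformed `GITHUB_WORKFLOW_REF` should be rejected rather than encoded: after the `indexOf` line add `if (delimiterIndex === -1) throw new Error(\`GITHUB_WORKFLOW_REF is not in "<path>@<ref>" form: ${relativeRef}\`)`, or, if a hard failure is not wanted here, guard the slices with `delimiterIndex === -1 ? relativeRef : …` / `… ? '' : …` so the path is never truncated. Taking the first `@` as the delimiter is the right choice given that refs such as `refs/tags/pkg@1.0.0` can themselves contain `@`, which is what the test change exercises; it would be worth a one-line comment saying so, e.g. `// split on the first '@' only: the ref portion may itself contain '@'`. The enclosing `generateProvenance` function starts before and continues past this hunk.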