update

Signed-off-by: laurentsimon <[email protected]>
slsa-framework · Dec 21, 2022 · 38b44c9 · 38b44c9
1 parent 78eb34b
commit 38b44c9
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 7 deletions.
diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml
@@ -108,10 +108,8 @@ jobs:
           slsa-runner-label: "ubuntu-latest"
           slsa-build-action-path: "./actions/build-artifacts-composite"
           slsa-workflow-inputs: "{\"name1\":\"value1\",\"name2\":\"value2\",\"private-repository\":true}"
-
       - env:
           SLSA_TOKEN: ${{ steps.setup.outputs.slsa-token }}
-          CONTEXT: ${{ github.context }}
         run: |
           set -euo pipefail
 
@@ -128,18 +126,43 @@ jobs:
           echo "decoded_token:"
           echo "$decoded_token"
 
+          # Non-GitHub's information.
           audience=$(echo "$decoded_token" | jq -r '.builder.audience')
           runner_label=$(echo "$decoded_token" | jq -r '.builder."runner-label"')
           private_repository=$(echo "$decoded_token" | jq -r '.builder."private-repository"')
           action_path=$(echo "$decoded_token" | jq -r '.tool.actions."build-artifacts".path')
           inputs=$(echo "$decoded_token" | jq -rc '.tool.inputs')
+          
+          # GitHub's information.
           run_attempt=$(echo "$decoded_token" | jq -r '.github.run_attempt')
           run_id=$(echo "$decoded_token" | jq -r '.github.run_id')
           run_number=$(echo "$decoded_token" | jq -r '.github.run_number')
           sha=$(echo "$decoded_token" | jq -r '.github.sha')
           workflow=$(echo "$decoded_token" | jq -r '.github.workflow')
-
-          [[ "$audience" == "delegated_generic_slsa3.yml" ]]
+          event_name=$(echo "$decoded_token" | jq -r '.github.event_name')
+          repository=$(echo "$decoded_token" | jq -r '.github.repository')
+          repository_owner=$(echo "$decoded_token" | jq -r '.github.repository_owner')
+          ref=$(echo "$decoded_token" | jq -r '.github.ref')
+          ref_type=$(echo "$decoded_token" | jq -r '.github.ref_type')
+          actor=$(echo "$decoded_token" | jq -r '.github.actor')
+
+          echo "audience: $audience"
+          echo "runner_label: $runner_label"
+          echo "private_repository: $private_repository"
+          echo "action_path: $action_path"
+          echo "inputs: $inputs"
+          echo "run_attempt: $run_attempt - $GITHUB_RUN_ATTEMPT"
+          echo "run_id: $run_id - $GITHUB_RUN_ID"
+          echo "run_number: $run_number - $GITHUB_RUN_NUMBER"
+          echo "sha: $sha - $GITHUB_SHA"
+          echo "workflow: $workflow - $GITHUB_WORKFLOW"
+          echo "event_name: $event_name - $GITHUB_EVENT_NAME"
+          echo "repository: $repository - $GITHUB_REPOSITORY"
+          echo "repository_owner: $repository_owner - $GITHUB_REPOSITORY_OWNER"
+          echo "ref: $ref - $GITHUB_REF"
+          echo "ref_type: $ref_type - $GITHUB_REF_TYPE"
+          
+          [[ "$audience" == "delegator_generic_slsa3.yml" ]]
           [[ "$run_attempt" == "$GITHUB_RUN_ATTEMPT" ]]
           [[ "$run_number" == "$GITHUB_RUN_NUMBER" ]]
           [[ "$run_id" == "$GITHUB_RUN_ID" ]]
@@ -148,7 +171,12 @@ jobs:
           [[ "$runner_label" == "ubuntu-latest" ]]
           [[ "$private_repository" == "true" ]]
           [[ "$action_path" == "./actions/build-artifacts-composite" ]]
-          [[ "$inputs" == "{\"name1\":\"value1\",\"name2\":\"value2\",\"private-repository\":true}" ]]
+          [[ "$inputs" == '{"name1":"value1","name2":"value2","private-repository":true}' ]]
+          [[ "$event_name" == "$GITHUB_EVENT_NAME" ]]
+          [[ "$repository" == "$GITHUB_REPOSITORY" ]]
+          [[ "$repository_owner" == "$GITHUB_REPOSITORY_OWNER" ]]
+          [[ "$ref" == "$GITHUB_REF" ]]
+          [[ "$ref_type" == "$GITHUB_REF_TYPE" ]]
 
   references:
     runs-on: ubuntu-latest

diff --git a/actions/setup-token/action.yml b/actions/setup-token/action.yml
@@ -29,7 +29,7 @@ inputs:
       The runner label to run the callback Action (`slsa-build-action-path`) on.
     type: choice
     options:
-    - ubuntu-latest
+      - ubuntu-latest
     required: true
 
   slsa-workflow-inputs:

diff --git a/actions/setup-token/src/main.ts b/actions/setup-token/src/main.ts
@@ -63,12 +63,21 @@ async function run(): Promise<void> {
       },
       github: {
         // TODO: Re-evaluate if we need the context.
-        context: github.context,
+        context: github,
+        event_name: process.env.GITHUB_EVENT_NAME,
         run_attempt: process.env.GITHUB_RUN_ATTEMPT,
         run_id: process.env.GITHUB_RUN_ID,
         run_number: process.env.GITHUB_RUN_NUMBER,
         workflow: process.env.GITHUB_WORKFLOW,
         sha: process.env.GITHUB_SHA,
+        repository: process.env.GITHUB_REPOSITORY,
+        repository_owner: process.env.GITHUB_REPOSITORY_OWNER,
+        // TODO: enable if these become available.
+        // repository_id: process.env.GITHUB_REPOSITORY_ID,
+        // repository_owner_id: process.env.GITHUB_REPOSITORY_OWNER_ID,
+        ref: process.env.GITHUB_REF,
+        ref_type: process.env.GITHUB_REF_TYPE,
+        actor: process.env.GITHUB_ACTOR,
       },
       tool: {
         actions: {