fix attester id

Signed-off-by: Brian DeHamer <bdehamer@github.com>
Brian DeHamer
2026-01-29 17:15:04 -08:00
parent 799667e711
commit 648860c1d2
6 changed files with 58 additions and 18 deletions
+1 -1
@@ -2,7 +2,7 @@ module.exports = {
context: {
repo: { owner: 'test-owner', repo: 'test-repo' },
runId: 12345,
workflow: 'ci.yml'
serverUrl: 'https://github.com'
},
getOctokit: jest.fn()
}
+12 -2
@@ -77,7 +77,12 @@ describe('SBOM Action', () => {
}
getInputMock.mockImplementation(mockInput(inputs))
const originalEnv = process.env
process.env = { ...originalEnv, RUNNER_TEMP: '/tmp' }
process.env = {
...originalEnv,
RUNNER_TEMP: '/tmp',
GITHUB_WORKFLOW_REF:
'test-owner/test-repo/.github/workflows/ci.yml@refs/heads/main'
}
// Run the main function
await main.run()
@@ -145,7 +150,12 @@ describe('SBOM Action', () => {
}
getInputMock.mockImplementation(mockInput(inputs))
const originalEnv = process.env
process.env = { ...originalEnv, RUNNER_TEMP: '/tmp' }
process.env = {
...originalEnv,
RUNNER_TEMP: '/tmp',
GITHUB_WORKFLOW_REF:
'test-owner/test-repo/.github/workflows/ci.yml@refs/heads/main'
}
// Mock release not found
mockGetReleaseByTag.mockRejectedValue({ status: 404 })
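Review bot: Neither updated test covers the new failure path in run() that throws `Missing GITHUB_WORKFLOW_REF environment variable`; both cases at the `process.env = { ... }` assignments now set the variable, so the guard is never exercised. Add a third case that builds `process.env` from `originalEnv` with `GITHUB_WORKFLOW_REF` deleted and asserts that run() surfaces the error (whether it rejects or reports through the action's failure hook depends on code outside this hunk). Both hunks also replace `process.env` wholesale; the `originalEnv` capture suggests a restore elsewhere, but it is not visible here, so the new key may leak into later tests if the restore is missing.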
+21 -5
@@ -13,17 +13,33 @@ describe('generateAssetName', () => {
})
describe('buildAttesterId', () => {
it('builds correct attester ID URL', () => {
const result = buildAttesterId('octocat', 'hello-world', 'ci.yml')
it('builds correct attester ID URL from workflow ref', () => {
const result = buildAttesterId(
'https://github.com',
'octocat/hello-world/.github/workflows/ci.yml@refs/heads/main'
)
expect(result).toBe(
'https://github.com/octocat/hello-world/.github/workflows/ci.yml'
)
})
it('handles workflow names with spaces', () => {
const result = buildAttesterId('owner', 'repo', 'Build and Test.yml')
it('handles workflow refs with tags', () => {
const result = buildAttesterId(
'https://github.com',
'owner/repo/.github/workflows/release.yml@refs/tags/v1.0.0'
)
expect(result).toBe(
'https://github.com/owner/repo/.github/workflows/Build and Test.yml'
'https://github.com/owner/repo/.github/workflows/release.yml'
)
})
it('handles enterprise server URLs', () => {
const result = buildAttesterId(
'https://github.example.com',
'owner/repo/.github/workflows/build.yml@refs/heads/main'
)
expect(result).toBe(
'https://github.example.com/owner/repo/.github/workflows/build.yml'
)
})
})
Generated Vendored
+11 -4
@@ -58393,13 +58393,17 @@ async function run() {
// Get context for release upload
const { owner, repo } = github.context.repo;
const runId = github.context.runId;
const workflow = github.context.workflow;
const serverUrl = github.context.serverUrl;
const workflowRef = process.env.GITHUB_WORKFLOW_REF;
if (!workflowRef) {
throw new Error('Missing GITHUB_WORKFLOW_REF environment variable');
}
// Upload SBOM to release
core.debug('Uploading SBOM to release');
const octokit = github.getOctokit(token);
const { downloadUrl } = await (0, release_1.uploadSBOMToRelease)(octokit, owner, repo, runId, sbomPath);
// Generate reference predicate
const attesterId = (0, release_1.buildAttesterId)(owner, repo, workflow);
const attesterId = (0, release_1.buildAttesterId)(serverUrl, workflowRef);
const mediaType = (0, reference_1.getMediaType)(sbom.type);
const predicate = (0, reference_1.generateReferencePredicate)({
attesterId,
@@ -58542,8 +58546,11 @@ function generateAssetName(runId, sbomPath) {
const originalName = path_1.default.basename(sbomPath);
return `${runId}-${originalName}`;
}
function buildAttesterId(owner, repo, workflow) {
return `https://github.com/${owner}/${repo}/.github/workflows/${workflow}`;
function buildAttesterId(serverUrl, workflowRef) {
// workflowRef is in the format: owner/repo/.github/workflows/file.yml@refs/heads/branch
// Extract just the owner/repo/.github/workflows/file.yml part
const workflowPath = workflowRef.split('@')[0];
return `${serverUrl}/${workflowPath}`;
}
+7 -2
@@ -27,7 +27,12 @@ export async function run(): Promise<void> {
// Get context for release upload
const { owner, repo } = github.context.repo
const runId = github.context.runId
const workflow = github.context.workflow
const serverUrl = github.context.serverUrl
const workflowRef = process.env.GITHUB_WORKFLOW_REF
if (!workflowRef) {
throw new Error('Missing GITHUB_WORKFLOW_REF environment variable')
}
// Upload SBOM to release
core.debug('Uploading SBOM to release')
@@ -41,7 +46,7 @@ export async function run(): Promise<void> {
)
// Generate reference predicate
const attesterId = buildAttesterId(owner, repo, workflow)
const attesterId = buildAttesterId(serverUrl, workflowRef)
const mediaType = getMediaType(sbom.type)
const predicate = generateReferencePredicate({
attesterId,
+6 -4
@@ -81,9 +81,11 @@ export function generateAssetName(runId: number, sbomPath: string): string {
}
export function buildAttesterId(
owner: string,
repo: string,
workflow: string
serverUrl: string,
workflowRef: string
): string {
return `https://github.com/${owner}/${repo}/.github/workflows/${workflow}`
// workflowRef is in the format: owner/repo/.github/workflows/file.yml@refs/heads/branch
// Extract just the owner/repo/.github/workflows/file.yml part
const workflowPath = workflowRef.split('@')[0]
return `${serverUrl}/${workflowPath}`
}
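Review bot: buildAttesterId trusts the shape documented in its comment but never checks it: `workflowRef.split('@')[0]` silently accepts a value with no `@` (the whole string becomes the path), an empty path, or a string that is not an `owner/repo/.github/workflows/...` path, and a `serverUrl` with a trailing slash yields `https://host//owner/...`. Because the result becomes the attester identity recorded in the reference predicate (the `attesterId` field in the run() hunk above), a malformed environment value should be rejected rather than turned into a plausible-looking but wrong identifier. Under `noUncheckedIndexedAccess` the `[0]` index is also `string | undefined`, so a guard is needed for the compiler as well. The new tests in the release test section only cover well-formed refs; a case for a ref without `@` and one for a trailing-slash server URL would pin the intended behaviour.
```typescript
export function buildAttesterId(
  serverUrl: string,
  workflowRef: string
): string {
  // workflowRef is in the format: owner/repo/.github/workflows/file.yml@refs/heads/branch
  const [workflowPath, gitRef] = workflowRef.split('@')
  if (!workflowPath || !gitRef || !workflowPath.includes('/.github/workflows/')) {
    throw new Error(`Unexpected GITHUB_WORKFLOW_REF format: ${workflowRef}`)
  }
  // Tolerate a trailing slash on the server URL so the path is not doubled
  return `${serverUrl.replace(/\/+$/, '')}/${workflowPath}`
}
```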