Merge pull request #1745 from actions/bdehamer/attest-provenance

(@actions/attest) New GHA provenance build type

packages/attest/RELEASES.md

@@ -3,6 +3,7 @@
 ### 1.3.0
 
 - Dynamic construction of Sigstore API URLs
+- Switch to new GH provenance build type
 - Bump @sigstore/bundle from 2.3.0 to 2.3.2
 - Bump @sigstore/sign from 2.3.0 to 2.3.2
 

packages/attest/__tests__/__snapshots__/provenance.test.ts.snap

@@ -4,7 +4,7 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance
 {
   "params": {
     "buildDefinition": {
-      "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
+      "buildType": "https://actions.github.io/buildtypes/workflow/v1",
       "externalParameters": {
         "workflow": {
           "path": ".github/workflows/main.yml",
@@ -17,6 +17,7 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance
           "event_name": "push",
           "repository_id": "repo-id",
           "repository_owner_id": "owner-id",
+          "runner_environment": "github-hosted",
         },
       },
       "resolvedDependencies": [
@@ -30,7 +31,7 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance
     },
     "runDetails": {
       "builder": {
-        "id": "https://github.com/actions/runner/github-hosted",
+        "id": "https://github.com/owner/workflows/.github/workflows/publish.yml@main",
       },
       "metadata": {
         "invocationId": "https://github.com/owner/repo/actions/runs/run-id/attempts/run-attempt",

packages/attest/__tests__/oidc.test.ts

@@ -45,7 +45,8 @@ describe('getIDTokenClaims', () => {
       sha: 'sha',
       repository: 'repo',
       event_name: 'push',
-      workflow_ref: 'main',
+      job_workflow_ref: 'job_workflow_ref',
+      workflow_ref: 'workflow',
       repository_id: '1',
       repository_owner_id: '1',
       runner_environment: 'github-hosted',

packages/attest/__tests__/provenance.test.ts

@@ -23,6 +23,7 @@ describe('provenance functions', () => {
     repository: 'owner/repo',
     ref: 'refs/heads/main',
     sha: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
+    job_workflow_ref: 'owner/workflows/.github/workflows/publish.yml@main',
     workflow_ref: 'owner/repo/.github/workflows/main.yml@main',
     event_name: 'push',
     repository_id: 'repo-id',

packages/attest/src/oidc.ts

@@ -11,6 +11,7 @@ const REQUIRED_CLAIMS = [
   'sha',
   'repository',
   'event_name',
+  'job_workflow_ref',
   'workflow_ref',
   'repository_id',
   'repository_owner_id',

packages/attest/src/provenance.ts

@@ -3,10 +3,7 @@ import {getIDTokenClaims} from './oidc'
 import type {Attestation, Predicate} from './shared.types'
 
 const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1'
-
-const GITHUB_BUILDER_ID_PREFIX = 'https://github.com/actions/runner'
-const GITHUB_BUILD_TYPE =
-  'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1'
+const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1'
 
 const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com'
 
@@ -55,7 +52,8 @@ export const buildSLSAProvenancePredicate = async (
           github: {
             event_name: claims.event_name,
             repository_id: claims.repository_id,
-            repository_owner_id: claims.repository_owner_id
+            repository_owner_id: claims.repository_owner_id,
+            runner_environment: claims.runner_environment
           }
         },
         resolvedDependencies: [
@@ -69,7 +67,7 @@ export const buildSLSAProvenancePredicate = async (
       },
       runDetails: {
         builder: {
-          id: `${GITHUB_BUILDER_ID_PREFIX}/${claims.runner_environment}`
+          id: `${serverURL}/${claims.job_workflow_ref}`
         },
         metadata: {
           invocationId: `${serverURL}/${claims.repository}/actions/runs/${claims.run_id}/attempts/${claims.run_attempt}`