Remove ref for internal action calls (#1075)

* Remove ref for actions and checkout the builder repo instead

* fixes

* update

* pre submits

* update

* update

* update

Author: laurentsimon

.github/actions/generate-builder/action.yml

@@ -33,11 +33,16 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - name: Checkout the Go builder repository
-      uses: slsa-framework/slsa-github-generator/.github/actions/checkout-go@c2e7da4c53f2703d9af77f8d1483078c8fd3477e
+    - name: Checkout builder repository
+      uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
       with:
         repository: ${{ inputs.repository }}
         ref: ${{ inputs.ref }}
+        path: __BUILDER_CHECKOUT_DIR__
+
+    - name: Set up Go environment
+      uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # tag=v3.3.0
+      with:
         go-version: ${{ inputs.go-version }}
 
     - name: Generate builder
@@ -59,10 +64,10 @@ runs:
         BUILDER_DIR: "${{ inputs.directory }}"
         # Needed for the gh CLI used in builder-fetch.sh.
         GH_TOKEN: "${{ inputs.token }}"
-      run: ./.github/actions/generate-builder/generate-builder.sh
+      run: ./__BUILDER_CHECKOUT_DIR__/.github/actions/generate-builder/generate-builder.sh
 
     - name: Compute sha256 of builder
-      uses: slsa-framework/slsa-github-generator/.github/actions/compute-sha256@e3220805577deb9d193f64e519abcb3b50851df5
+      uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/compute-sha256
       id: compute
       with:
         path: "${{ inputs.binary }}"

.github/actions/secure-builder-checkout/action.yaml

@@ -0,0 +1,33 @@
+name: "secure-builder-checkout"
+description: "Checkout the builder repository"
+
+inputs:
+  repository:
+    description: "The repository to check out."
+    required: true
+  ref:
+    description: "The ref to checkout."
+    required: true
+  path:
+    # Same argument to https://github.com/actions/checkout.
+    description: "Relative path under $GITHUB_WORKSPACE to place the repository."
+    required: true
+  token:
+    description: "Token used to fetch the repository."
+    required: false
+    default: ${{ github.token }}
+runs:
+  using: "composite"
+  steps:
+    # TODO(968): verify the hash is on the main branch
+    # and has an associated release. This will require exceptions
+    # for e2e tests.
+    - name: Checkout the repository
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+      with:
+        repository: ${{ inputs.repository }}
+        ref: ${{ inputs.ref }}
+        token: ${{ inputs.token }}
+        path: ${{ inputs.path }}
+        persist-credentials: false
+        fetch-depth: 1

.github/actions/secure-checkout/action.yaml

@@ -24,6 +24,16 @@ runs:
       run: |
         set -euo pipefail
 
+        # Check that the name of the path does not clash with the
+        # directory where the builder code is stored.
+        echo "$UNTRUSTED_PATH" | grep __BUILDER_CHECKOUT_DIR__
+        exit_status=$?
+        if [ $exit_status -eq 0 ]; then
+            echo "\"$UNTRUSTED_PATH\" contains '__BUILDER_CHECKOUT_DIR__'"
+            exit 1
+        fi
+
+        # Ensure we don't overwrite existing files.
         if [ -e "$UNTRUSTED_PATH" ]; then
             echo "Path $UNTRUSTED_PATH already exists"
             exit 5
@@ -36,10 +46,13 @@ runs:
 
     - name: Compute the hash
       id: compute
-      uses: slsa-framework/slsa-github-generator/.github/actions/compute-sha256@e3220805577deb9d193f64e519abcb3b50851df5
+      uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/compute-sha256
       with:
         path: "${{ inputs.path }}"
 
+    # Note: this assumes to top-level re-usable workflow
+    # has checkout'ed the builder repository using
+    # `.github/actions/secure-builder-checkout`.
     - name: Verify the SHA256
       env:
         UNTRUSTED_EXPECTED_HASH: "${{ inputs.sha256 }}"

.github/actions/secure-download-artifact/action.yml

@@ -22,8 +22,11 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Checkout the repository with user SHA
-      uses: slsa-framework/slsa-github-generator/.github/actions/secure-checkout@ea457948e6a989e9818304dcb4f15fb4ce6765d6
+    # Note: this assumes to top-level re-usable workflow
+    # has checkout'ed the builder repository using
+    # `.github/actions/secure-builder-checkout`.
+    - name: Checkout the repository with user ref
+      uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/secure-project-checkout
       with:
         repository: ${{ inputs.repository }}
         ref: ${{ inputs.ref }}

.github/actions/checkout-go/action.yml renamed to .github/actions/secure-project-checkout-go/action.yml

@@ -22,8 +22,11 @@ inputs:
 runs:
   using: "composite"
   steps:
+    # Note: this assumes to top-level re-usable workflow
+    # has checkout'ed the builder repository using
+    # `.github/actions/secure-builder-checkout`.
     - name: Checkout the repository with user ref
-      uses: slsa-framework/slsa-github-generator/.github/actions/secure-checkout@ea457948e6a989e9818304dcb4f15fb4ce6765d6
+      uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/secure-project-checkout
       with:
         repository: ${{ inputs.repository }}
         ref: ${{ inputs.ref }}

.github/actions/checkout-node/action.yml renamed to .github/actions/secure-project-checkout-node/action.yml

@@ -0,0 +1,46 @@
+name: "secure-project-checkout"
+description: "Checkout a project and verify its commit sha"
+
+inputs:
+  # the token is not available to actions by defaults, so we need to
+  # share it explicitly. The token is needed to checkout private repositories.
+  token:
+    description: "Token used to fetch the repository."
+    required: false
+    default: ${{ github.token }}
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout the repository
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+      with:
+        fetch-depth: 1
+        # Different from default actions/checkout which defaults to `true`.
+        persist-credentials: false
+        token: ${{ inputs.token }}
+
+    - name: Verify commit sha
+      shell: bash
+      env:
+        CONTEXT: "${{ toJSON(github) }}"
+        # Exception for pull requests: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
+        PULL_REQUEST_SHA: "${{ github.event.pull_request.head.sha }}"
+      run: |
+        set -euo pipefail
+
+        git_sha="$(git log -1 --format='%H')"
+        github_sha="$GITHUB_SHA"
+
+        if [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
+          github_sha="$PULL_REQUEST_SHA"
+        fi
+
+        if [[ "$git_sha" != "$github_sha" ]]; then
+            echo "mismatch git sha \"$git_sha\" != \"$github_sha\""
+            echo "GitHub context:"
+            echo "$CONTEXT"
+            echo
+            echo "Last 20 commits:"
+            git log -20
+            exit 1
+        fi

.github/actions/secure-project-checkout/action.yaml

@@ -16,9 +16,12 @@ outputs:
 runs:
   using: "composite"
   steps:
+    # Note: this assumes to top-level re-usable workflow
+    # has checkout'ed the builder repository using
+    # `.github/actions/secure-builder-checkout`.
     - name: Compute binary hash
       id: compute-digest
-      uses: slsa-framework/slsa-github-generator/.github/actions/compute-sha256@e3220805577deb9d193f64e519abcb3b50851df5
+      uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/compute-sha256
       with:
         path: "${{ inputs.path }}"
 

.github/actions/secure-upload-artifact/action.yml

@@ -15,7 +15,8 @@ results=$(
         --include='*.yml' \
         --include='*.yaml' \
         --exclude-dir='node_modules' \
-        --exclude-dir='secure-checkout' \
+        --exclude-dir='secure-project-checkout' \
+        --exclude-dir='secure-builder-checkout' \
         -e 'uses: *actions/checkout' \
         .github/actions/* || true
 )