Fix installer: Add arguments to actions/checkout so that it checks ou… (#319)

* Fix installer: Add arguments to actions/checkout so that it checks out slsa-framework/slsa-verifier instead of the repo using the Action.

Signed-off-by: kpk47 <[email protected]>

* Switch to JS action

* rebuild TS

Signed-off-by: kpk47 <[email protected]>

Author: kpk47

actions/installer/action.yml

@@ -17,32 +17,10 @@ description: 'Installs SLSA verifier and adds it to your PATH'
 branding:
   icon: 'package'
   color: 'blue'
+inputs:
+  github-token:
+    description: 'GitHub token'
+    required: true
 runs:
-  using: 'composite'
-  steps:
-    - name: Checkout
-      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
-
-    - name: Setup Node.js 16
-      uses: actions/setup-node@969bd2663942d722d85b6a8626225850c2f7be4b # tag=v3.5.0
-      with:
-        node-version: 16
-
-    - name: Install dependencies
-      working-directory: actions/installer
-      shell: bash
-      run: npm ci
-
-    - name: Run build
-      working-directory: actions/installer
-      shell: bash
-      run: npm run build
-
-    - name: Run installer
-      env:
-        ACTION_REF: "${{ github.action_ref }}"
-        TOKEN: "${{ github.token }}"
-        REPOSITORY: "${{ github.repository }}"
-      working-directory: actions/installer/dist
-      shell: bash
-      run: nodejs index.js 
+  using: 'node16'
+  main: 'dist/index.js'

actions/installer/dist/index.js

@@ -81,18 +81,15 @@ function getVerifierVersion(actionRef) {
         // If actionRef is a commit SHA, then find the associated version number.
         const shaRe = /^[a-f\d]{40}$/;
         if (shaRe.test(actionRef)) {
-            const octokit = github.getOctokit(process.env.TOKEN || "");
-            const { data: releases } = yield octokit.request("GET /repos/{repository}/releases", {
-                repository: process.env.REPOSITORY,
+            const octokit = github.getOctokit(core.getInput("github-token"));
+            const { data: tags } = yield octokit.request("GET /repos/{owner}/{repository}/tags", {
+                owner: "slsa-framework",
+                repository: "slsa-verifier",
             });
-            for (const release of releases) {
-                const { data: commit } = yield octokit.request("GET /reps/{repository}/git/ref/tags/{tagName}", {
-                    repository: process.env.REPOSITORY,
-                    tagName: release.tag_name,
-                });
-                const commitSha = commit.object.sha;
+            for (const tag of tags) {
+                const commitSha = tag.commit.sha;
                 if (commitSha === actionRef) {
-                    return release.tag_name;
+                    return tag.name;
                 }
             }
         }
@@ -123,7 +120,7 @@ function cleanup() {
 function run() {
     return __awaiter(this, void 0, void 0, function* () {
         // Get requested verifier version and validate
-        const actionRef = process.env.ACTION_REF || "";
+        const actionRef = process.env.GITHUB_ACTION_REF || "";
         let version;
         try {
             version = yield getVerifierVersion(actionRef);

actions/installer/dist/index.js.map

@@ -11,14 +11,16 @@
     "package": "ncc build --source-map",
     "lint": "eslint src/**/*.ts",
     "build": "npm run compile && npm run package",
+    "start": "node lib/index.js",
     "all": "npm run compile && npm run format && npm run lint && npm run test && npm run package"
   },
   "dependencies": {
     "@actions/core": "^1.9.1",
     "@actions/exec": "^1.1.1",
     "@actions/github": "^5.0.3",
     "@actions/io": "^1.1.2",
-    "@actions/tool-cache": "^2.0.1"
+    "@actions/tool-cache": "^2.0.1",
+    "nodejs": "^0.0.0"
   },
   "devDependencies": {
     "@types/jasmine": "4.3.0",

actions/installer/package-lock.json

@@ -43,24 +43,18 @@ export async function getVerifierVersion(actionRef: string): Promise<string> {
   // If actionRef is a commit SHA, then find the associated version number.
   const shaRe = /^[a-f\d]{40}$/;
   if (shaRe.test(actionRef)) {
-    const octokit = github.getOctokit(process.env.TOKEN || "");
-    const { data: releases } = await octokit.request(
-      "GET /repos/{repository}/releases",
+    const octokit = github.getOctokit(core.getInput("github-token"));
+    const { data: tags } = await octokit.request(
+      "GET /repos/{owner}/{repository}/tags",
       {
-        repository: process.env.REPOSITORY,
+        owner: "slsa-framework",
+        repository: "slsa-verifier",
       }
     );
-    for (const release of releases) {
-      const { data: commit } = await octokit.request(
-        "GET /reps/{repository}/git/ref/tags/{tagName}",
-        {
-          repository: process.env.REPOSITORY,
-          tagName: release.tag_name,
-        }
-      );
-      const commitSha = commit.object.sha;
+    for (const tag of tags) {
+      const commitSha = tag.commit.sha;
       if (commitSha === actionRef) {
-        return release.tag_name;
+        return tag.name;
       }
     }
   }
@@ -94,7 +88,7 @@ async function cleanup(): Promise<void> {
 
 async function run(): Promise<void> {
   // Get requested verifier version and validate
-  const actionRef = process.env.ACTION_REF || "";
+  const actionRef = process.env.GITHUB_ACTION_REF || "";
   let version: string;
   try {
     version = await getVerifierVersion(actionRef);