@@ -625,6 +625,20 @@ func getAsString(environment map[string]interface{}, field string) (string, erro
625625 return i , nil
626626}
627627
628+ func getEventPayload (environment map [string ]interface {}) (map [string ]interface {}, error ) {
629+ eventPayload , ok := environment ["github_event_payload" ]
630+ if ! ok {
631+ return nil , fmt .Errorf ("%w: %s" , ErrorInvalidDssePayload , "parameters type event payload" )
632+ }
633+
634+ payload , ok := eventPayload .(map [string ]interface {})
635+ if ! ok {
636+ return nil , fmt .Errorf ("%w: %s" , ErrorInvalidDssePayload , "parameters type payload" )
637+ }
638+
639+ return payload , nil
640+ }
641+
628642func getBaseRef (environment map [string ]interface {}) (string , error ) {
629643 baseRef , err := getAsString (environment , "github_base_ref" )
630644 if err != nil {
@@ -638,7 +652,7 @@ func getBaseRef(environment map[string]interface{}) (string, error) {
638652
639653 // Look at the event payload instead.
640654 // We don't do that for all triggers because the payload
641- // is event-specific; and only the `push` event seems to have a `base_ref`` .
655+ // is event-specific; and only the `push` event seems to have a `base_ref`.
642656 eventName , err := getAsString (environment , "github_event_name" )
643657 if err != nil {
644658 return "" , err
@@ -648,17 +662,57 @@ func getBaseRef(environment map[string]interface{}) (string, error) {
648662 return "" , nil
649663 }
650664
651- eventPayload , ok := environment ["github_event_payload" ]
665+ payload , err := getEventPayload (environment )
666+ if err != nil {
667+ return "" , err
668+ }
669+
670+ return getAsString (payload , "base_ref" )
671+ }
672+
673+ func getTargetCommittish (environment map [string ]interface {}) (string , error ) {
674+ eventName , err := getAsString (environment , "github_event_name" )
675+ if err != nil {
676+ return "" , err
677+ }
678+
679+ if eventName != "release" {
680+ return "" , nil
681+ }
682+
683+ payload , err := getEventPayload (environment )
684+ if err != nil {
685+ return "" , err
686+ }
687+
688+ // For a release event, we look for release.target_commitish.
689+ releasePayload , ok := payload ["release" ]
652690 if ! ok {
653- return "" , fmt .Errorf ("%w: %s" , ErrorInvalidDssePayload , "parameters type event payload" )
691+ return "" , fmt .Errorf ("%w: %s" , ErrorInvalidDssePayload , "release absent from payload" )
654692 }
655693
656- payload , ok := eventPayload .(map [string ]interface {})
694+ release , ok := releasePayload .(map [string ]interface {})
657695 if ! ok {
658- return "" , fmt .Errorf ("%w: %s" , ErrorInvalidDssePayload , "parameters type payload " )
696+ return "" , fmt .Errorf ("%w: %s" , ErrorInvalidDssePayload , "parameters type releasePayload " )
659697 }
660698
661- return getAsString (payload , "base_ref" )
699+ branch , err := getAsString (release , "target_commitish" )
700+ if err != nil {
701+ return "" , fmt .Errorf ("%w: %s" , err , "target_commitish not present" )
702+ }
703+
704+ return "refs/heads/" + branch , nil
705+ }
706+
707+ func getBranchForTag (environment map [string ]interface {}) (string , error ) {
708+ // First try the base_ref.
709+ branch , err := getBaseRef (environment )
710+ if branch != "" || err != nil {
711+ return branch , err
712+ }
713+
714+ // Second try the target comittish.
715+ return getTargetCommittish (environment )
662716}
663717
664718// Get tag from the provenance invocation parameters.
@@ -720,7 +774,7 @@ func getBranch(env *dsselib.Envelope) (string, error) {
720774 case "branch" :
721775 return getAsString (environment , "github_ref" )
722776 case "tag" :
723- return getBaseRef (environment )
777+ return getBranchForTag (environment )
724778 default :
725779 return "" , fmt .Errorf ("%w: %s %s" , ErrorInvalidDssePayload ,
726780 "unknown ref type" , refType )
0 commit comments