feat: Use tags vX.Y.Z-<language> for JReleaser builders (#644)

laurentsimon · web-flow · commit c6d12b745c52 · 2023-07-10T16:42:48.000Z
Signed-off-by: laurentsimon &lt;laurentsimon@google.com&gt;
diff --git a/verifiers/internal/gha/builder.go b/verifiers/internal/gha/builder.go
@@ -15,11 +15,12 @@ import (
 )
 
 var (
-	trustedBuilderRepository = "slsa-framework/slsa-github-generator"
-	e2eTestRepository        = "slsa-framework/example-package"
-	certOidcIssuer           = "https://token.actions.githubusercontent.com"
-	githubCom                = "github.com/"
-	httpsGithubCom           = "https://" + githubCom
+	trustedBuilderRepository  = "slsa-framework/slsa-github-generator"
+	e2eTestRepository         = "slsa-framework/example-package"
+	jReleaserActionRepository = "jreleaser/release-action"
+	certOidcIssuer            = "https://token.actions.githubusercontent.com"
+	githubCom                 = "github.com/"
+	httpsGithubCom            = "https://" + githubCom
 	// This is used in cosign's CheckOpts for validating the certificate. We
 	// do specific builder verification after this.
 	certSubjectRegexp = httpsGithubCom + "*"
@@ -40,6 +41,8 @@ var defaultBYOBReusableWorkflows = map[string]bool{
 	common.GenericLowPermsDelegatorBuilderID: true,
 }
 
+var JReleaserRepository = httpsGithubCom + jReleaserActionRepository
+
 // VerifyCertficateSourceRepository verifies the source repository.
 func VerifyCertficateSourceRepository(id *WorkflowIdentity,
 	sourceRepo string,
diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go
@@ -261,6 +261,12 @@ func isValidDelegatorBuilderID(prov iface.Provenance) error {
 	if len(parts) != 2 {
 		return fmt.Errorf("%w: %s", serrors.ErrorInvalidBuilderID, id)
 	}
+
+	// Exception for JReleaser builders.
+	// See https://github.com/slsa-framework/slsa-github-generator/issues/2035#issuecomment-1579963802.
+	if strings.HasPrefix(parts[0], JReleaserRepository) {
+		return utils.IsValidJreleaserBuilderTag(parts[1])
+	}
 	return utils.IsValidBuilderTag(parts[1], false)
 }
 
diff --git a/verifiers/utils/builder.go b/verifiers/utils/builder.go
@@ -150,3 +150,26 @@ func IsValidBuilderTag(ref string, testing bool) error {
 	}
 	return nil
 }
+
+func IsValidJreleaserBuilderTag(ref string) error {
+	// Extract the pin.
+	pin, err := TagFromGitRef(ref)
+	if err != nil {
+		return err
+	}
+
+	// Valid semver of the form vX.Y.Z-<language> with no metadata.
+	// NOTE: When adding a language, update the corresponding
+	// unit test.
+	languages := map[string]bool{
+		"-java": true,
+	}
+	_, validLanguage := languages[semver.Prerelease(pin)]
+	if !semver.IsValid(pin) ||
+		len(strings.Split(pin, ".")) != 3 ||
+		!validLanguage ||
+		semver.Build(pin) != "" {
+		return fmt.Errorf("%w: %s: not of the form vX.Y.Z-<language>", serrors.ErrorInvalidRef, pin)
+	}
+	return nil
+}
diff --git a/verifiers/utils/builder_test.go b/verifiers/utils/builder_test.go
@@ -672,11 +672,6 @@ func Test_IsValidBuilderTag(t *testing.T) {
 			ref:  "refs/tags/v1",
 			err:  serrors.ErrorInvalidRef,
 		},
-		{
-			name: "valid semver: no minor",
-			ref:  "refs/tags/v1",
-			err:  serrors.ErrorInvalidRef,
-		},
 		{
 			name: "valid semver: pre-release",
 			ref:  "refs/tags/v1.2.3-rc.0",
@@ -770,3 +765,63 @@ func Test_IsValidBuilderTag(t *testing.T) {
 		})
 	}
 }
+
+func Test_IsValidJreleaserBuilderTag(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name string
+		ref  string
+		err  error
+	}{
+		{
+			name: "valid full semver and language",
+			ref:  "refs/tags/v1.2.3-java",
+		},
+		{
+			name: "valid semver: no patch",
+			ref:  "refs/tags/v1.2-java",
+			err:  serrors.ErrorInvalidRef,
+		},
+		{
+			name: "valid semver: no minor",
+			ref:  "refs/tags/v1-java",
+			err:  serrors.ErrorInvalidRef,
+		},
+		{
+			name: "valid semver: pre-release",
+			ref:  "refs/tags/v1.2.3-rc.0+java",
+			err:  serrors.ErrorInvalidRef,
+		},
+		{
+			name: "valid semver: pre-release w/ build",
+			ref:  "refs/tags/v1.2.3-rc.0+build1",
+			err:  serrors.ErrorInvalidRef,
+		},
+		{
+			name: "valid semver: build",
+			ref:  "refs/tags/v1.2.3-java+build1",
+			err:  serrors.ErrorInvalidRef,
+		},
+		{
+			name: "invalid semver",
+			ref:  "refs/tags/1.2.3-java",
+			err:  serrors.ErrorInvalidRef,
+		},
+		{
+			name: "invalid ref",
+			ref:  "refs/v1.2.3-java",
+			err:  serrors.ErrorInvalidRef,
+		},
+	}
+	for _, tt := range tests {
+		tt := tt // Re-initializing variable so it is not changed while executing the closure below
+
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			err := IsValidJreleaserBuilderTag(tt.ref)
+			if !cmp.Equal(err, tt.err, cmpopts.EquateErrors()) {
+				t.Errorf(cmp.Diff(err, tt.err))
+			}
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -261,6 +261,12 @@ func isValidDelegatorBuilderID(prov iface.Provenance) error {`
`261`	`261`	`if len(parts) != 2 {`
`262`	`262`	`return fmt.Errorf("%w: %s", serrors.ErrorInvalidBuilderID, id)`
`263`	`263`	`}`
	`264`	`+`
	`265`	`+ // Exception for JReleaser builders.`
	`266`	`+ // See https://github.com/slsa-framework/slsa-github-generator/issues/2035#issuecomment-1579963802.`
	`267`	`+ if strings.HasPrefix(parts[0], JReleaserRepository) {`
	`268`	`+ return utils.IsValidJreleaserBuilderTag(parts[1])`
	`269`	`+ }`
`264`	`270`	`return utils.IsValidBuilderTag(parts[1], false)`
`265`	`271`	`}`
`266`	`272`