✨ Allow main branch only for trusted builder and e2e tests repos (#63)

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* Fix unit tests

* unit tests

* updates

* updates

* updates

* updates

* updates

Author: laurentsimon

.github/config-release.yml

@@ -0,0 +1,13 @@
+# Used for pre-submit tests.
+version: 1
+env:
+  - GO111MODULE=on
+  - CGO_ENABLED=0
+
+flags:
+  - -trimpath
+  - -tags=netgo
+
+goos: linux
+goarch: amd64
+binary: slsa-verifier-{{ .Os }}-{{ .Arch }}

.github/workflows/release.yml

@@ -0,0 +1,21 @@
+name: Verifier releaser
+
+on: 
+  # For manual tests.
+  workflow_dispatch:
+  push:
+    tags:
+      - "*" # triggers only if push new tag version, like `0.8.4`.
+
+permissions: read-all
+
+jobs:
+  builder:
+    permissions:
+      id-token: write # For signing.
+      contents: write # For asset uploads.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      go-version: 1.18
+      config-file: .github/config-release.yml
+      compile-builder: true

main_test.go

@@ -4,9 +4,10 @@ import (
 	"errors"
 	"testing"
 
+	"github.com/slsa-framework/slsa-verifier/pkg"
+
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
-	pkg "github.com/slsa-framework/slsa-verifier/pkg"
 )
 
 func errCmp(e1, e2 error) bool {
@@ -31,259 +32,260 @@ func Test_runVerify(t *testing.T) {
 		{
 			name:     "valid main branch default",
 			artifact: "./testdata/binary-linux-amd64-workflow_dispatch",
-			source:   "github.com/asraa/slsa-on-github-test",
+			source:   "github.com/laurentsimon/slsa-verifier-test-gen",
 		},
 		{
 			name:     "valid main branch set",
 			artifact: "./testdata/binary-linux-amd64-workflow_dispatch",
-			source:   "github.com/asraa/slsa-on-github-test",
+			source:   "github.com/laurentsimon/slsa-verifier-test-gen",
 			branch:   "main",
 		},
 		{
 			name:     "wrong branch master",
 			artifact: "./testdata/binary-linux-amd64-workflow_dispatch",
-			source:   "github.com/asraa/slsa-on-github-test",
+			source:   "github.com/laurentsimon/slsa-verifier-test-gen",
 			branch:   "master",
 			err:      pkg.ErrorMismatchBranch,
 		},
 		{
 			name:     "wrong source append A",
 			artifact: "./testdata/binary-linux-amd64-workflow_dispatch",
-			source:   "github.com/asraa/slsa-on-github-testA",
+			source:   "github.com/laurentsimon/slsa-verifier-test-genA",
 			err:      pkg.ErrorMismatchRepository,
 		},
 		{
 			name:     "wrong source prepend A",
 			artifact: "./testdata/binary-linux-amd64-workflow_dispatch",
-			source:   "Agithub.com/asraa/slsa-on-github-test",
+			source:   "Agithub.com/laurentsimon/slsa-verifier-test-gen",
 			err:      pkg.ErrorMismatchRepository,
 		},
 		{
 			name:     "wrong source middle A",
 			artifact: "./testdata/binary-linux-amd64-workflow_dispatch",
-			source:   "github.com/Aasraa/slsa-on-github-test",
+			source:   "github.com/Alaurentsimon/slsa-verifier-test-gen",
 			err:      pkg.ErrorMismatchRepository,
 		},
 		{
 			name:     "tag no match empty tag workflow_dispatch",
 			artifact: "./testdata/binary-linux-amd64-workflow_dispatch",
-			source:   "github.com/asraa/slsa-on-github-test",
+			source:   "github.com/laurentsimon/slsa-verifier-test-gen",
 			ptag:     pString("v1.2.3"),
 			err:      pkg.ErrorMismatchTag,
 		},
 		{
 			name:        "versioned tag no match empty tag workflow_dispatch",
 			artifact:    "./testdata/binary-linux-amd64-workflow_dispatch",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v1"),
 			err:         pkg.ErrorInvalidSemver,
 		},
 		{
 			name:     "tag v1.2.3 no match v1.2.4",
 			artifact: "./testdata/binary-linux-amd64-push-v1.2.4",
-			source:   "github.com/asraa/slsa-on-github-test",
+			source:   "github.com/laurentsimon/slsa-verifier-test-gen",
 			ptag:     pString("v1.2.3"),
 			err:      pkg.ErrorMismatchTag,
 		},
 		{
 			name:     "tag v1.2 no match v1.2.4",
 			artifact: "./testdata/binary-linux-amd64-push-v1.2.4",
-			source:   "github.com/asraa/slsa-on-github-test",
+			source:   "github.com/laurentsimon/slsa-verifier-test-gen",
 			ptag:     pString("v1.2"),
 			err:      pkg.ErrorMismatchTag,
 		},
 		{
 			name:     "tag v1 no match v1.2.4",
 			artifact: "./testdata/binary-linux-amd64-push-v1.2.4",
-			source:   "github.com/asraa/slsa-on-github-test",
+			source:   "github.com/laurentsimon/slsa-verifier-test-gen",
 			ptag:     pString("v1"),
 			err:      pkg.ErrorMismatchTag,
 		},
 		// Provenance contains tag = v1.2.4.
 		{
 			name:        "versioned v1.2.4 match push-v1.2.4",
 			artifact:    "./testdata/binary-linux-amd64-push-v1.2.4",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v1.2.4"),
 		},
 		{
 			name:        "versioned v1.2 match push-v1.2.4",
 			artifact:    "./testdata/binary-linux-amd64-push-v1.2.4",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v1.2"),
 		},
 		{
 			name:        "versioned v1 match push-v1.2.4",
 			artifact:    "./testdata/binary-linux-amd64-push-v1.2.4",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v1"),
 		},
 		{
 			name:        "versioned v2 no match push-v1.2.4",
 			artifact:    "./testdata/binary-linux-amd64-push-v1.2.4",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v2"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v0 no match push-v1.2.4",
 			artifact:    "./testdata/binary-linux-amd64-push-v1.2.4",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v0"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v1.3 no match push-v1.2.4",
 			artifact:    "./testdata/binary-linux-amd64-push-v1.2.4",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v1.3"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v1.1 no match push-v1.2.4",
 			artifact:    "./testdata/binary-linux-amd64-push-v1.2.4",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v1.1"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v1.2.3 no match push-v1.2.4",
 			artifact:    "./testdata/binary-linux-amd64-push-v1.2.4",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v1.2.3"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v1.2.5 no match push-v1.2.4",
 			artifact:    "./testdata/binary-linux-amd64-push-v1.2.4",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v1.2.5"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		// Provenance contains tag = v2.
 		{
 			name:        "versioned v2 match push-v2",
 			artifact:    "./testdata/binary-linux-amd64-push-v2",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v2"),
 		},
 		{
 			name:        "versioned v2.0 match push-v2",
 			artifact:    "./testdata/binary-linux-amd64-push-v2",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v2.0"),
 		},
 		{
 			name:        "versioned v2.1 no match push-v2",
 			artifact:    "./testdata/binary-linux-amd64-push-v2",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v2.1"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v1 no match push-v2",
 			artifact:    "./testdata/binary-linux-amd64-push-v2",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v1"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v3 no match push-v2",
 			artifact:    "./testdata/binary-linux-amd64-push-v2",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v3"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v1.2 no match push-v2",
 			artifact:    "./testdata/binary-linux-amd64-push-v2",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v1.2"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v3 no match push-v2",
 			artifact:    "./testdata/binary-linux-amd64-push-v2",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v3"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v0 no match push-v2",
 			artifact:    "./testdata/binary-linux-amd64-push-v2",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v0"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		// Provenance contains tag = v2.5.
 		{
 			name:        "versioned v2.5 match push-v2.5",
 			artifact:    "./testdata/binary-linux-amd64-push-v2.5",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v2.5"),
 		},
 		{
 			name:        "versioned v2.5.1 match push-v2.5",
 			artifact:    "./testdata/binary-linux-amd64-push-v2.5",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v2.5.1"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v2.5.3 match push-v2.5",
 			artifact:    "./testdata/binary-linux-amd64-push-v2.5",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v2.5.3"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v2 match push-v2.5",
 			artifact:    "./testdata/binary-linux-amd64-push-v2.5",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v2"),
 		},
 		{
 			name:        "versioned v2.4 no match push-v2.5",
 			artifact:    "./testdata/binary-linux-amd64-push-v2.5",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v2.4"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v2.4.1 no match push-v2.5",
 			artifact:    "./testdata/binary-linux-amd64-push-v2.5",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v2.4.1"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v2.4.5 no match push-v2.5",
 			artifact:    "./testdata/binary-linux-amd64-push-v2.5",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v2.4.5"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v1 no match push-v2.5",
 			artifact:    "./testdata/binary-linux-amd64-push-v2.5",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v1"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v3 no match push-v2.5",
 			artifact:    "./testdata/binary-linux-amd64-push-v2.5",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v3"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
 		{
 			name:        "versioned v3.1 no match push-v2.5",
 			artifact:    "./testdata/binary-linux-amd64-push-v2.5",
-			source:      "github.com/asraa/slsa-on-github-test",
+			source:      "github.com/laurentsimon/slsa-verifier-test-gen",
 			pversiontag: pString("v3.1"),
 			err:         pkg.ErrorMismatchVersionedTag,
 		},
+		// TODO(laurent): add tests for special cases of buidlers' ref.
 	}
 	for _, tt := range tests {
 		tt := tt // Re-initializing variable so it is not changed while executing the closure below