feat: update ref (#1086)

* update

* update

* update

* update

* update

.github/actions/README.md

@@ -1,29 +1,37 @@
 # Internal Action Development
 
-## Internal Actions
-Although the Actions are hosted on the same repository, we consider them "external": they are not called via:
+## External Actions
+The following Actions:
+- detect-workflow
+- privacy-check
+- rng
+- secure-builder-checkout
+- generate-builder
+
+are considered "external" even though they are hosted on the same repository: they are not called via:
 
 ```././github/actions/name```
 
 but instead via their "fully-qualified" name:
 
-```slsa-framework/slsa-github-generator/.github/actions/name@hash```. 
+```slsa-framework/slsa-github-generator/.github/actions/name@vX.Y.Z```. 
 
 We do this because the Actions are part of the builder, whereas the workflow runs in the "context" of the calling repository.
 
-## Checkout Rules
-Actions that are called with a copy of the calling repository on disk (`actions/checkout` for the calling repository)
-should *NEVER* "checkout" the builder's repository, because it creates interference with the calling repository
-and is difficult to get right.
-
-In particular, *composite actions* need should not invoke script files stored in the git repository. Only inline scripts are permitted under these rules.
+These Action *MUST* be pinned with the release tag for consistency.
+
+## Internal Actions
+
+Other Actions are called via:
+
+```././github/actions/name```
 
-In general, Actions that need to "checkout" their code should use [Dockerfile](https://docs.github.com/en/actions/creating-actions/creating-a-docker-container-action) or [nodejs](https://docs.github.com/en/actions/creating-actions/creating-a-javascript-action)-type projects "compiled" with [ncc](https://docs.github.com/en/actions/creating-actions/creating-a-javascript-action#commit-tag-and-push-your-action-to-github). An example of such an Action
-is the `./github/actions/detect-workflow` Action.
+and always require a checkout of the builder repository before being called.
+The `secure-builder-checkout` is always used to checkout the builder repository
+at `__BUILDER_CHECKOUT_DIR__` location. The `secure-project-checkout-*` checkout
+the project to build at the location `__PROJECT_CHECKOUT_DIR__`.
 
-There is one exception today: the `./github/actions/generate-builder` Action. It "checkouts" its own code and is allowed to do it
-because it does so in a job that never "checkouts" the calling repository. (Note: the code will be migrated to 
-a Dockerfile or nodejs-type projects in the future).
+These Actions are *composite actions*. They invoke scripts and also call other Actions.
 
 ## Development
 

.github/workflows/builder_go_slsa3.yml

@@ -112,7 +112,7 @@ jobs:
     steps:
       - name: Generate builder binary
         id: generate
-        uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
+        uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@923a5a249d2ea820614a80486c9ef0857ced5321
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
@@ -145,7 +145,7 @@ jobs:
     needs: [privacy-check, builder, rng]
     steps:
       - name: Checkout builder repository
-        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
+        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
@@ -176,8 +176,8 @@ jobs:
 
           # Note: this outputs information about resolved arguments, etc.
           # the values are trusted because the compiler is not invoked.
-          echo "../$BUILDER_BINARY" build --dry "$CONFIG_FILE" "$UNTRUSTED_ENVS"
-          "../$BUILDER_BINARY" build --dry "$CONFIG_FILE" "$UNTRUSTED_ENVS"
+          echo "$GITHUB_WORKSPACE/$BUILDER_BINARY" build --dry "$CONFIG_FILE" "$UNTRUSTED_ENVS"
+          "$GITHUB_WORKSPACE/$BUILDER_BINARY" build --dry "$CONFIG_FILE" "$UNTRUSTED_ENVS"
 
   ###################################################################
   #                                                                 #
@@ -191,7 +191,7 @@ jobs:
     needs: [privacy-check, builder, build-dry, rng]
     steps:
       - name: Checkout builder repository
-        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
+        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
@@ -241,12 +241,12 @@ jobs:
           # Disable set-output command.
           echo "::stop-commands::`echo -n ${{ github.token }} | sha256sum | head -c 64`"
 
-          echo "../$BUILDER_BINARY" build "$CONFIG_FILE" "$UNTRUSTED_ENVS"
+          echo "$GITHUB_WORKSPACE/$BUILDER_BINARY" build "$CONFIG_FILE" "$UNTRUSTED_ENVS"
           # Note: We need to provide the asbolute path to the output binary.
           export OUTPUT_BINARY="$PWD/${{ env.GENERATED_BINARY_NAME }}"
-          ../"$BUILDER_BINARY" build "$CONFIG_FILE" "$UNTRUSTED_ENVS"
+          "$GITHUB_WORKSPACE/$BUILDER_BINARY" build "$CONFIG_FILE" "$UNTRUSTED_ENVS"
 
-          mv "${{ env.GENERATED_BINARY_NAME }}" "../$UNTRUSTED_BINARY_NAME"
+          mv "${{ env.GENERATED_BINARY_NAME }}" "$GITHUB_WORKSPACE/$UNTRUSTED_BINARY_NAME"
 
       - name: Upload generated binary
         id: upload
@@ -272,7 +272,7 @@ jobs:
       go-provenance-sha256: ${{ steps.sign-prov.outputs.signed-provenance-sha256 }}
     steps:
       - name: Checkout builder repository
-        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
+        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
@@ -330,7 +330,7 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/') && inputs.upload-assets == true
     steps:
       - name: Checkout builder repository
-        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
+        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"

.github/workflows/builder_node_slsa3.yml

@@ -172,7 +172,7 @@ jobs:
     steps:
       - name: Generate builder
         id: generate
-        uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
+        uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@923a5a249d2ea820614a80486c9ef0857ced5321
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
@@ -203,7 +203,7 @@ jobs:
     needs: [privacy-check, builder, rng]
     steps:
       - name: Checkout builder repository
-        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
+        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
@@ -229,33 +229,36 @@ jobs:
           set-executable: true
 
       - name: Download dependencies
+        working-directory: __PROJECT_CHECKOUT_DIR__
         env:
           UNTRUSTED_CI_ARGUMENTS: "${{ inputs.ci-arguments }}"
           UNTRUSTED_DIR: ${{ inputs.directory }}"
         run: |
           set -euo pipefail
 
           # npm ci <args>
-          ./"$BUILDER_BINARY" ci \
+          "$GITHUB_WORKSPACE/$BUILDER_BINARY" ci \
             --ci-arguments "$UNTRUSTED_CI_ARGUMENTS" \
             --directory "$UNTRUSTED_DIR"
 
       # TODO(hermeticity) Enable OS-level hermeticity.
 
       - name: Build project
+        working-directory: __PROJECT_CHECKOUT_DIR__
         env:
           UNTRUSTED_RUN_SCRIPTS: "${{ inputs.run-scripts }}"
           UNTRUSTED_DIR: ${{ inputs.directory }}"
         run: |
           set -euo pipefail
 
           # npm run <args>
-          ./"$BUILDER_BINARY" run \
+          "$GITHUB_WORKSPACE/$BUILDER_BINARY" run \
             --run-scripts "$UNTRUSTED_RUN_SCRIPTS" \
             --directory "$UNTRUSTED_DIR"
 
       - name: Create tarball
         id: tarball
+        working-directory: __PROJECT_CHECKOUT_DIR__
         env:
           UNTRUSTED_DIR: ${{ inputs.directory }}"
         run: |
@@ -268,7 +271,7 @@ jobs:
           # files and their hashes, so that we can identify the new file without the need to parse
           # the manifest.json.
           # echo "npm pack --pack-destination="./out"
-          ./"$BUILDER_BINARY" pack \
+          "$GITHUB_WORKSPACE/$BUILDER_BINARY" pack \
             --directory "$UNTRUSTED_DIR"
 
           # cp output into upper folder to make the tarball accessible to
@@ -299,7 +302,7 @@ jobs:
       node-provenance-sha256: ${{ steps.sign-prov.outputs.signed-provenance-sha256 }}
     steps:
       - name: Checkout builder repository
-        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
+        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
@@ -356,7 +359,7 @@ jobs:
     needs: [build, provenance]
     steps:
       - name: Checkout builder repository
-        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
+        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
@@ -371,6 +374,7 @@ jobs:
           token: ${{ inputs.token }}
           always-auth: ${{ inputs.always-auth }}
           registry-url: ${{ inputs.registry-url }}
+          path: __PROJECT_CHECKOUT_DIR__
 
       - name: Download binary
         uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/secure-download-artifact
@@ -395,12 +399,13 @@ jobs:
           set-executable: true
 
       - name: Publish
+        working-directory: __PROJECT_CHECKOUT_DIR__
         env:
           UNTRUSTED_PUBLISH_ARGUMENTS: "${{ inputs.publish-arguments }}"
         run: |
           set -euo pipefail
 
           # echo "npm publish ${{ inputs.publish-arguments }}"
-          ./"$BUILDER_BINARY" publish \
+          "$GITHUB_WORKSPACE/$BUILDER_BINARY" publish \
             --publish-arguments "$UNTRUSTED_PUBLISH_ARGUMENTS" \
             --directory "$UNTRUSTED_DIR"

.github/workflows/generator_container_slsa3.yml

@@ -91,7 +91,7 @@ jobs:
       packages: write # Needed to login and upload attestations to ghcr.io.
     steps:
       - name: Generate builder
-        uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
+        uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@923a5a249d2ea820614a80486c9ef0857ced5321
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"

.github/workflows/generator_generic_slsa3.yml

@@ -108,7 +108,7 @@ jobs:
       actions: read # Needed to read workflow info.
     steps:
       - name: Generate builder
-        uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
+        uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@923a5a249d2ea820614a80486c9ef0857ced5321
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
@@ -169,7 +169,7 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/') && inputs.upload-assets == true
     steps:
       - name: Checkout builder repository
-        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
+        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"