Fix installer: Add arguments to actions/checkout so that it checks out slsa-framework/slsa-verifier instead of the repo using the Action.

Signed-off-by: kpk47 <kkris@google.com>

Author: kpk47

actions/installer/action.yml

@@ -20,9 +20,16 @@ branding:
 runs:
   using: 'composite'
   steps:
+    - name: Get Action Ref
+      shell: bash
+      env:
+        ACTION_REF: "${{ github.action_ref }}"
+      run: echo "action_ref=$ACTION_REF" >> $GITHUB_ENV
     - name: Checkout
       uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
-
+      with:
+        repository: "slsa-framework/slsa-verifier"
+        ref: "${{ env.action_ref }}"
     - name: Setup Node.js 16
       uses: actions/setup-node@969bd2663942d722d85b6a8626225850c2f7be4b # tag=v3.5.0
       with:
@@ -45,4 +52,5 @@ runs:
         REPOSITORY: "${{ github.repository }}"
       working-directory: actions/installer/dist
       shell: bash
-      run: nodejs index.js 
+      run: npm start
+      

actions/installer/dist/index.js

@@ -82,17 +82,14 @@ function getVerifierVersion(actionRef) {
         const shaRe = /^[a-f\d]{40}$/;
         if (shaRe.test(actionRef)) {
             const octokit = github.getOctokit(process.env.TOKEN || "");
-            const { data: releases } = yield octokit.request("GET /repos/{repository}/releases", {
-                repository: process.env.REPOSITORY,
+            const { data: tags } = yield octokit.request("GET /repos/{owner}/{repository}/tags", {
+                owner: "slsa-framework",
+                repository: "slsa-verifier",
             });
-            for (const release of releases) {
-                const { data: commit } = yield octokit.request("GET /reps/{repository}/git/ref/tags/{tagName}", {
-                    repository: process.env.REPOSITORY,
-                    tagName: release.tag_name,
-                });
-                const commitSha = commit.object.sha;
+            for (const tag of tags) {
+                const commitSha = tag.commit.sha;
                 if (commitSha === actionRef) {
-                    return release.tag_name;
+                    return tag.name;
                 }
             }
         }

actions/installer/dist/index.js.map

@@ -11,14 +11,16 @@
     "package": "ncc build --source-map",
     "lint": "eslint src/**/*.ts",
     "build": "npm run compile && npm run package",
+    "start": "node lib/index.js",
     "all": "npm run compile && npm run format && npm run lint && npm run test && npm run package"
   },
   "dependencies": {
     "@actions/core": "^1.9.1",
     "@actions/exec": "^1.1.1",
     "@actions/github": "^5.0.3",
     "@actions/io": "^1.1.2",
-    "@actions/tool-cache": "^2.0.1"
+    "@actions/tool-cache": "^2.0.1",
+    "nodejs": "^0.0.0"
   },
   "devDependencies": {
     "@types/jasmine": "4.3.0",

actions/installer/package-lock.json

@@ -44,23 +44,17 @@ export async function getVerifierVersion(actionRef: string): Promise<string> {
   const shaRe = /^[a-f\d]{40}$/;
   if (shaRe.test(actionRef)) {
     const octokit = github.getOctokit(process.env.TOKEN || "");
-    const { data: releases } = await octokit.request(
-      "GET /repos/{repository}/releases",
+    const { data: tags } = await octokit.request(
+      "GET /repos/{owner}/{repository}/tags",
       {
-        repository: process.env.REPOSITORY,
+        owner: "slsa-framework",
+        repository: "slsa-verifier",
       }
     );
-    for (const release of releases) {
-      const { data: commit } = await octokit.request(
-        "GET /reps/{repository}/git/ref/tags/{tagName}",
-        {
-          repository: process.env.REPOSITORY,
-          tagName: release.tag_name,
-        }
-      );
-      const commitSha = commit.object.sha;
+    for (const tag of tags) {
+      const commitSha = tag.commit.sha;
       if (commitSha === actionRef) {
-        return release.tag_name;
+        return tag.name;
       }
     }
   }