@@ -84,33 +84,35 @@ runs:
8484 }
8585 validate_path "${UNTRUSTED_PROJECT_ROOT}"
8686 # remove trailing "/"'s with `realpath`
87- project_root=$(realpath "${UNTRUSTED_PROJECT_ROOT}")
87+ project_root=$(realpath -e "${UNTRUSTED_PROJECT_ROOT}")
88+
89+ # output the validated project root for later steps
90+ echo "validated_project_root=${project_root}" >> "${GITHUB_OUTPUT}"
8891
8992 cd "${project_root}" \
9093 && ./gradlew build -x test
9194
9295 - name : Put release artifacts in one directory
96+ id : collect_release_artifacts
9397 shell : bash
9498 env :
9599 SLSA_OUTPUTS_ARTIFACTS_FILE : ${{ inputs.slsa-layout-file }}
96100 UNTRUSTED_ARTIFACT_LIST : ${{ fromJson(inputs.slsa-workflow-inputs).artifact-list }}
97- PROJECT_ROOT : ${{ fromJson(inputs.slsa-workflow-inputs).directory }}
101+ PROJECT_ROOT : ${{ steps.collect_release_artifacts.outputs.validated_project_root }}
98102 run : |
99103 cd "${PROJECT_ROOT}" && "${GITHUB_WORKSPACE}"/../__TOOL_ACTION_DIR__/collect_release_artifacts.sh
100104 - name : Make outputs
101105 id : make-outputs
102106 shell : bash
103107 env :
104108 SLSA_OUTPUTS_ARTIFACTS_FILE : ${{ inputs.slsa-layout-file }}
105- PROJECT_ROOT : ${{ fromJson(inputs.slsa-workflow-inputs).directory }}
109+ PROJECT_ROOT : ${{ steps.collect_release_artifacts.outputs.validated_project_root }}
106110 run : |
107111 cd "${PROJECT_ROOT}" && "${GITHUB_WORKSPACE}"/../__TOOL_ACTION_DIR__/create_attestation.sh
108112 - name : Move build dir to avoid making it a sub-dir when uploading
109113 shell : bash
110114 env :
111- # PROJECT_ROOT is generally untrusted, but the builder has validated
112- # it in the 'Run gradle builder' step and is therefore trusted now.
113- PROJECT_ROOT : ${{ fromJson(inputs.slsa-workflow-inputs).directory }}
115+ PROJECT_ROOT : ${{ steps.collect_release_artifacts.outputs.validated_project_root }}
114116 run : |
115117 mv "${PROJECT_ROOT}"/build "${GITHUB_WORKSPACE}"/
116118 - name : Upload build dir
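Review bot: The added `id: collect_release_artifacts` sits on the "Put release artifacts in one directory" step, but `validated_project_root` is written to `GITHUB_OUTPUT` by the script of the step before it, so `steps.collect_release_artifacts.outputs.validated_project_root` looks like it resolves to an empty string in all three consumers, unless `collect_release_artifacts.sh` (not shown) writes the same output. With an empty `PROJECT_ROOT`, `cd "${PROJECT_ROOT}"` would not enter the validated directory and the move step would expand to `mv "/build" ...`, so the path check added here never reaches the steps that rely on it. The id belongs on the step that contains the `echo`, with the consumers reading `${{ steps.<builder-step-id>.outputs.validated_project_root }}`; that step begins outside the hunk, so whether it already has an id cannot be seen from here. It would also help to fail closed in the consumers, e.g. `cd "${PROJECT_ROOT:?}"` and `mv "${PROJECT_ROOT:?}"/build "${GITHUB_WORKSPACE}"/`.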