feat: Update ref check for BYOB Actions (#2563)

laurentsimon · web-flow · commit 1b83a6ebe128 · 2023-08-08T23:37:59.000Z
closes #2550 Signed-off-by: laurentsimon <laurentsimon@google.com>
diff --git a/.github/workflows/scripts/pre-release/references.sh b/.github/workflows/scripts/pre-release/references.sh
@@ -82,6 +82,19 @@ if [[ "$results" != "" ]]; then
     exit 1
 fi
 
+# Verify our Actions are referenced by the release tag in BYOB actions.
+results=$(
+    find internal/builders/ -maxdepth 2 -name '*.yaml' -o -name '*.yml' -type f -print0 |
+        xargs -0 grep -Pn "slsa-framework/slsa-github-generator/.*@(?!$RELEASE_TAG)" |
+        sed 's/\(.*:\) *uses:.*\(\/.*\)/\1 [...]\2/' ||
+        true
+)
+if [[ "$results" != "" ]]; then
+    echo "Some Actions are not referenced via the correct release tag \"$RELEASE_TAG\" in BYOB actions"
+    echo "$results"
+    exit 1
+fi
+
 # Verify the Maven Actions use the correct builder ref.
 results=$(
     find actions/maven/ internal/builders/maven/ -name '*.yaml' -o -name '*.yml' -type f -print0 |
diff --git a/.github/workflows/scripts/pre-submit.actions/references.sh b/.github/workflows/scripts/pre-submit.actions/references.sh
@@ -58,6 +58,18 @@ if [[ "$results" != "" ]]; then
     exit 1
 fi
 
+# Verify our Actions are referenced at main in BYOB actions.
+results=$(
+    find internal/builders/ -maxdepth 2 -name '*.yaml' -o -name '*.yml' -type f -print0 |
+        xargs -0 grep -P "slsa-framework/slsa-github-generator/.*@(?!main)" ||
+        true
+)
+if [[ "$results" != "" ]]; then
+    echo "Some Actions are not referenced at main in BYOB Actions"
+    echo "$results"
+    exit 1
+fi
+
 # Verify the Maven Actions use the correct builder ref.
 results=$(
     find actions/maven/ internal/builders/maven/ -name '*.yaml' -o -name '*.yml' -type f -print0 |
@@ -69,5 +81,3 @@ if [[ "$results" != "" ]]; then
     echo "$results"
     exit 1
 fi
-
-
diff --git a/internal/builders/bazel/action.yml b/internal/builders/bazel/action.yml
@@ -75,7 +75,7 @@ runs:
 
     - name: Generate Artifacts
       id: generate-artifacts
-      uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@v1.8.0
+      uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@main
       with:
         name: "${{ steps.rng.outputs.random }}-binaries"
         path: "./bazel_builder_binaries_to_upload_to_gh_7bc972367cb286b7f36ab4457f06e369" # path-to-artifact(s)
