Update workflow PR (#220)

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

Author: puerco

sourcetool/cmd/status.go

@@ -58,9 +58,17 @@ command is intended to help maintainers implementing SLSA controls
 understand the next steps to secure their repos and progress in their
 SLSA journey. 
 `,
-		Use:           "status",
+		Use:           "status [flags] owner/repo@branch",
 		SilenceUsage:  false,
 		SilenceErrors: true,
+		Example: `Check the SLSA tooling status on a repository:
+sourcetool status myorg/myrepo
+
+A branch other than the default can be specified by appending it to
+the repository slug:
+
+sourcetool status myorg/myrepo@mybranch
+`,
 		PreRunE: func(cmd *cobra.Command, args []string) error {
 			if len(args) > 0 {
 				if err := opts.ParseLocator(args[0]); err != nil {
@@ -116,7 +124,10 @@ SLSA journey.
 			// Compute the maximum level possible:
 			toplevel := policy.ComputeEligibleSlsaLevel(controls)
 
-			title := fmt.Sprintf("SLSA Source Status for %s/%s", opts.owner, opts.repository)
+			title := fmt.Sprintf(
+				"SLSA Source Status for %s/%s@%s", opts.owner, opts.repository,
+				ghcontrol.BranchToFullRef(opts.branch),
+			)
 			fmt.Printf("")
 			fmt.Println(w(title))
 			fmt.Println(strings.Repeat("=", len(title)))

sourcetool/pkg/sourcetool/implementation.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"log"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -29,23 +30,33 @@ const (
 
 	workflowPath   = ".github/workflows/compute_slsa_source.yaml"
 	workflowSource = "git+https://github.com/slsa-"
+
+	// workflowCommitMessage will be used as the commit message and the PR title
+	workflowCommitMessage = "Add SLSA Source Provenance Workflow"
+
+	// workflowPRBody is the body of the pull request that adds the provenance workflow
+	workflowPRBody = `This pull request adds a new workflow to the repository to generate ` +
+		`[SLSA](https://slsa.dev/) Source provenance data on every push.` + "\n\n" +
+		`Every time a new commit merges to the specified branch, attestations will ` +
+		`be automatically signed and stored in git notes in this repository.` + "\n\n" +
+		`Note: This is an automated PR created using the ` +
+		`[SLSA sourcetool](https://github.com/slsa-framework/slsa-source-poc) utility.` + "\n"
 )
 
 // TODO(puerco): Read this from latest version on the repository
-var workflowData = `# SPDX-FileCopyrightText: Copyright 2025 The SLSA Authors
-# SPDX-License-Identifier: Apache-2.0
----
+var workflowData = `---
 name: SLSA Source
 on:
   push:
     branches: [ %q ]
+permissions: {}
 
 jobs:
   # Whenever new source is pushed recompute the slsa source information.
-  check-change:
+  generate-provenance:
     permissions:
       contents: write # needed for storing the vsa in the repo.
-      id-token: write
+      id-token: write # meeded to mint yokens for signing
     uses: slsa-framework/slsa-source-poc/.github/workflows/compute_slsa_source.yml@main
 `
 
@@ -68,15 +79,19 @@ type defaultToolImplementation struct{}
 func (impl *defaultToolImplementation) GetActiveControls(opts *Options) (slsa.Controls, error) {
 	ctx := context.Background()
 
-	ghc, err := opts.GetGitHubConnection()
-	if err != nil {
-		return nil, fmt.Errorf("getting GitHub connection: %w", err)
+	if err := opts.EnsureBranch(); err != nil {
+		return nil, err
 	}
 
-	if err := opts.EnsureBranch(); err != nil {
+	if err := opts.EnsureCommit(); err != nil {
 		return nil, err
 	}
 
+	ghc, err := opts.GetGitHubConnection()
+	if err != nil {
+		return nil, fmt.Errorf("getting GitHub connection: %w", err)
+	}
+
 	// Get the active controls
 	activeControls, err := ghc.GetBranchControls(ctx, ghcontrol.BranchToFullRef(opts.Branch))
 	if err != nil {
@@ -92,12 +107,14 @@ func (impl *defaultToolImplementation) GetActiveControls(opts *Options) (slsa.Co
 	// Fetch the attestation. If found, then add the control:
 	attestation, _, err := attestor.GetProvenance(ctx, opts.Commit, ghcontrol.BranchToFullRef(opts.Branch))
 	if err != nil {
-		return nil, fmt.Errorf("attempting to read provenance from commit: %w", err)
+		return nil, fmt.Errorf("attempting to read provenance from commit %q: %w", opts.Commit, err)
 	}
 	if attestation != nil {
 		activeControls.AddControl(&slsa.Control{
 			Name: slsa.ProvenanceAvailable,
 		})
+	} else {
+		log.Printf("No provenance attestation found on %s", opts.Commit)
 	}
 
 	return *activeControls, nil
@@ -282,10 +299,8 @@ func (impl *defaultToolImplementation) CreateWorkflowPR(opts *Options) error {
 		return fmt.Errorf("adding workflow file to staging area: %w", err)
 	}
 
-	commitMessage := "Add SLSA Source attesting workflow"
-
 	// Create the commit
-	if err := repo.UserCommit(commitMessage); err != nil {
+	if err := repo.UserCommit(workflowCommitMessage); err != nil {
 		return fmt.Errorf("committing changes to workflow: %w", err)
 	}
 
@@ -295,14 +310,11 @@ func (impl *defaultToolImplementation) CreateWorkflowPR(opts *Options) error {
 		return fmt.Errorf("pushing %s to %s/%s: %w", kgithub.UserForkName, userForkOrg, userForkRepo, err)
 	}
 
-	prBody := `This pull request adds a workflow to the repository to attest the
-SLSA Source compliance on every push.
-`
 	// Create the Pull Request
 	pr, err := gh.CreatePullRequest(
 		opts.Owner, opts.Repo, opts.Branch,
 		fmt.Sprintf("%s:%s", userForkOrg, branchname),
-		commitMessage, prBody, false,
+		workflowCommitMessage, workflowPRBody, false,
 	)
 	if err != nil {
 		return fmt.Errorf("creating the pull request in %s: %w", opts.Owner, err)

sourcetool/pkg/sourcetool/tool.go

@@ -118,7 +118,7 @@ func (t *Tool) ConfigureControls(configs []ControlConfiguration, funcs ...ooFn)
 			}
 		case CONFIG_POLICY:
 			if err := t.impl.CheckPolicyFork(&opts); err != nil {
-				return fmt.Errorf("checking policy repo fork")
+				return fmt.Errorf("checking policy repo fork: %w", err)
 			}
 			if err := t.impl.CreatePolicyPR(&opts); err != nil {
 				return fmt.Errorf("opening the policy pull request: %w", err)