Drop commit verify from tag hygiene (#212)

puerco · web-flow · commit 99feeefe1f01 · 2025-06-22T14:18:06.000-06:00
This drops the commit time verification from the tag hygiene check
to be able to check it without requiring a commit. As the control
status object now checks the commit time, we can drop the logic from
the control reader.

Signed-off-by: Adolfo García Veytia (Puerco) &lt;puerco@carabiner.dev&gt;
diff --git a/sourcetool/pkg/ghcontrol/checklevel.go b/sourcetool/pkg/ghcontrol/checklevel.go
@@ -131,7 +131,7 @@ func enforcesTagHygiene(ruleset *github.RepositoryRuleset) bool {
 	return false
 }
 
-func (ghc *GitHubConnection) computeTagHygieneControl(ctx context.Context, _ string, allRulesets []*github.RepositoryRuleset, activityTime *time.Time) (*slsa.Control, error) {
+func (ghc *GitHubConnection) computeTagHygieneControl(ctx context.Context, allRulesets []*github.RepositoryRuleset) (*slsa.Control, error) {
 	var validRuleset *github.RepositoryRuleset
 	for _, ruleset := range allRulesets {
 		if *ruleset.Target != github.RulesetTargetTag {
@@ -161,11 +161,6 @@ func (ghc *GitHubConnection) computeTagHygieneControl(ctx context.Context, _ str
 		return nil, nil
 	}
 
-	// Check that the commit was created after this rule was enabled.
-	if activityTime.Before(validRuleset.UpdatedAt.Time) {
-		return nil, nil
-	}
-
 	return &slsa.Control{Name: slsa.TagHygiene, Since: validRuleset.UpdatedAt.Time}, nil
 }
 
@@ -286,7 +281,7 @@ func (ghc *GitHubConnection) GetBranchControls(ctx context.Context, commit, ref
 	if err != nil {
 		return nil, err
 	}
-	TagHygieneControl, err := ghc.computeTagHygieneControl(ctx, commit, allRulesets, &activity.Timestamp)
+	TagHygieneControl, err := ghc.computeTagHygieneControl(ctx, allRulesets)
 	if err != nil {
 		return nil, fmt.Errorf("could not populate TagHygieneControl: %w", err)
 	}
@@ -303,13 +298,14 @@ func (ghc *GitHubConnection) GetTagControls(ctx context.Context, commit, ref str
 
 	allRulesets, _, err := ghc.Client().Repositories.GetAllRulesets(ctx, ghc.Owner(), ghc.Repo(), true)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("getting repository rules from API: %w", err)
 	}
-	TagHygieneControl, err := ghc.computeTagHygieneControl(ctx, commit, allRulesets, &controlStatus.CommitPushTime)
+
+	TagHygieneControl, err := ghc.computeTagHygieneControl(ctx, allRulesets)
 	if err != nil {
 		return nil, fmt.Errorf("could not populate TagHygieneControl: %w", err)
 	}
-	controlStatus.Controls.AddControl(TagHygieneControl)
+	controlStatus.AddControl(TagHygieneControl)
 
 	return &controlStatus, nil
 }

Original file line number	Diff line number	Diff line change
`@@ -131,7 +131,7 @@ func enforcesTagHygiene(ruleset *github.RepositoryRuleset) bool {`
`131`	`131`	`return false`
`132`	`132`	`}`
`133`	`133`
`134`		`-func (ghc GitHubConnection) computeTagHygieneControl(ctx context.Context, _ string, allRulesets []github.RepositoryRuleset, activityTime time.Time) (slsa.Control, error) {`
	`134`	`+func (ghc GitHubConnection) computeTagHygieneControl(ctx context.Context, allRulesets []github.RepositoryRuleset) (*slsa.Control, error) {`
`135`	`135`	`var validRuleset *github.RepositoryRuleset`
`136`	`136`	`for _, ruleset := range allRulesets {`
`137`	`137`	`if *ruleset.Target != github.RulesetTargetTag {`
`@@ -161,11 +161,6 @@ func (ghc *GitHubConnection) computeTagHygieneControl(ctx context.Context, _ str`
`161`	`161`	`return nil, nil`
`162`	`162`	`}`
`163`	`163`
`164`		`- // Check that the commit was created after this rule was enabled.`
`165`		`- if activityTime.Before(validRuleset.UpdatedAt.Time) {`
`166`		`- return nil, nil`
`167`		`- }`
`168`		`-`
`169`	`164`	`return &slsa.Control{Name: slsa.TagHygiene, Since: validRuleset.UpdatedAt.Time}, nil`
`170`	`165`	`}`
`171`	`166`
`@@ -286,7 +281,7 @@ func (ghc *GitHubConnection) GetBranchControls(ctx context.Context, commit, ref`
`286`	`281`	`if err != nil {`
`287`	`282`	`return nil, err`
`288`	`283`	`}`
`289`		`- TagHygieneControl, err := ghc.computeTagHygieneControl(ctx, commit, allRulesets, &activity.Timestamp)`
	`284`	`+ TagHygieneControl, err := ghc.computeTagHygieneControl(ctx, allRulesets)`
`290`	`285`	`if err != nil {`
`291`	`286`	`return nil, fmt.Errorf("could not populate TagHygieneControl: %w", err)`
`292`	`287`	`}`
`@@ -303,13 +298,14 @@ func (ghc *GitHubConnection) GetTagControls(ctx context.Context, commit, ref str`
`303`	`298`
`304`	`299`	`allRulesets, _, err := ghc.Client().Repositories.GetAllRulesets(ctx, ghc.Owner(), ghc.Repo(), true)`
`305`	`300`	`if err != nil {`
`306`		`- return nil, err`
	`301`	`+ return nil, fmt.Errorf("getting repository rules from API: %w", err)`
`307`	`302`	`}`
`308`		`- TagHygieneControl, err := ghc.computeTagHygieneControl(ctx, commit, allRulesets, &controlStatus.CommitPushTime)`
	`303`	`+`
	`304`	`+ TagHygieneControl, err := ghc.computeTagHygieneControl(ctx, allRulesets)`
`309`	`305`	`if err != nil {`
`310`	`306`	`return nil, fmt.Errorf("could not populate TagHygieneControl: %w", err)`
`311`	`307`	`}`
`312`		`- controlStatus.Controls.AddControl(TagHygieneControl)`
	`308`	`+ controlStatus.AddControl(TagHygieneControl)`
`313`	`309`
`314`	`310`	`return &controlStatus, nil`
`315`	`311`	`}`