Get repository, ref via Github API

[ianlewis]

Currently we have to have special case code to run e2e tests in pull requests due to #131. I'd like to get rid of that code so that pull requests run normally.

I want to see if I can't get the repository and ref via the Github API rather than by creating an OIDC token. Creating an OIDC token requires id-token scope which is not normally given to workflows triggered by the pull_request event.

This wouldn't allow us to sign using sigstore's Github provider, but it would at least solve the problem of getting the reusable workflow repo and ref.

[laurentsimon]

This was done and can be closed?

[ianlewis]

No, this is just an idea I had that I wanted to get the repo and ref via the GitHub API instead of by using job_workflow_ref an OIDC token. I'm not sure it's really possible. It's more of a refactor than a feature and it's not really high priority.

[laurentsimon]

ho right, my bad.

[asraa]

Update here: detect-workflow-js works this way so the remaining item here is to (after ensuring some stability in that new action) to deprecate detect-workflow and replace with detect-workflow-js

[ianlewis]

The old detect-workflow action was removed in #1988 and detect-workflow-js does this already. Closing.

slsa-github-generator/.github/actions/detect-workflow-js/src/main.ts

Lines 42 to 60 in f8e4706

	if (
	process.env.ACTIONS_ID_TOKEN_REQUEST_URL &&
	process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN &&
	process.env.GITHUB_EVENT_NAME !== "pull_request" &&
	process.env.GITHUB_EVENT_NAME !== "merge_group"
	) {
	// Use the OIDC token when available.
	const aud = path.join(repoName, "detect-workflow-js");
	[repository, ref, workflow] = await detectWorkflowFromOIDC(aud);
	} else {
	// Otherwise, try to use the referenced workflows from the current workflow run.
	core.info(
	"Failed to retrieve OIDC token. This may be due to missing id-token: write permissions.",
	);
	[repository, ref, workflow] = await detectWorkflowFromContext(
	repoName,
	token,
	);
	}

[github-actions]

This issue was reopened by the todo-issue-reopener action in the "TODO Issue Reopener" GitHub Actions workflow because there are TODOs referencing this issue:

1. internal/builders/container/generate.go:55: Remove
2. internal/builders/container/generate.go:63: Remove
3. internal/builders/generic/attest.go:87: Remove
4. internal/builders/generic/attest.go:95: Remove
5. internal/builders/go/pkg/provenance.go:129: Remove
6. internal/builders/go/pkg/provenance.go:139: Remove
7. internal/builders/go/pkg/provenance_test.go:26: Remove

[ianlewis]

So I think the issue is that this is fixed for detect-workflow-js but we only use that for our pre-BYOB builders/generators that were written in Go in order to detect which repo/ref to checkout in order to build the builder binary for pre-submits/e2e tests.

We still need to update the pre-BYOB builder code itself to clean up how we deal with pre-submits and e2e tests.