[bug] Generic workflow fails on repositories that don't use Go #376

Closed
behnazh-w opened this issue Jun 21, 2022 · 5 comments
Labels: area:generic (Issue with the generic generator), type:bug (Something isn't working)

Comments

@behnazh-w
Contributor

Describe the bug
If I understand correctly, the generic workflow is meant to generate provenance for any language as long as the encoded hash digest of the built artifact is provided as input. However, when I try it on a repository that doesn't use Go (e.g., uses Python), it fails because it tries to download the Go module dependencies.

    - name: Checkout the repository
      uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
      with:
        fetch-depth: 1
        repository: "${{ needs.detect-env.outputs.repository }}"
        ref: "${{ needs.detect-env.outputs.ref }}"
    - name: Set up golang environment
      uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v3.2.0
      with:
        go-version: 1.18
    - name: Download dependencies
      shell: bash
      run: |
        set -euo pipefail
        #TODO(reproducible)
        go mod vendor

Why does the workflow need to download Go modules of the target repository? Please let me know if I'm missing something.

To Reproduce
Run the generic workflow on a repo that doesn't use Go.


@behnazh-w behnazh-w added status:triage Issue that has not been triaged type:bug Something isn't working labels Jun 21, 2022
@laurentsimon
Collaborator

The code you linked is to build the builder, not the project.
Here's an e2e test that succeeds https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.generic-bazel.push.main.default.slsa3.yml#L27-L66

Maybe you're using a trigger we have not tested yet. Can you link to a workflow you use to call the generic workflow?

@ianlewis ianlewis added area:generic Issue with the generic generator and removed status:triage Issue that has not been triaged labels Jun 22, 2022
@behnazh-w
Contributor Author

Here is the example workflow that fails.

> The code you linked is to build the builder, not the project.

Note that my example repo is resolved here at the checkout step.

@ianlewis
Member

Hi again @behnazh-w! Thanks for the bug report and for the links. Those were super helpful for figuring out what happened.

This is caused by the fact that we don't support the pull_request trigger for GitHub Actions. See the docs for the generic workflow. Supporting it is kind of difficult for permissions-related issues. Relevant GitHub issues are #358 and #131.

What happened in this case is that our detect-workflow action returned empty strings for the repository and ref which then got fed into the checkout action and it checked out your repository (since the repo on the github context is the default).
@laurentsimon We should probably do something to make this a bit more intuitive. Maybe error out early on pull_request triggers (though we still need to support e2e tests).

@behnazh-w Note also that you want to include the asset name in the digest you send to the workflow so you don't really want to use awk here. I believe the workflow will error out if the name isn't present.
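
The two pre-flight checks the comment above points toward (stopping when the detected repository and ref are empty or the trigger is pull_request, and requiring a name next to each digest), sketched as an added example that is not part of the thread or of the project's code. The function names, the owner/name check and the sha256sum-style subject format are assumptions.

```sh
# Added example, not slsa-github-generator code; function names are hypothetical.

# check_builder_checkout EVENT REPOSITORY REF
# Stops before actions/checkout when the detected builder repository/ref are
# empty, since empty inputs make checkout fall back to the calling repository.
check_builder_checkout() {
  cbc_event=$1 cbc_repo=$2 cbc_ref=$3
  if [ "$cbc_event" = "pull_request" ]; then
    echo "error: pull_request trigger is not supported" >&2
    return 1
  fi
  if [ -z "$cbc_repo" ] || [ -z "$cbc_ref" ]; then
    echo "error: builder repository/ref not detected" >&2
    return 1
  fi
  case $cbc_repo in
    */*/* | /* | */) ;;                 # extra or empty path component
    */*) return 0 ;;
  esac
  echo "error: repository is not owner/name: $cbc_repo" >&2
  return 1
}

# check_subjects TEXT
# TEXT is the decoded subject list, assumed to be sha256sum output:
# one "<64 hex chars>  <name>" per line. Digest-only lines are rejected.
check_subjects() {
  cs_count=0
  while IFS= read -r cs_line; do
    [ -n "$cs_line" ] || continue
    cs_digest=${cs_line%% *}
    cs_rest=${cs_line#"$cs_digest"}
    cs_name=${cs_rest#"${cs_rest%%[! ]*}"}   # drop the separating spaces
    case $cs_digest in
      *[!0-9a-f]*) echo "error: non-hex digest: $cs_line" >&2; return 1 ;;
    esac
    if [ "${#cs_digest}" -ne 64 ] || [ -z "$cs_name" ]; then
      echo "error: expected '<sha256>  <name>': $cs_line" >&2
      return 1
    fi
    cs_count=$((cs_count + 1))
  done <<EOF
$1
EOF
  [ "$cs_count" -gt 0 ]
}

# Constructed sample: SHA-256 of an empty file, with and without a name.
SAMPLE_OK='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  artifact.whl'
SAMPLE_BAD='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
```

In a workflow step the first argument would come from `$GITHUB_EVENT_NAME`, and the step would run before the checkout so the job stops with a clear message instead of checking out the wrong repository.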

@behnazh-w
Contributor Author

behnazh-w commented Jun 23, 2022

Thanks. I had missed it in the docs that pull_request is not supported. It works fine on the push trigger 👍

@ianlewis
Member

> Thanks. I had missed it in the docs that pull_request is not supported. It works fine on the push trigger 👍

Great to hear. I'll go ahead and close this but feel free to reopen or create a new issue if you find something else!
