feat: Print byob builder (#677)

closes #672

---------

Signed-off-by: laurentsimon <[email protected]>

.github/workflows/pr-title.yml

@@ -4,6 +4,8 @@ on:
   pull_request:
     types: [opened, edited, reopened, synchronize]
 
+permissions: read-all
+
 jobs:
   validate:
     runs-on: ubuntu-latest

verifiers/internal/gha/provenance.go

@@ -285,6 +285,24 @@ func isValidDelegatorBuilderID(prov iface.Provenance) error {
 	return utils.IsValidBuilderTag(parts[1], false)
 }
 
+// builderID returns the trusted builder ID from the provenance.
+// The certTrustedBuilderID input is from the Fulcio certificate.
+func builderID(env *dsselib.Envelope, certTrustedBuilderID *utils.TrustedBuilderID) (*utils.TrustedBuilderID, error) {
+	prov, err := slsaprovenance.ProvenanceFromEnvelope(certTrustedBuilderID.Name(), env)
+	if err != nil {
+		return nil, err
+	}
+	id, err := prov.BuilderID()
+	if err != nil {
+		return nil, err
+	}
+	verifiedBuilderID, err := utils.TrustedBuilderIDNew(id, true)
+	if err != nil {
+		return nil, err
+	}
+	return verifiedBuilderID, nil
+}
+
 // VerifyProvenance verifies the provenance for the given DSSE envelope.
 func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts, trustedBuilderID *utils.TrustedBuilderID, byob bool) error {
 	prov, err := slsaprovenance.ProvenanceFromEnvelope(trustedBuilderID.Name(), env)

verifiers/internal/gha/verifier.go

@@ -83,9 +83,18 @@ func verifyEnvAndCert(env *dsse.Envelope,
 		return nil, nil, err
 	}
 
+	if byob {
+		// Overwrite the builderID to match the one in the provenance.
+		verifiedBuilderID, err = builderID(env, verifiedBuilderID)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
 	fmt.Fprintf(os.Stderr, "Verified build using builder %q at commit %s\n",
-		workflowInfo.SubjectWorkflow.String(),
+		verifiedBuilderID.String(),
 		workflowInfo.SourceSha1)
+
 	// Return verified provenance.
 	r, err := base64.StdEncoding.DecodeString(env.Payload)
 	if err != nil {