updates

Signed-off-by: laurentsimon <[email protected]>
slsa-framework · Aug 2, 2023 · 9f0189d · 9f0189d
1 parent ef6480a
commit 9f0189d
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 20 deletions.
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
@@ -4,6 +4,8 @@ on:
   pull_request:
     types: [opened, edited, reopened, synchronize]
 
+permissions: read-all
+
 jobs:
   validate:
     runs-on: ubuntu-latest

diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go
@@ -285,17 +285,22 @@ func isValidDelegatorBuilderID(prov iface.Provenance) error {
 	return utils.IsValidBuilderTag(parts[1], false)
 }
 
-// BuilderID returns the full builder ID from the provenance.
-func BuilderID(env *dsselib.Envelope, trustedBuilderID *utils.TrustedBuilderID) (string, error){
-	prov, err := slsaprovenance.ProvenanceFromEnvelope(trustedBuilderID.Name(), env)
+// builderID returns the trusted builder ID from the provenance.
+// The certTrustedBuilderID input is from the Fulcio certificate.
+func builderID(env *dsselib.Envelope, certTrustedBuilderID *utils.TrustedBuilderID) (*utils.TrustedBuilderID, error) {
+	prov, err := slsaprovenance.ProvenanceFromEnvelope(certTrustedBuilderID.Name(), env)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	id, err := prov.BuilderID()
 	if err != nil {
-		return "", err
+		return nil, err
+	}
+	verifiedBuilderID, err := utils.TrustedBuilderIDNew(id, true)
+	if err != nil {
+		return nil, err
 	}
-	return id, nil
+	return verifiedBuilderID, nil
 }
 
 // VerifyProvenance verifies the provenance for the given DSSE envelope.

diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go
@@ -41,20 +41,6 @@ func (v *GHAVerifier) IsAuthoritativeFor(builderID string) bool {
 	return strings.HasPrefix(builderID, httpsGithubCom)
 }
 
-// builderID retrieves the builder ID from the provenance via the DSSE envelope.
-func builderID(env *dsse.Envelope, trustedBuilderID *utils.TrustedBuilderID) (*utils.TrustedBuilderID, error) {
-	id, err := BuilderID(env, trustedBuilderID)
-	if err != nil {
-		return nil, err
-	}
-
-	verifiedBuilderID, err := utils.TrustedBuilderIDNew(id, true)
-	if err != nil {
-		return nil, err
-	}
-	return verifiedBuilderID, nil
-}
-
 func verifyEnvAndCert(env *dsse.Envelope,
 	cert *x509.Certificate,
 	provenanceOpts *options.ProvenanceOpts,