From e8e6fc8efea9d519cd1bf3622a7bd0ccb818f2d0 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Wed, 2 Aug 2023 17:46:16 +0000
Subject: [PATCH] updates

Signed-off-by: laurentsimon
---
 .github/workflows/pr-title.yml | 2 ++
 verifiers/internal/gha/provenance.go | 17 +++++++++++------
 verifiers/internal/gha/verifier.go | 14 --------------
 3 files changed, 13 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 0f6c41cab..05c7a663b 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -4,6 +4,8 @@ on:
   pull_request:
     types: [opened, edited, reopened, synchronize]
 
+permissions: read-all
+
 jobs:
   validate:
     runs-on: ubuntu-latest
diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go
index a80f8f51a..a52f16acb 100644
--- a/verifiers/internal/gha/provenance.go
+++ b/verifiers/internal/gha/provenance.go
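Review bot: `permissions: read-all` grants read access on every token scope to every job in this workflow, which is broader than least privilege; unless the validate job's action needs more, a narrower block such as `permissions:` followed by `pull-requests: read` (or `contents: read`) limits what a compromised step could read. The job body is outside the hunk, so which scopes the action actually needs cannot be confirmed from here; the set should be derived from that action's documentation rather than from the catch-all. A one-line comment above the block stating why only read scopes are required would help the next editor keep it tight.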
@@ -285,17 +285,22 @@ func isValidDelegatorBuilderID(prov iface.Provenance) error {
 	return utils.IsValidBuilderTag(parts[1], false)
 }
 
-// BuilderID returns the full builder ID from the provenance.
-func BuilderID(env *dsselib.Envelope, trustedBuilderID *utils.TrustedBuilderID) (string, error){
-	prov, err := slsaprovenance.ProvenanceFromEnvelope(trustedBuilderID.Name(), env)
+// builderID returns the trusted builder ID from the provenance.
+// The certTrustedBuilderID input is from the Fulcio certificate.
+func builderID(env *dsselib.Envelope, certTrustedBuilderID *utils.TrustedBuilderID) (*utils.TrustedBuilderID, error) {
+	prov, err := slsaprovenance.ProvenanceFromEnvelope(certTrustedBuilderID.Name(), env)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	id, err := prov.BuilderID()
 	if err != nil {
-		return "", err
+		return nil, err
+	}
+	verifiedBuilderID, err := utils.TrustedBuilderIDNew(id, true)
+	if err != nil {
+		return nil, err
 	}
-	return id, nil
+	return verifiedBuilderID, nil
 }
 
 // VerifyProvenance verifies the provenance for the given DSSE envelope.
diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go
index 8c6f08b02..ed59e7834 100644
--- a/verifiers/internal/gha/verifier.go
+++ b/verifiers/internal/gha/verifier.go
@@ -41,20 +41,6 @@ func (v *GHAVerifier) IsAuthoritativeFor(builderID string) bool {
 	return strings.HasPrefix(builderID, httpsGithubCom)
 }
 
-// builderID retrieves the builder ID from the provenance via the DSSE envelope.
-func builderID(env *dsse.Envelope, trustedBuilderID *utils.TrustedBuilderID) (*utils.TrustedBuilderID, error) {
-	id, err := BuilderID(env, trustedBuilderID)
-	if err != nil {
-		return nil, err
-	}
-
-	verifiedBuilderID, err := utils.TrustedBuilderIDNew(id, true)
-	if err != nil {
-		return nil, err
-	}
-	return verifiedBuilderID, nil
-}
-
 func verifyEnvAndCert(env *dsse.Envelope, cert *x509.Certificate, provenanceOpts *options.ProvenanceOpts,
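Review bot: The new builderID only uses certTrustedBuilderID.Name() to select the provenance parser and never compares the id parsed from the provenance with the certificate's builder ID, yet the doc comment reads as if the returned value were already tied to the certificate; presumably the caller performs that comparison, but the contract should be stated on the function, e.g. `// builderID does not check that the returned ID matches certTrustedBuilderID; callers must verify that themselves.` The literal `true` in `utils.TrustedBuilderIDNew(id, true)` is a bare boolean whose meaning is not visible at the call site and deserves a why-comment naming the option it enables. A nil certTrustedBuilderID still panics on `.Name()`, as in the old code; if an error helper is already in scope in this file, returning an error from a guard would be preferable to a crash inside a verifier. The whole function is visible in the hunk, so both comments fit here.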