From 73100a7f859ab147f86b4e5ce745dca68742fa44 Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Wed, 5 Jun 2024 14:36:23 -0700
Subject: [PATCH] new GHA build provenance
Signed-off-by: Brian DeHamer
---
 packages/attest/RELEASES.md | 1 +
 .../__tests__/__snapshots__/provenance.test.ts.snap | 5 +++--
 packages/attest/__tests__/oidc.test.ts | 3 ++-
 packages/attest/__tests__/provenance.test.ts | 1 +
 packages/attest/src/oidc.ts | 1 +
 packages/attest/src/provenance.ts | 10 ++++------
 6 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/packages/attest/RELEASES.md b/packages/attest/RELEASES.md
index 835a0f5cb3..2988d76853 100644
--- a/packages/attest/RELEASES.md
+++ b/packages/attest/RELEASES.md
@@ -3,6 +3,7 @@ ### 1.3.0 - Dynamic construction of Sigstore API URLs
+- Switch to new GH provenance build type
 - Bump @sigstore/bundle from 2.3.0 to 2.3.2
 - Bump @sigstore/sign from 2.3.0 to 2.3.2
diff --git a/packages/attest/__tests__/__snapshots__/provenance.test.ts.snap b/packages/attest/__tests__/__snapshots__/provenance.test.ts.snap
index 2aed4a168e..39a57c226b 100644
--- a/packages/attest/__tests__/__snapshots__/provenance.test.ts.snap
+++ b/packages/attest/__tests__/__snapshots__/provenance.test.ts.snap
@@ -4,7 +4,7 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance { "params": { "buildDefinition": {
- "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
+ "buildType": "https://actions.github.io/buildtypes/workflow/v1",
 "externalParameters": { "workflow": { "path": ".github/workflows/main.yml",
@@ -17,6 +17,7 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance "event_name": "push", "repository_id": "repo-id", "repository_owner_id": "owner-id",
+ "runner_environment": "github-hosted",
 }, }, "resolvedDependencies": [ 
@@ -30,7 +31,7 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance }, "runDetails": { "builder": {
- "id": "https://github.com/actions/runner/github-hosted",
+ "id": "https://github.com/owner/workflows/.github/workflows/publish.yml@main",
 }, "metadata": { "invocationId": "https://github.com/owner/repo/actions/runs/run-id/attempts/run-attempt",
diff --git a/packages/attest/__tests__/oidc.test.ts b/packages/attest/__tests__/oidc.test.ts
index 5a6a665f84..ec02ae2924 100644
--- a/packages/attest/__tests__/oidc.test.ts
+++ b/packages/attest/__tests__/oidc.test.ts
@@ -45,7 +45,8 @@ describe('getIDTokenClaims', () => { sha: 'sha', repository: 'repo', event_name: 'push',
- workflow_ref: 'main',
+ job_workflow_ref: 'job_workflow_ref',
+ workflow_ref: 'workflow',
 repository_id: '1', repository_owner_id: '1', runner_environment: 'github-hosted',
diff --git a/packages/attest/__tests__/provenance.test.ts b/packages/attest/__tests__/provenance.test.ts
index f4ac707e38..3d61fff9a4 100644
--- a/packages/attest/__tests__/provenance.test.ts
+++ b/packages/attest/__tests__/provenance.test.ts
@@ -23,6 +23,7 @@ describe('provenance functions', () => { repository: 'owner/repo', ref: 'refs/heads/main', sha: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
+ job_workflow_ref: 'owner/workflows/.github/workflows/publish.yml@main',
 workflow_ref: 'owner/repo/.github/workflows/main.yml@main', event_name: 'push', repository_id: 'repo-id',
diff --git a/packages/attest/src/oidc.ts b/packages/attest/src/oidc.ts
index 51ebad4202..7e3eab6dec 100644
--- a/packages/attest/src/oidc.ts
+++ b/packages/attest/src/oidc.ts
@@ -11,6 +11,7 @@ const REQUIRED_CLAIMS = [ 'sha', 'repository', 'event_name',
+ 'job_workflow_ref',
 'workflow_ref', 'repository_id', 'repository_owner_id',
diff --git a/packages/attest/src/provenance.ts b/packages/attest/src/provenance.ts
index 29d7c92a56..0ef89e01cc 100644
--- a/packages/attest/src/provenance.ts
+++ b/packages/attest/src/provenance.ts 
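Review bot: The new `'job_workflow_ref'` entry in REQUIRED_CLAIMS says nothing about why the claim became mandatory, and the reason is non-local: provenance.ts in this same commit now derives `runDetails.builder.id` from `claims.job_workflow_ref`, so a token without it would presumably end up with a builder id of `https://github.com/undefined`. A short comment on the entry would keep that dependency visible, e.g. `// required: provenance.ts builds runDetails.builder.id from this claim`. Whether the list is enforced beyond presence is not visible here; since the value becomes the identifier verifiers match policy against, a shape check against the `owner/repo/.github/workflows/file.yml@ref` form used in the provenance test fixture would be a reasonable follow-up. The REQUIRED_CLAIMS array opens and closes outside the hunk.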
@@ -3,10 +3,7 @@ import {getIDTokenClaims} from './oidc'
 import type {Attestation, Predicate} from './shared.types'
 const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1'
-
-const GITHUB_BUILDER_ID_PREFIX = 'https://github.com/actions/runner'
-const GITHUB_BUILD_TYPE = 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1'
+const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1'
 const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com'
@@ -55,7 +52,8 @@ export const buildSLSAProvenancePredicate = async ( github: { event_name: claims.event_name, repository_id: claims.repository_id,
- repository_owner_id: claims.repository_owner_id
+ repository_owner_id: claims.repository_owner_id,
+ runner_environment: claims.runner_environment
 } }, resolvedDependencies: [
@@ -69,7 +67,7 @@ export const buildSLSAProvenancePredicate = async ( }, runDetails: { builder: {
- id: `${GITHUB_BUILDER_ID_PREFIX}/${claims.runner_environment}`
+ id: `${serverURL}/${claims.job_workflow_ref}`
 }, metadata: { invocationId: `${serverURL}/${claims.repository}/actions/runs/${claims.run_id}/attempts/${claims.run_attempt}`
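Review bot: The builder id assigned on the `+ id: \`${serverURL}/${claims.job_workflow_ref}\`` line changes what the field identifies without a comment saying so, and builder.id is the value verifiers pin trust to: the removed form encoded the runner environment (`https://github.com/actions/runner/github-hosted` in the old snapshot), the new form names the workflow that ran the job, and `runner_environment` now appears only in the `github` block extended in the second hunk (its parent key is outside the hunk; presumably internalParameters). GitHub-hosted and self-hosted runs therefore share one builder.id, so a consumer that told them apart through builder.id must now read `runner_environment` instead — worth stating at the builder object, e.g. `// builder.id is the (reusable) workflow ref, not the runner; runner_environment is recorded separately`. The ref part of `job_workflow_ref` is mutable (`@main` in the test fixture), so the id names a branch rather than a pinned revision; if a commit-pinned builder identity is wanted, the token's `job_workflow_sha` claim is the natural companion, though nothing on the page shows whether it is exposed here. The same framing comment belongs on the new `GITHUB_BUILD_TYPE` constant in the first hunk, since buildType and builder.id are what a policy matches as a pair. buildSLSAProvenancePredicate begins before the hunk and continues past it.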