From c3ae3e352c3654a2b482aeedf02a58b9ca8d9b6c Mon Sep 17 00:00:00 2001
From: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Date: Wed, 2 Aug 2023 10:28:38 -0700
Subject: [PATCH] feat: Keep ref in sync for Maven Actions (#2510)

closes https://github.com/slsa-framework/slsa-github-generator/issues/2508

We need to keep in sync the checkout of the slsa-github-generator repo

---------

Signed-off-by: laurentsimon
---
 .../workflows/scripts/pre-release/references.sh | 14 ++++++++++++++
 .../scripts/pre-submit.actions/references.sh | 16 +++++++++++++++-
 RELEASE.md | 3 +++
 actions/maven/publish/action.yml | 2 +-
 internal/builders/maven/action.yml | 2 +-
 5 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/scripts/pre-release/references.sh b/.github/workflows/scripts/pre-release/references.sh
index aabe3ae6b8..88d58809f0 100755
--- a/.github/workflows/scripts/pre-release/references.sh
+++ b/.github/workflows/scripts/pre-release/references.sh
@@ -22,6 +22,7 @@ set -euo pipefail
 # Verify the tag has semver format.
 cd __EXAMPLE_PACKAGE__
+
 # shellcheck source=/dev/null
 source "./.github/workflows/scripts/e2e-utils.sh"
 major=$(version_major "$RELEASE_TAG")
@@ -81,6 +82,19 @@ if [[ "$results" != "" ]]; then
 exit 1
 fi
+# Verify the Maven Actions use the correct builder ref.
+results=$(
+ find actions/maven/ internal/builders/maven/ -name '*.yaml' -o -name '*.yml' -type f -print0 |
+ xargs -0 grep -Pn "ref:(\s*(?!$RELEASE_TAG)[^\s]+)" ||
+ true
+)
+if [[ "$results" != "" ]]; then
+ echo "Some Maven Actions are referencing the builder at the incorrect tag \"$RELEASE_TAG\""
+ echo "$results"
+ exit 1
+fi
+
+
 if [[ "$RELEASE_TAG" =~ .*-rc\.[0-9]*$ ]]; then
 # don't check documentation for release candidates
 exit 0
diff --git a/.github/workflows/scripts/pre-submit.actions/references.sh b/.github/workflows/scripts/pre-submit.actions/references.sh
index 9f746c32d6..b4347b7a5e 100755
--- a/.github/workflows/scripts/pre-submit.actions/references.sh
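Review bot: The new `find` never emits `.yaml` files, because without grouping the expression parses as `-name '*.yaml' -o ( -name '*.yml' -type f -print0 )` and the `-print0` action only fires on the `.yml` branch, so a `.yaml` Maven action still checked out at a stale builder ref would pass this release gate silently. Group the name tests: `find actions/maven/ internal/builders/maven/ \( -name '*.yaml' -o -name '*.yml' \) -type f -print0 |`; the same precedence problem is on both `find` lines of pre-submit.actions/references.sh (the RELEASE.md commands have no explicit action, so find's implicit -print covers the whole expression there). The grep pattern has a second gap: `(?!$RELEASE_TAG)` is a prefix test with the tag interpolated unescaped, so with `RELEASE_TAG=v1.8.0` a leftover `ref: v1.8.0-rc.1` (or `v1.8.01`, or `v1x8x0`) is not flagged. Anchoring the lookahead to the whole token and quoting the tag, `xargs -0 grep -Pn "ref:\s*(?!\Q$RELEASE_TAG\E(?!\S))\S+" ||`, closes it; `(?!main)` in the pre-submit script has the same prefix semantics but no realistic collision.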
+++ b/.github/workflows/scripts/pre-submit.actions/references.sh
@@ -36,7 +36,7 @@ fi
 # Verify our Actions are referenced at main in internal actions.
 results=$(
- find .github/actions/ -maxdepth 2 -name '*.yaml' -o -name '*.yml' -type f -print0 \
+ find .github/actions/ -maxdepth 2 -name '*.yaml' -o -name '*.yml' -type f -print0 |
 xargs -0 grep -P "slsa-framework/slsa-github-generator/.*@(?!main)" || true
 )
@@ -57,3 +57,17 @@ if [[ "$results" != "" ]]; then
 echo "$results"
 exit 1
 fi
+
+# Verify the Maven Actions use the correct builder ref.
+results=$(
+ find actions/maven/ internal/builders/maven/ -name '*.yaml' -o -name '*.yml' -type f -print0 |
+ xargs -0 grep -Pn "ref:(\s*(?!main)[^\s]+)" ||
+ true
+)
+if [[ "$results" != "" ]]; then
+ echo "Some Maven Actions are not referencing the builder at main"
+ echo "$results"
+ exit 1
+fi
+
+
diff --git a/RELEASE.md b/RELEASE.md
index c7688a0829..2a007aebe2 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -475,6 +475,7 @@ Update version references with the following command:
 ```shell
 find .github/workflows/ .github/actions/ actions/ -name '*.yaml' -o -name '*.yml' | xargs sed -i "s/uses: slsa-framework\/slsa-github-generator\/\(.*\)@\(main\|v[0-9]\+\.[0-9]\+\.[0-9]\+\(-rc\.[0-9]\+\)\?\)/uses: slsa-framework\/slsa-github-generator\/\1@$BUILDER_TAG/"
+find actions/maven/ internal/builders/maven/ -name '*.yaml' -o -name '*.yml' -type f | xargs sed -i "s/\(ref:[ ]*\)main/\1$BUILDER_TAG/"
 ```
 Likewise, update documentation with the following command:
@@ -504,6 +505,8 @@ Send a PR to reference the Actions at `@main`. You can use:
 ```shell
 find .github/workflows/ .github/actions/ actions/ -name '*.yaml' -o -name '*.yml' | xargs sed -i "s/uses: slsa-framework\/slsa-github-generator\/\(.*\)@${BUILDER_TAG}/uses: slsa-framework\/slsa-github-generator\/\1@main/"
+find actions/maven/ internal/builders/maven/ -name '*.yaml' -o -name '*.yml' -type f | xargs sed -i "s/\(ref:[ ]*\)$BUILDER_TAG/\1main/"
+
 ```
 ### Update verifier
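Review bot: `|| true` on the `find | xargs grep` pipelines accepts every non-zero status, not just grep's no-match exit 1, so an error from `find` or `xargs` leaves `results` empty and the guard passes; that is presumably how the `\`-continuation bug this hunk fixes (the `xargs ...` line was being handed to `find` as extra arguments) went unnoticed, and the check still fails open. The new Maven check in the second hunk and the one in pre-release/references.sh inherit the same `|| true`. For those two, which need no `-maxdepth`, letting grep recurse yields one meaningful exit status: `grep -rPn --include='*.yml' --include='*.yaml' "ref:(\s*(?!main)[^\s]+)" actions/maven/ internal/builders/maven/ || [[ $? -eq 1 ]]`, which keeps "no match" silent and lets any other failure abort the script under `set -e` (assuming this script enables it like the pre-release one does). For the `.github/actions/` pipeline, which relies on `-maxdepth 2`, at least require the `find` stage to have succeeded, e.g. `|| [[ "${PIPESTATUS[0]}" -eq 0 ]]`.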
diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml
index 529be1bad3..f4b071cd7b 100644
--- a/actions/maven/publish/action.yml
+++ b/actions/maven/publish/action.yml
@@ -76,7 +76,7 @@ runs:
 uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
 with:
 repository: slsa-framework/slsa-github-generator
- ref: v1.8.0
+ ref: main
 path: __BUILDER_CHECKOUT_DIR__
 - name: Publish to the Maven Central Repository
diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml
index 7aee36c2ed..70b814ebc4 100644
--- a/internal/builders/maven/action.yml
+++ b/internal/builders/maven/action.yml
@@ -62,7 +62,7 @@ runs:
 uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
 with:
 repository: slsa-framework/slsa-github-generator
- ref: v1.8.0
+ ref: main
 path: __BUILDER_CHECKOUT_DIR__
 - name: Run mvn package
 shell: bash