[bug] Pinning slsa-github-generator to a commit doesn't work #722

@sethmlarson

Describe the bug

When the reusable workflow generator_generic_slsa3.yml is pinned to a commit (as is recommended by Scorecard) it fails with the following message:

Run ./.github/actions/generate-builder/generate-builder.sh
  ./.github/actions/generate-builder/generate-builder.sh
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    BUILDER_BINARY: slsa-generator-generic-linux-amd64
    BUILDER_DIR: internal/builders/generic
    BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
    BUILDER_RELEASE_BINARY: slsa-generator-generic-linux-amd64
    VERIFIER_REPOSITORY: slsa-framework/slsa-verifier
    VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64
    VERIFIER_RELEASE_BINARY_SHA256: f92fc4e571949c796d7709bb3f0814a733124b0155e484fad095b5ca68b4cb21
    VERIFIER_RELEASE: v1.1.1
    COMPILE_BUILDER: false
    BUILDER_REF: bdd89e60dc5387d8f819bebc702987956bcd4913
    GH_TOKEN: ***
Fetching the builder with ref: bdd89e60dc5387d8f819bebc702987956bcd4913
Invalid ref: bdd89e60dc5387d8f819bebc702987956bcd4913. Expected ref of the form refs/tags/vX.Y.Z

See: https://github.com/sethmlarson/python-slsa-release-test/runs/7911558087?check_suite_focus=true

To Reproduce

  • Pin slsa-github-generator workflow to a commit.
  • Run a release
  • See the failure

Expected behavior

Pinning the workflow to a commit instead of a tag works as expected.

Additional context

Related and unfortunately in direct contention with: ossf/scorecard#2174
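The failure above comes from a ref-format check: the builder fetch step accepts only a ref of the form refs/tags/vX.Y.Z, so a 40-character commit SHA (the form Scorecard's pinning check asks for) is rejected before anything is fetched. The following shell script is an added illustration of that check and is not the project's generate-builder.sh; the function names, the `classify_ref` categories and the sample refs are constructed for this example. It shows why a SHA pin and a release tag are treated differently by such a check, and how a defender can pre-validate a pinned ref locally before a release run.

```sh
#!/bin/sh
# Added example: reconstruct the ref-format check described by the error
# "Invalid ref: <ref>. Expected ref of the form refs/tags/vX.Y.Z".
# Function names and sample refs are constructed for illustration and are
# not taken from slsa-github-generator.

# classify_ref REF
# Prints one of: tag | sha | invalid
#   tag     -> refs/tags/vX.Y.Z (what the generator accepts)
#   sha     -> 40 lowercase hex characters (a commit pin, as Scorecard wants)
#   invalid -> anything else
classify_ref() {
    ref=$1
    if printf '%s\n' "$ref" | grep -Eq '^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$'; then
        printf 'tag\n'
    elif printf '%s\n' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then
        printf 'sha\n'
    else
        printf 'invalid\n'
    fi
}

# check_builder_ref REF
# Mirrors the generator's behaviour: succeed only for a release tag,
# otherwise print the same style of message and return non-zero.
check_builder_ref() {
    ref=$1
    if [ "$(classify_ref "$ref")" = tag ]; then
        printf 'Fetching the builder with ref: %s\n' "$ref"
        return 0
    fi
    printf 'Invalid ref: %s. Expected ref of the form refs/tags/vX.Y.Z\n' "$ref" >&2
    return 1
}

# Stand-alone demonstration with constructed refs. The SHA below is the one
# quoted in the issue's log; the tag is a constructed example value.
if [ "${1:-}" = "--demo" ]; then
    check_builder_ref refs/tags/v1.2.3 || :
    check_builder_ref bdd89e60dc5387d8f819bebc702987956bcd4913 || :
fi
```

Run with `sh check_ref.sh --demo` to see the tag accepted and the commit SHA rejected. The practical point for a release pipeline is that a SHA pin of the reusable workflow and a tag-only check inside that workflow cannot both hold at once; whichever convention a team adopts, validating the ref locally with a check like `classify_ref` before tagging a release avoids discovering the mismatch only in CI.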

Labels: area:generic (Issue with the generic generator), type:bug (Something isn't working)