slsa-github-generator
[bug] Pinning slsa-github-generator to a commit doesn't work
Describe the bug
When the reusable workflow generator_generic_slsa3.yml is pinned to a commit (as is recommended by Scorecard) it fails with the following message:
Run ./.github/actions/generate-builder/generate-builder.sh
./.github/actions/generate-builder/generate-builder.sh
shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
env:
BUILDER_BINARY: slsa-generator-generic-linux-amd64
BUILDER_DIR: internal/builders/generic
BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
BUILDER_RELEASE_BINARY: slsa-generator-generic-linux-amd64
VERIFIER_REPOSITORY: slsa-framework/slsa-verifier
VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64
VERIFIER_RELEASE_BINARY_SHA256: f92fc4e571949c796d7709bb3f0814a733124b0155e484fad095b5ca68b4cb21
VERIFIER_RELEASE: v1.1.1
COMPILE_BUILDER: false
BUILDER_REF: bdd89e60dc5387d8f819bebc702987956bcd4913
GH_TOKEN: ***
Fetching the builder with ref: bdd89e60dc5387d8f819bebc702987956bcd4913
Invalid ref: bdd89e60dc5387d8f819bebc702987956bcd4913. Expected ref of the form refs/tags/vX.Y.Z
See: https://github.com/sethmlarson/python-slsa-release-test/runs/7911558087?check_suite_focus=true
To Reproduce
- Pin the slsa-github-generator workflow to a commit.
- Run a release.
- See the failure.
Expected behavior
Pinning workflow to a commit instead of a tag works as expected.
Additional context
Related and unfortunately in direct contention with: https://github.com/ossf/scorecard/issues/2174
This is by "design" (see https://github.com/slsa-framework/slsa-verifier/issues/12). We want to support it but we need GH support to add branch information within the OIDC token. So this is on our radar. Thanks for the reminder!
Fyi @josepalafox