slsa-framework · ianlewis · Dec 22, 2022 · Oct 7, 2022 · Dec 7, 2022 · Dec 22, 2022
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.18.5@sha256:5540a6a6b3b612c382accc545b3f6702de21e77b15d89ad947116c94b5f42993 as builder
+FROM golang:1.19.4@sha256:547083b65790caddf19707ac4c350c82fb7a1f52c0e0c520ee7db09695dc5f86 as builder
 
 WORKDIR /app
 COPY . /app

@@ -1,6 +1,6 @@
 module github.com/slsa-framework/slsa-github-generator/.github/actions/detect-workflow
 
-go 1.18
+go 1.19
 
 require github.com/slsa-framework/slsa-github-generator v1.4.0
 

@@ -118,7 +118,7 @@ jobs:
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
-          go-version: 1.18
+          go-version: 1.19
           # Note: This must be the non-randomized binary name, so that it can be downloaded from the release assets.
           binary: "${{ env.BUILDER_BINARY }}"
           compile-builder: "${{ inputs.compile-builder }}"

@@ -167,7 +167,7 @@ jobs:
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
-          go-version: 1.18
+          go-version: 1.19
           # Note: This must be the non-randomized binary name, so that it can be downloaded from the release assets.
           binary: "${{ env.BUILDER_BINARY }}"
           compile-builder: "${{ inputs.compile-builder }}"

@@ -119,7 +119,7 @@ jobs:
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
-          go-version: 1.18
+          go-version: 1.19
           binary: "${{ env.BUILDER_BINARY }}"
           compile-builder: "${{ inputs.compile-generator }}"
           # NOTE: We are using the generic generator.

@@ -147,7 +147,7 @@ jobs:
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
-          go-version: 1.18
+          go-version: 1.19
           binary: "${{ env.BUILDER_BINARY }}"
           compile-builder: "${{ inputs.compile-generator }}"
           directory: "${{ env.BUILDER_DIR }}"

@@ -34,7 +34,7 @@ jobs:
       actions: read # For the entry point.
     uses: ./.github/workflows/builder_go_slsa3.yml
     with:
-      go-version: 1.18
+      go-version: 1.19
       config-file: .github/workflows/configs-go/config-ldflags-main-dir.yml
       evaluated-envs: "VERSION:${{needs.args.outputs.version}},COMMIT:${{needs.args.outputs.commit}},BRANCH:${{needs.args.outputs.branch}}"
       compile-builder: true

@@ -13,18 +13,18 @@ jobs:
       - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
       - uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0
         with:
-          go-version: "1.18"
+          go-version: 1.19
       - env:
-          GOLANGCI_LINT_VERSION: "1.46.2"
-          GOLANGCI_LINT_CHECKSUM: "242cd4f2d6ac0556e315192e8555784d13da5d1874e51304711570769c4f2b9b"
+          GOLANGCI_LINT_VERSION: "1.50.1"
+          GOLANGCI_LINT_CHECKSUM: "4ba1dc9dbdf05b7bdc6f0e04bdfe6f63aa70576f51817be1b2540bbce017b69a"
         run: |
           set -euo pipefail
 
           #Install golangci-lint
           curl -sSLo golangci-lint.tar.gz "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz"
           echo "golangci-lint checksum is $(sha256sum golangci-lint.tar.gz | awk '{ print $1 }')"
           echo "expected checksum is $GOLANGCI_LINT_CHECKSUM"
-          echo "$GOLANGCI_LINT_CHECKSUM golangci-lint.tar.gz" | sha256sum --strict --check --status || exit -2
+          echo "$GOLANGCI_LINT_CHECKSUM  golangci-lint.tar.gz" | sha256sum --strict --check --status || exit -2
           tar xf golangci-lint.tar.gz
           mv golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint /usr/local/bin
 
@@ -37,11 +37,17 @@ jobs:
       - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
       - env:
           SHELLCHECK_VERSION: "0.8.0"
+          SHELLCHECK_CHECKSUM: "ab6ee1b178f014d1b86d1e24da20d1139656c8b0ed34d2867fbb834dad02bf0a"
         run: |
           set -euo pipefail
 
           # Install shellcheck
-          wget -qO- "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" | tar -xJf -
+          curl -sSLo shellcheck.tar.gz "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz"
+          echo "shellcheck checksum is $(sha256sum shellcheck.tar.gz | awk '{ print $1 }')"
+          echo "expected checksum is $SHELLCHECK_CHECKSUM"
+          echo "$SHELLCHECK_CHECKSUM  shellcheck.tar.gz" | sha256sum --strict --check --status || exit -2
+
+          tar xf shellcheck.tar.gz
           mv "shellcheck-v$SHELLCHECK_VERSION/shellcheck" /usr/local/bin
 
           # Run shellcheck and output github actions commands.

@@ -24,7 +24,7 @@ jobs:
       - name: setup-go
         uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0
         with:
-          go-version: "1.18"
+          go-version: 1.19
 
       - name: unit tests
         run: |

@@ -61,7 +61,7 @@ jobs:
       actions: read # For the entrypoint.
     uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@main
     with:
-      go-version: 1.18
+      go-version: 1.19
       config-file: .github/workflows/configs-generic/config-release.yml
       compile-builder: true
 
@@ -74,6 +74,6 @@ jobs:
       actions: read # For the entrypoint.
     uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@main
     with:
-      go-version: 1.18
+      go-version: 1.19
       config-file: .github/workflows/configs-go/config-release.yml
       compile-builder: true
@@ -68,13 +68,41 @@ func TestNewOIDCClient(t *testing.T) {
 func TestToken(t *testing.T) {
 	now := time.Date(2022, 4, 14, 12, 24, 0, 0, time.UTC)
 
+	errClaimsFunc := func(got error) {
+		want := &errClaims{}
+		if !errors.As(got, &want) {
+			t.Fatalf("unexpected error: %v", cmp.Diff(got, want, cmpopts.EquateErrors()))
+		}
+	}
+
+	errVerifyFunc := func(got error) {
+		want := &errVerify{}
+		if !errors.As(got, &want) {
+			t.Fatalf("unexpected error: %v", cmp.Diff(got, want, cmpopts.EquateErrors()))
+		}
+	}
+
+	errTokenFunc := func(got error) {
+		want := &errToken{}
+		if !errors.As(got, &want) {
+			t.Fatalf("unexpected error: %v", cmp.Diff(got, want, cmpopts.EquateErrors()))
+		}
+	}
+
+	errRequestErrorFunc := func(got error) {
+		want := &errRequestError{}
+		if !errors.As(got, &want) {
+			t.Fatalf("unexpected error: %v", cmp.Diff(got, want, cmpopts.EquateErrors()))
+		}
+	}
+
 	testCases := []struct {
 		name     string
 		audience []string
 		token    *OIDCToken
 		status   int
 		raw      string
-		err      error
+		err      func(error)
 	}{
 		{
 			name:     "basic token",
@@ -98,7 +126,7 @@ func TestToken(t *testing.T) {
 				RepositoryOwnerID: "4321",
 				ActorID:           "4567",
 			},
-			err: &errClaims{},
+			err: errClaimsFunc,
 		},
 		{
 			name:     "no workflow ref claim",
@@ -110,7 +138,7 @@ func TestToken(t *testing.T) {
 				RepositoryOwnerID: "4321",
 				ActorID:           "4567",
 			},
-			err: &errClaims{},
+			err: errClaimsFunc,
 		},
 		{
 			name:     "no owner id claim",
@@ -122,7 +150,7 @@ func TestToken(t *testing.T) {
 				RepositoryID:   "1234",
 				ActorID:        "4567",
 			},
-			err: &errClaims{},
+			err: errClaimsFunc,
 		},
 		{
 			name:     "no actor id claim",
@@ -134,7 +162,7 @@ func TestToken(t *testing.T) {
 				RepositoryID:      "1234",
 				RepositoryOwnerID: "4321",
 			},
-			err: &errClaims{},
+			err: errClaimsFunc,
 		},
 		{
 			name:     "expired token",
@@ -147,7 +175,7 @@ func TestToken(t *testing.T) {
 				RepositoryOwnerID: "4321",
 				ActorID:           "4567",
 			},
-			err: &errVerify{},
+			err: errVerifyFunc,
 		},
 		{
 			name:     "bad audience",
@@ -160,7 +188,7 @@ func TestToken(t *testing.T) {
 				RepositoryOwnerID: "4321",
 				ActorID:           "4567",
 			},
-			err: &errVerify{},
+			err: errVerifyFunc,
 		},
 		{
 			name:     "bad issuer",
@@ -174,49 +202,49 @@ func TestToken(t *testing.T) {
 				RepositoryOwnerID: "4321",
 				ActorID:           "4567",
 			},
-			err: &errVerify{},
-		},
-		{
-			name:     "invalid response",
-			audience: []string{"hoge"},
-			raw:      `not json`,
-			status:   http.StatusOK,
-			err:      &errToken{},
+			err: errVerifyFunc,
 		},
 		{
 			name:     "invalid parts",
 			audience: []string{"hoge"},
 			raw:      `{"value": "part1"}`,
 			status:   http.StatusOK,
-			err:      &errToken{},
+			err:      errVerifyFunc,
 		},
 		{
 			name:     "invalid base64",
 			audience: []string{"hoge"},
 			raw:      `{"value": "part1.part2.part3"}`,
 			status:   http.StatusOK,
-			err:      &errToken{},
+			err:      errVerifyFunc,
 		},
 		{
-			name:     "invalid json",
+			name:     "invalid json part",
 			audience: []string{"hoge"},
 			raw:      fmt.Sprintf(`{"value": "part1.%s.part3"}`, base64.RawURLEncoding.EncodeToString([]byte("not json"))),
 			status:   http.StatusOK,
-			err:      &errToken{},
+			err:      errVerifyFunc,
+		},
+		{
+			name:     "invalid response",
+			audience: []string{"hoge"},
+			raw:      `not json`,
+			status:   http.StatusOK,
+			err:      errTokenFunc,
 		},
 		{
 			name:     "error response",
 			audience: []string{"hoge"},
 			raw:      "",
 			status:   http.StatusServiceUnavailable,
-			err:      &errRequestError{},
+			err:      errRequestErrorFunc,
 		},
 		{
 			name:     "redirect response",
 			audience: []string{"hoge"},
 			raw:      "",
 			status:   http.StatusFound,
-			err:      &errRequestError{},
+			err:      errRequestErrorFunc,
 		},
 	}
 
@@ -234,15 +262,13 @@ func TestToken(t *testing.T) {
 			token, err := c.Token(context.Background(), tc.audience)
 			if err != nil {
 				if tc.err != nil {
-					if !errors.As(err, &tc.err) {
-						t.Fatalf("unexpected error: %v", cmp.Diff(err, tc.err, cmpopts.EquateErrors()))
-					}
+					tc.err(err)
 				} else {
 					t.Fatalf("unexpected error: %v", cmp.Diff(err, tc.err, cmpopts.EquateErrors()))
 				}
 			} else {
 				if tc.err != nil {
-					t.Fatalf("unexpected error: %v", cmp.Diff(err, tc.err, cmpopts.EquateErrors()))
+					tc.err(err)
 				} else {
 					// Successful response, as expected. Check token.
 					if want, got := tc.token, token; !tokenEqual(s.URL, want, got) {

@@ -1,6 +1,6 @@
 module github.com/slsa-framework/slsa-github-generator
 
-go 1.18
+go 1.19
 
 require (
 	github.com/coreos/go-oidc/v3 v3.4.0