Handle tags containing "@" character in buildSLSAProvenancePredicate

When using some monorepo-related tools (like [changesets](https://github.com/changesets/changesets)), the produced tags have a special format that includes `@` character. For example, a `foo` package on a monorepo will produce Git tags looking like `foo@1.0.0` if using changesets. When used in combination with `actions/attest-build-provenance`, the action was not properly re-crafting the tag in `buildSLSAProvenancePredicate` because it was always splitting the workflow ref by `@` and taking the second element. This result in this error on CI: ``` Error: Error: Failed to persist attestation: Invalid Argument - values do not match: refs/tags/foo != refs/tags/foo@1.0.0 - https://docs.github.com/rest/repos/repos#create-an-attestation ```` This PR slightly update the logic there, and rather take "everything located after the first '@'". This shouldn't introduce any breaking change, while giving support for custom tags. I've added the corresponding test case, it passes, however I couldn't successfully run the full test suite (neither on `main`). Looking forward for CI outcome. Thanks in advance for the review 🙏.
2026-04-21 06:58:04 +08:00 · 2024-10-30 14:02:29 +01:00
parent 7f5921cddd
commit 717ba9d9a4
3 changed files with 68 additions and 10 deletions
--- a/packages/attest/src/provenance.ts
+++ b/packages/attest/src/provenance.ts
@@ -30,9 +30,11 @@ export const buildSLSAProvenancePredicate = async (
  // Split just the path and ref from the workflow string.
  // owner/repo/.github/workflows/main.yml@main =>
  //   .github/workflows/main.yml, main
-  const [workflowPath, workflowRef] = claims.workflow_ref
+  const [workflowPath, ...workflowRefChunks] = claims.workflow_ref
    .replace(`${claims.repository}/`, '')
    .split('@')
+  // Handle case where tag contains `@` (e.g: when using changesets in a monorepo context),
+  const workflowRef = workflowRefChunks.join('@')

  return {
    type: SLSA_PREDICATE_V1_TYPE,