new GHA build provenance

Signed-off-by: Brian DeHamer <bdehamer@github.com>

packages/attest/src/oidc.ts

@@ -11,6 +11,7 @@ const REQUIRED_CLAIMS = [
   'sha',
   'repository',
   'event_name',
+  'job_workflow_ref',
   'workflow_ref',
   'repository_id',
   'repository_owner_id',

packages/attest/src/provenance.ts

@@ -3,10 +3,7 @@ import {getIDTokenClaims} from './oidc'
 import type {Attestation, Predicate} from './shared.types'
 
 const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1'
-
-const GITHUB_BUILDER_ID_PREFIX = 'https://github.com/actions/runner'
-const GITHUB_BUILD_TYPE =
-  'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1'
+const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1'
 
 const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com'
 
@@ -55,7 +52,8 @@ export const buildSLSAProvenancePredicate = async (
           github: {
             event_name: claims.event_name,
             repository_id: claims.repository_id,
-            repository_owner_id: claims.repository_owner_id
+            repository_owner_id: claims.repository_owner_id,
+            runner_environment: claims.runner_environment
           }
         },
         resolvedDependencies: [
@@ -69,7 +67,7 @@ export const buildSLSAProvenancePredicate = async (
       },
       runDetails: {
         builder: {
-          id: `${GITHUB_BUILDER_ID_PREFIX}/${claims.runner_environment}`
+          id: `${serverURL}/${claims.job_workflow_ref}`
         },
         metadata: {
           invocationId: `${serverURL}/${claims.repository}/actions/runs/${claims.run_id}/attempts/${claims.run_attempt}`