[bug] builder-fetch.sh breaks when using action @sha instead of @tag #4216

@auyer

Describe the bug

When using this action based on a git SHA instead of a tag (as recommended by the OSSF Scorecard guidelines), this action fails with `slsa-generator-generic-linux-amd64: No such file or directory`.

I found that this is caused by this builder-fetch.sh script:

echo "Invalid ref: $BUILDER_REF. Expected ref of the form refs/tags/vX.Y.Z"

To Reproduce
Steps to reproduce the behavior:

  1. Create an action using the SHA: uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0

Expected behavior

Using the SHA that represents a tag should yield the same result.

Is this failure intended?
Thanks.
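
A pre-flight check for the situation reported above, added here as an example (it is not part of the issue or of slsa-github-generator): it lists each `uses:` reference to the generator in a workflow and reports whether the ref is a `vX.Y.Z` tag, the form named in the quoted error message, or a 40-character commit SHA. The function names, the regular expressions and the sample workflow are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not slsa-github-generator code.

# classify_ref REF: prints "tag", "sha" or "other".
classify_ref() {
    # Assumption: "vX.Y.Z" means three dot-separated decimal numbers.
    if printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
        echo tag
    elif printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{40}$'; then
        echo sha
    else
        echo other
    fi
}

# check_workflow: reads workflow YAML on stdin and prints "<line> <kind> <ref>"
# for every slsa-github-generator reference. Returns 1 if any is not a tag.
check_workflow() {
    status=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            *uses:*slsa-framework/slsa-github-generator/*@*) ;;
            *) continue ;;
        esac
        ref=${line#*@}     # text after the first '@'
        ref=${ref%%#*}     # drop a trailing "# v2.1.0" style comment
        ref=${ref%% *}     # drop trailing whitespace
        kind=$(classify_ref "$ref")
        echo "$n $kind $ref"
        [ "$kind" = tag ] || status=1
    done
    return "$status"
}

# Constructed sample workflow: the SHA pin from the report beside a tag pin.
sample_workflow() {
    cat <<'EOF'
jobs:
  by-tag:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
  by-sha:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
EOF
}

sample_workflow | check_workflow || echo "reference(s) not in vX.Y.Z tag form" >&2
```

To check a real file, feed it on stdin: `check_workflow < .github/workflows/release.yml` (path is a placeholder).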
