The runDetails.builder.id now points to workflow, let's use buildDefi…

…nition.internalParameters.github.runner_environment to get the runner info With GH attestations going from beta to GA, we need to use a different attribute to get to what the runner was. You can compare: ``` jq '.dsseEnvelope.payload' < $ATTESTATION_FILE | tr -d \" | base64 -d | jq .predicate.buildDefinition ``` with: ``` jq '.dsseEnvelope.payload' < $ATTESTATION_FILE | tr -d \" | base64 -d | jq .predicate.runDetails ``` Fixes: #128
mindersec · Jul 23, 2024 · 297f1c8 · 297f1c8
1 parent 05dcf72
commit 297f1c8
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/rule-types/github/artifact_attestation_slsa.yaml b/rule-types/github/artifact_attestation_slsa.yaml
@@ -110,7 +110,7 @@ def:
             artifact.Verification.attestation.predicate.buildDefinition.externalParameters.workflow.path == input.profile.signer_identity
             artifact.Verification.attestation.predicate.buildDefinition.externalParameters.workflow.ref == workflow_ref
             artifact.Verification.attestation.predicate.buildDefinition.externalParameters.workflow.repository == input.profile.workflow_repository
-            artifact.Verification.attestation.predicate.runDetails.builder.id == input.profile.runner_environment
+            artifact.Verification.attestation.predicate.buildDefinition.internalParameters.github.runner_environment == input.profile.runner_environment
 
             some event in input.profile.event
             artifact.Verification.attestation.predicate.buildDefinition.internalParameters.github.event_name == event