From 05dcf72a423dab4bdce9221d2c98ed4fb4e9f324 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 23 Jul 2024 10:51:59 +0200
Subject: [PATCH 1/2] Fix predicate.buildDefinition.buildType in GH attestation rule type

The value probably changed once the attestations went from beta to GA. To see the value in your attestations' call:
```
jq '.dsseEnvelope.payload' < $PATH_TO_ATTESTATION | tr -d \" | base64 -d | jq .predicate
```

Fixes: #128
---
 rule-types/github/artifact_attestation_slsa.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rule-types/github/artifact_attestation_slsa.yaml b/rule-types/github/artifact_attestation_slsa.yaml
index 43b5e1b..24a509b 100644
--- a/rule-types/github/artifact_attestation_slsa.yaml
+++ b/rule-types/github/artifact_attestation_slsa.yaml
@@ -94,7 +94,7 @@ def:
 artifacts_github_provenance = {artifact |
 some artifact in input.ingested
 artifact.Verification.attestation.predicate_type == "https://slsa.dev/provenance/v1"
- artifact.Verification.attestation.predicate.buildDefinition.buildType == "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1"
+ artifact.Verification.attestation.predicate.buildDefinition.buildType == "https://actions.github.io/buildtypes/workflow/v1"
 }

 allow if {

From 297f1c838ce6a50dc67b1df581c006a58f7b2103 Mon Sep 17 00:00:00 2001
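Review bot: The comparison on the `+` line accepts only the GA buildType, so any artifact attested during the beta period (carrying the `slsa-framework.github.io` value the `-` line removes) now silently drops out of `artifacts_github_provenance` and, presumably, fails the policy; that is fail-closed, but the commit message itself says the value "probably" changed, so the string should be pinned against the published buildType documentation rather than against a single observed attestation. If older attestations must still verify, accept both values with a set membership, `artifact.Verification.attestation.predicate.buildDefinition.buildType in {"https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1", "https://actions.github.io/buildtypes/workflow/v1"}` (the file already uses the `in` keyword two lines above). If the beta value is meant to be rejected, a one-line comment above the check, `# GA buildType of GitHub Actions workflow provenance; the beta value is intentionally not accepted`, records that decision for the next reader. The `allow` rule that opens at the end of the hunk continues outside it.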
From: Jakub Hrozek
Date: Tue, 23 Jul 2024 11:13:03 +0200
Subject: [PATCH 2/2] The runDetails.builder.id now points to workflow, let's use buildDefinition.internalParameters.github.runner_environment to get the runner info

With GH attestations going from beta to GA, we need to use a different attribute to get to what the runner was. You can compare:
```
jq '.dsseEnvelope.payload' < $ATTESTATION_FILE | tr -d \" | base64 -d | jq .predicate.buildDefinition
```
with:
```
jq '.dsseEnvelope.payload' < $ATTESTATION_FILE | tr -d \" | base64 -d | jq .predicate.runDetails
```

Fixes: #128
---
 rule-types/github/artifact_attestation_slsa.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rule-types/github/artifact_attestation_slsa.yaml b/rule-types/github/artifact_attestation_slsa.yaml
index 24a509b..b1430d0 100644
--- a/rule-types/github/artifact_attestation_slsa.yaml
+++ b/rule-types/github/artifact_attestation_slsa.yaml
@@ -110,7 +110,7 @@ def:
 artifact.Verification.attestation.predicate.buildDefinition.externalParameters.workflow.path == input.profile.signer_identity
 artifact.Verification.attestation.predicate.buildDefinition.externalParameters.workflow.ref == workflow_ref
 artifact.Verification.attestation.predicate.buildDefinition.externalParameters.workflow.repository == input.profile.workflow_repository
- artifact.Verification.attestation.predicate.runDetails.builder.id == input.profile.runner_environment
+ artifact.Verification.attestation.predicate.buildDefinition.internalParameters.github.runner_environment == input.profile.runner_environment
 some event in input.profile.event
 artifact.Verification.attestation.predicate.buildDefinition.internalParameters.github.event_name == event
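Review bot: The `+` line changes what `input.profile.runner_environment` is matched against — a builder identifier on the `-` line, the `internalParameters.github.runner_environment` string now — so existing profiles written for the old value stop matching silently, and the diffstat shows no change to the rule type's parameter schema or description for `runner_environment` if the same file carries one. That profile-side documentation should state the new expected value shape and call out the compatibility break. Dropping the `runDetails.builder.id` comparison also removes the only check of the builder identity in this rule; if the `externalParameters.workflow.*` checks above are intended to establish that identity, a comment on the new line, `# builder identity is covered by the workflow path/ref/repository checks above; runner_environment is presumably populated by the build platform rather than the tenant — confirm`, would make the reasoning explicit. The enclosing `allow` rule starts before this hunk and continues past its last line.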