chore: fix nits in Gradle builder (#2645)

Fixes #2643 The following comments are irrelevant and have not been addressed: 1. #2636 (comment) (was already done) 2. #2636 (comment) (the code has been removed) @ianlewis @laurentsimon PTAL Signed-off-by: AdamKorcz <adam@adalogics.com>
slsa-framework · Aug 18, 2023 · 180a89c · 180a89c
1 parent f89a0f4
commit 180a89c
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/internal/builders/gradle/action.yml b/internal/builders/gradle/action.yml
@@ -84,33 +84,35 @@ runs:
         }
         validate_path "${UNTRUSTED_PROJECT_ROOT}"
         # remove trailing "/"'s with `realpath`
-        project_root=$(realpath "${UNTRUSTED_PROJECT_ROOT}")
+        project_root=$(realpath -e "${UNTRUSTED_PROJECT_ROOT}")
+
+        # output the validated project root for later steps
+        echo "validated_project_root=${project_root}" >> "${GITHUB_OUTPUT}"
 
         cd "${project_root}" \
           && ./gradlew build -x test
 
     - name: Put release artifacts in one directory
+      id: collect_release_artifacts
       shell: bash
       env:
         SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
         UNTRUSTED_ARTIFACT_LIST: ${{ fromJson(inputs.slsa-workflow-inputs).artifact-list }}
-        PROJECT_ROOT: ${{ fromJson(inputs.slsa-workflow-inputs).directory }}
+        PROJECT_ROOT: ${{ steps.collect_release_artifacts.outputs.validated_project_root }}
       run: |
         cd "${PROJECT_ROOT}" && "${GITHUB_WORKSPACE}"/../__TOOL_ACTION_DIR__/collect_release_artifacts.sh
     - name: Make outputs
       id: make-outputs
       shell: bash
       env:
         SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
-        PROJECT_ROOT: ${{ fromJson(inputs.slsa-workflow-inputs).directory }}
+        PROJECT_ROOT: ${{ steps.collect_release_artifacts.outputs.validated_project_root }}
       run: |
         cd "${PROJECT_ROOT}" && "${GITHUB_WORKSPACE}"/../__TOOL_ACTION_DIR__/create_attestation.sh
     - name: Move build dir to avoid making it a sub-dir when uploading
       shell: bash
       env:
-        # PROJECT_ROOT is generally untrusted, but the builder has validated
-        # it in the 'Run gradle builder' step and is therefore trusted now.
-        PROJECT_ROOT: ${{ fromJson(inputs.slsa-workflow-inputs).directory }}
+        PROJECT_ROOT: ${{ steps.collect_release_artifacts.outputs.validated_project_root }}
       run: |
         mv "${PROJECT_ROOT}"/build "${GITHUB_WORKSPACE}"/
     - name: Upload build dir