
[bug] slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout fails when using a hash for the action version #3498

Closed
lahabana opened this issue Apr 2, 2024 · 4 comments
Labels
status:triage Issue that has not been triaged type:bug Something isn't working

Comments

lahabana commented Apr 2, 2024

Describe the bug
When using slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@c747fe7769adf3656dc7d588b161cb614d7abfee the run fails with:

Fetching the builder with ref: c747fe7769adf3656dc7d588b161cb614d7abfee
Invalid ref: c747fe7769adf3656dc7d588b161cb614d7abfee. Expected ref of the form refs/tags/vX.Y.Z

c747... matches v1.10.0, and it is good security practice to use git hashes instead of tags to reference external GitHub Actions.

Job output for reference:
https://github.com/kumahq/kuma/actions/runs/8521526542/job/23348470597

To Reproduce
Steps to reproduce the behavior:

1. Create an action like:

```yaml
artifact-provenance:
  uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@c747fe7769adf3656dc7d588b161cb614d7abfee # v1.10.0
  with:
    base64-subjects: ${{ inputs.binary_artifacts_hashes_as_file }}
    upload-assets: ${{ github.ref_type == 'tag' }}
    upload-tag-name: ${{ github.ref_name }}
    provenance-name: ${{ github.event.repository.name }}.intoto.jsonl
```

2. Run it.
3. See the error:

```text
Run slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.10.0
  with:
    repository: slsa-framework/slsa-github-generator
    ref: c747fe7769adf3656dc7d588b161cb614d7abfee
    go-version: 1.21
    binary: slsa-generator-generic-linux-amd64
    compile-builder: false
    directory: internal/builders/generic
    allow-private-repository: false
    testing: false
    token: ***
  env:
    BUILDER_BINARY: slsa-generator-generic-linux-amd64
    BUILDER_DIR: internal/builders/generic
    SUBJECTS_FILENAME: subjects.sha256sum.base64.231b023dad77ada71cb6fb328090d00a
Run slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.10.0
  with:
    repository: slsa-framework/slsa-github-generator
    ref: c747fe7769adf3656dc7d588b161cb614d7abfee
    path: __BUILDER_CHECKOUT_DIR__
    token: ***
  env:
    BUILDER_BINARY: slsa-generator-generic-linux-amd64
    BUILDER_DIR: internal/builders/generic
    SUBJECTS_FILENAME: subjects.sha256sum.base64.231b023dad77ada71cb6fb328090d00a
Run actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
  with:
    repository: slsa-framework/slsa-github-generator
    ref: c747fe7769adf3656dc7d588b161cb614d7abfee
    token: ***
    path: __BUILDER_CHECKOUT_DIR__
    persist-credentials: false
    fetch-depth: 1
    ssh-strict: true
    clean: true
    sparse-checkout-cone-mode: true
    fetch-tags: false
    show-progress: true
    lfs: false
    submodules: false
    set-safe-directory: true
  env:
    BUILDER_BINARY: slsa-generator-generic-linux-amd64
    BUILDER_DIR: internal/builders/generic
    SUBJECTS_FILENAME: subjects.sha256sum.base64.231b023dad77ada71cb6fb328090d00a
Syncing repository: slsa-framework/slsa-github-generator
Getting Git version info
Temporarily overriding HOME='/home/runner/work/_temp/d62883f9-59ac-4b68-99af-dbf6e297f05d' before making global git config changes
Adding repository directory to the temporary git global config as a safe directory
/usr/bin/git config --global --add safe.directory /home/runner/work/kuma/kuma/__BUILDER_CHECKOUT_DIR__
Initializing the repository
Disabling automatic garbage collection
Setting up auth
Fetching the repository
Determining the checkout info
Checking out the ref
/usr/bin/git log -1 --format='%H'
'c747fe7769adf3656dc7d588b161cb614d7abfee'
Removing auth
Run ./__BUILDER_CHECKOUT_DIR__/.github/actions/privacy-check
Run actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
Setup go version spec 1.21
Found in cache @ /opt/hostedtoolcache/go/1.21.8/x64
Added go to the path
Successfully set up Go version 1.21
/opt/hostedtoolcache/go/1.21.8/x64/bin/go env GOMODCACHE
/opt/hostedtoolcache/go/1.21.8/x64/bin/go env GOCACHE
/home/runner/go/pkg/mod
/home/runner/.cache/go-build
Warning: Restore cache failed: Dependencies file is not found in /home/runner/work/kuma/kuma. Supported file pattern: go.sum
go version go1.21.8 linux/amd64

go env
Run ./__BUILDER_CHECKOUT_DIR__/.github/actions/generate-builder/generate-builder.sh
  ./__BUILDER_CHECKOUT_DIR__/.github/actions/generate-builder/generate-builder.sh
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    BUILDER_BINARY: slsa-generator-generic-linux-amd64
    BUILDER_DIR: ./__BUILDER_CHECKOUT_DIR__/internal/builders/generic
    SUBJECTS_FILENAME: subjects.sha256sum.base64.231b023dad77ada71cb6fb328090d00a
    BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
    BUILDER_RELEASE_BINARY: slsa-generator-generic-linux-amd64
    VERIFIER_REPOSITORY: slsa-framework/slsa-verifier
    VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64
    VERIFIER_RELEASE_BINARY_SHA256: e81900c9f11a44276e1552afb7c1f6ea7b13ad9c6efdb920d97f23a76659e25f
    VERIFIER_RELEASE: v2.4.1
    COMPILE_BUILDER: false
    BUILDER_REF: c747fe7769adf3656dc7d588b161cb614d7abfee
    GH_TOKEN: ***
    SLSA_VERIFIER_TESTING: false
Fetching the builder with ref: c747fe7769adf3656dc7d588b161cb614d7abfee
Invalid ref: c747fe7769adf3656dc7d588b161cb614d7abfee. Expected ref of the form refs/tags/vX.Y.Z
Error: Process completed with exit code 2.
```

Expected behavior
I should be able to do this so that my action references keep using hashes instead of tags.
I

@lahabana lahabana added status:triage Issue that has not been triaged type:bug Something isn't working labels Apr 2, 2024
lahabana commented Apr 2, 2024

I think the problem comes down to:

This ref is set:

```javascript
    } else {
      // Otherwise this is an external repository.
      // Filter referenced_workflows for slsa-github-generator repositories.
      // TODO(https://github.com/actions/runner/issues/2417): When
      // GITHUB_JOB_WORKFLOW_SHA becomes fully functional, the OIDC token
      // detection can be removed and we can identify the current reusable
      // workflow through the sha of a referenced workflow, fully supporting all
      // triggers without the repository filter.
      for (const reusableWorkflow of workflowData.referenced_workflows) {
        const workflowPath = reusableWorkflow.path.split("@", 1);
        const [workflowOwner, workflowRepo, ...workflowArray] = workflowPath[0].split("/");
        if (workflowRepo === "slsa-github-generator") {
          if (!reusableWorkflow.ref) {
            return Promise.reject(Error("Referenced slsa-github-generator workflow missing ref: was the workflow invoked by digest?"));
          }
          const tmpRepository = [workflowOwner, workflowRepo].join("/");
          const tmpRef = reusableWorkflow.ref;
          const tmpWorkflow = workflowArray.join("/");
          // If there are multiple invocations of reusable workflows in
          // a single caller workflow, ensure that the repositories and refs are
          // the same.
          if (repository !== "" && repository !== tmpRepository) {
            return Promise.reject(Error("Unexpected mismatch of repositories"));
          }
          if (ref !== "" && ref !== tmpRef) {
            return Promise.reject(Error("Unexpected mismatch of reference"));
          }
          repository = tmpRepository;
          ref = tmpRef;
          workflow = tmpWorkflow;
        }
      }
    }
```

But it's used as is, not reversed back to a tag if there is one.

We then use this as ref:

```yaml
ref: "${{ needs.detect-env.outputs.ref }}"
```

```bash
PREFIX="refs/tags/"
# Extract version.
if [[ "$BUILDER_REF" != "$PREFIX"* ]]; then
  echo "Invalid ref: $BUILDER_REF. Expected ref of the form refs/tags/vX.Y.Z"
  exit 2
fi
builder_tag="${BUILDER_REF#"$PREFIX"}"
```

lahabana added a commit to lahabana/kuma that referenced this issue Apr 2, 2024
Because of slsa-framework/slsa-github-generator#3498
we can't use hash in the action so we use version instead

Signed-off-by: Charly Molter <charly.molter@konghq.com>
lahabana added a commit to kumahq/kuma that referenced this issue Apr 2, 2024
Because of slsa-framework/slsa-github-generator#3498
we can't use hash in the action so we use version instead

Signed-off-by: Charly Molter <charly.molter@konghq.com>
ramonpetgrave64 (Collaborator) commented

Thanks for reporting this. It also doesn't work for me to reference the workflow by hash:
https://github.com/ramonpetgrave/my-example-gradle-project/actions/runs/8528869597/job/23363478332?pr=8

I think as a fix maybe we can merge these two outer if-blocks with an elif:

```bash
# Extract version.
if [[ "$BUILDER_REF" != "$PREFIX"* ]]; then
  echo "Invalid ref: $BUILDER_REF. Expected ref of the form refs/tags/vX.Y.Z"
  exit 2
fi
builder_tag="${BUILDER_REF#"$PREFIX"}"
if [[ "$builder_tag" == "$(echo -n "$builder_tag" | grep -P '^[a-f\d]{40}$')" ]]; then
  echo "Builder referenced by hash: $builder_tag"
  echo "Resolving..."
  release_tag=""
  # List the releases and find the corresponding hash.
  release_list=$(gh release -R "$BUILDER_REPOSITORY" -L 50 list)
  while read -r line; do
    tag=$(echo "$line" | cut -f1)
    branch=$(gh release -R "$BUILDER_REPOSITORY" view "$tag" --json targetCommitish --jq '.targetCommitish')
    if [[ "$branch" != "main" ]]; then
      continue
    fi
    commit=$(gh api /repos/"$BUILDER_REPOSITORY"/git/ref/tags/"$tag" | jq -r '.object.sha')
    if [[ "$commit" == "$builder_tag" ]]; then
      release_tag="$tag"
      echo "Found tag $builder_tag match at tag $tag and commit $commit"
      break
    fi
  done <<<"$release_list"
  if [[ -z "$release_tag" ]]; then
    echo "Tag not found for $builder_tag"
    exit 3
  fi
```
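
The check in generate-builder.sh and the hash-to-tag resolution sketched in the two comments above, written out as an added, offline example (not the project's code): the `gh` calls are replaced by constructed lookup tables shaped like the `git/ref/tags/<tag>` and `git/tags/<sha>` API responses. Only c747fe7769adf3656dc7d588b161cb614d7abfee and v1.10.0 come from the thread; the other tags and hashes are made up. The resolver also dereferences annotated tags, whose `object.sha` is the tag object rather than the commit, which a comparison against a commit hash would otherwise miss.

```bash
#!/usr/bin/env bash
# Added example, not code from slsa-github-generator. Classifies a builder ref
# the way generate-builder.sh does and resolves a commit hash back to a release
# tag using constructed data in place of `gh api` calls.
set -euo pipefail

# Constructed stand-in for `gh api /repos/<repo>/git/ref/tags/<tag>`:
# "tag<TAB>object.type<TAB>object.sha". Only the v1.10.0 row is from the issue.
TAG_REFS=$'v1.10.0\tcommit\tc747fe7769adf3656dc7d588b161cb614d7abfee
v1.9.0\tcommit\t1111111111111111111111111111111111111111
v1.8.0\ttag\t2222222222222222222222222222222222222222'

# Constructed stand-in for `gh api /repos/<repo>/git/tags/<sha>`, which maps an
# annotated tag object ("tag object sha<TAB>commit sha") to its commit.
TAG_OBJECTS=$'2222222222222222222222222222222222222222\t3333333333333333333333333333333333333333'

# Prints "tag <vX.Y.Z>" for refs/tags/vX.Y.Z, "sha <hash>" for a 40-hex commit
# id, and fails with exit 2 (as the builder script does) for anything else.
classify_builder_ref() {
  local ref="$1" prefix="refs/tags/"
  local tag_re='^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$' sha_re='^[0-9a-f]{40}$'
  if [[ "$ref" =~ $tag_re ]]; then
    printf 'tag %s\n' "${ref#"$prefix"}"
  elif [[ "$ref" =~ $sha_re ]]; then
    printf 'sha %s\n' "$ref"
  else
    printf 'Invalid ref: %s. Expected refs/tags/vX.Y.Z or a commit hash\n' "$ref" >&2
    return 2
  fi
}

# Prints the release tag whose commit equals the given hash; exit 3 if none.
resolve_sha_to_tag() {
  local want="$1" tag type sha commit
  while IFS=$'\t' read -r tag type sha; do
    commit="$sha"
    if [[ "$type" == "tag" ]]; then
      # Annotated tag: object.sha is the tag object, so look up its commit.
      commit=$(awk -F'\t' -v s="$sha" '$1 == s { print $2 }' <<<"$TAG_OBJECTS")
    fi
    if [[ "$commit" == "$want" ]]; then
      printf '%s\n' "$tag"
      return 0
    fi
  done <<<"$TAG_REFS"
  printf 'Tag not found for %s\n' "$want" >&2
  return 3
}
```

Against the real API the `TAG_REFS` lookup is one request per release, so a bounded release list (as in the `-L 50` above) keeps the resolution cost predictable.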

lahabana commented Apr 3, 2024

ramonpetgrave64 (Collaborator) commented

Thanks for finding that. Since we've learned that this is intentional, I'll close this issue for now, since we're still keeping the other one open:

slsa-framework/slsa-verifier#12
