fix: ensure no self-hosted runners for generic generators

.github/actions/detect-workflow-js/__tests__/main.test.ts

@@ -17,6 +17,7 @@ import { create } from "domain";
 const core = require("@actions/core");
 const detect = require("../src/detect");
 const github = require("@actions/github");
+const OctokitRest = require("@octokit/rest");
 
 describe("decodeToken", () => {
   it("return email and job_workflow_ref", () => {
@@ -52,9 +53,8 @@ describe("detectWorkflowFromOIDC", () => {
     core.getIDToken.mockClear();
     core.getIDToken.mockReturnValueOnce(jwt);
 
-    const [repo, ref, workflow] = await detect.detectWorkflowFromOIDC(
-      "some/audience",
-    );
+    const [repo, ref, workflow] =
+      await detect.detectWorkflowFromOIDC("some/audience");
     expect(repo).toBe("octo-org/octo-automation");
     expect(ref).toBe("refs/heads/main");
     expect(workflow).toBe(".github/workflows/oidc.yml");
@@ -72,9 +72,8 @@ describe("detectWorkflowFromOIDC", () => {
     core.getIDToken.mockClear();
     core.getIDToken.mockReturnValueOnce(jwt);
 
-    const [repo, ref, workflow] = await detect.detectWorkflowFromOIDC(
-      "some/audience",
-    );
+    const [repo, ref, workflow] =
+      await detect.detectWorkflowFromOIDC("some/audience");
     expect(repo).toBe("vitejs/vite");
     expect(ref).toBe("refs/tags/[email protected]");
     expect(workflow).toBe(".github/workflows/publish.yml");
@@ -125,6 +124,8 @@ function createOctokitMock() {
         listWorkflowRuns: jest.fn(),
         getWorkflowRun: jest.fn(),
         reRunWorkflow: jest.fn(),
+        listJobsForWorkflowRun: jest.fn(),
+        listSelfHostedRunnersForRepo: jest.fn(),
       },
       pulls: {
         get: jest.fn(),
@@ -264,3 +265,90 @@ describe("detectWorkflowFromContext", () => {
     );
   });
 });
+
+function createOctokitRestMock() {
+  return {
+    ...createOctokitMock(),
+    paginate: jest.fn(),
+  };
+}
+
+jest.mock("@octokit/rest", () => ({ Octokit: jest.fn() }));
+
+describe("ensureOnlyGithubHostedRunners", () => {
+  OctokitRest.Octokit.mockClear();
+  const octokitRest = createOctokitRestMock();
+  OctokitRest.Octokit.mockReturnValue(octokitRest);
+
+  const customRunnerLabel = "cloudtop";
+  const goodListJobsResp = [
+    {
+      id: 399444496,
+      run_id: 29679449,
+      name: "myjob",
+      labels: ["foo", "bar"],
+    },
+  ];
+  const badListJobsResp = [
+    ...goodListJobsResp,
+    {
+      ...goodListJobsResp[0],
+      labels: [customRunnerLabel, "baz"],
+    },
+  ];
+  const listRunnersResp = [
+    {
+      id: 24,
+      name: "my-gh-runner",
+      os: "Linux",
+      status: "online",
+      busy: true,
+      labels: [
+        { id: 1, name: "self-hosted", type: "read-only" },
+        { id: 2, name: "Linux", type: "read-only" },
+        { id: 3, name: "X64", type: "read-only" },
+        { id: 7, name: customRunnerLabel, type: "custom" },
+      ],
+    },
+  ];
+
+  it("no workflow run", async () => {
+    octokitRest.paginate.mockRejectedValue(new Error("any"));
+
+    expect(
+      detect.ensureOnlyGithubHostedRunners("unused", "unused"),
+    ).rejects.toThrow();
+  });
+
+  it("success: no jobs not using self-hosted runner", async () => {
+    octokitRest.paginate.mockImplementation((method: any, args: any) => {
+      switch (method) {
+        case octokitRest.rest.actions.listJobsForWorkflowRun:
+          return Promise.resolve(goodListJobsResp);
+        case octokitRest.rest.actions.listSelfHostedRunnersForRepo:
+          return Promise.resolve(listRunnersResp);
+      }
+    });
+    expect(
+      detect.ensureOnlyGithubHostedRunners("unused", "unused"),
+    ).resolves.toBeUndefined();
+  });
+
+  it("failure: some jobs using self-hosted runner", async () => {
+    octokitRest.paginate.mockImplementation((method: any, args: any) => {
+      switch (method) {
+        case octokitRest.rest.actions.listJobsForWorkflowRun:
+          return Promise.resolve(badListJobsResp);
+        case octokitRest.rest.actions.listSelfHostedRunnersForRepo:
+          return Promise.resolve(listRunnersResp);
+      }
+    });
+    expect(
+      detect.ensureOnlyGithubHostedRunners("unused", "unused"),
+    ).rejects.toThrow(
+      new Error(
+        `Self-hosted runners are not allowed in SLSA Level 3 workflows. labels: ${customRunnerLabel}`,
+      ),
+    );
+  });
+});

.github/actions/detect-workflow-js/__tests__/main_run.test.ts

@@ -0,0 +1,112 @@
+// Copyright 2023 SLSA Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+const core = require("@actions/core");
+const detect = require("../src/detect");
+const main = require("../src/main");
+
+jest.mock("../src/detect");
+jest.mock("@actions/core");
+
+beforeEach(() => {
+  jest.resetModules();
+  core.setFailed.mockClear();
+  core.setOutput.mockClear();
+  detect.ensureOnlyGithubHostedRunners.mockClear();
+  detect.detectWorkflowFromContext.mockClear();
+});
+
+describe("main.run", () => {
+  const [repo, ref, builderWorkflow] = ["slsa-framework/gundam", "123", "xyz"];
+  const genericGeneratorWorkflow =
+    ".github/workflows/generator_generic_slsa3.yml";
+  process.env.GITHUB_REPOSITORY = repo;
+
+  it("run succeeds: workflow is NOT generic generator", async () => {
+    detect.detectWorkflowFromContext.mockReturnValue(
+      Promise.resolve([repo, ref, builderWorkflow]),
+    );
+
+    await main.run();
+
+    expect(detect.detectWorkflowFromContext).toHaveBeenCalled();
+    expect(detect.ensureOnlyGithubHostedRunners).not.toHaveBeenCalled();
+
+    expect(core.setFailed).not.toHaveBeenCalled();
+
+    expect(core.setOutput).toHaveBeenCalledWith("repository", repo);
+    expect(core.setOutput).toHaveBeenCalledWith("ref", ref);
+    expect(core.setOutput).toHaveBeenCalledWith("workflow", builderWorkflow);
+  });
+
+  it("run succeeds: workflow is a generic generator, no self-hosted runners", async () => {
+    detect.detectWorkflowFromContext.mockReturnValue(
+      Promise.resolve([repo, ref, genericGeneratorWorkflow]),
+    );
+    detect.ensureOnlyGithubHostedRunners.mockReturnValue(Promise.resolve(null));
+
+    await main.run();
+
+    expect(detect.detectWorkflowFromContext).toHaveBeenCalled();
+    expect(detect.ensureOnlyGithubHostedRunners).toHaveBeenCalled();
+
+    expect(core.setFailed).not.toHaveBeenCalled();
+
+    expect(core.setOutput).toHaveBeenCalledWith("repository", repo);
+    expect(core.setOutput).toHaveBeenCalledWith("ref", ref);
+    expect(core.setOutput).toHaveBeenCalledWith(
+      "workflow",
+      genericGeneratorWorkflow,
+    );
+  });
+
+  it("run fails: can't get workflow details", async () => {
+    const errMsg = "can't get workflow details";
+    detect.detectWorkflowFromContext.mockRejectedValue(new Error(errMsg));
+    detect.ensureOnlyGithubHostedRunners.mockReturnValue(Promise.resolve(null));
+
+    await main.run();
+
+    expect(detect.detectWorkflowFromContext).toHaveBeenCalled();
+    expect(detect.ensureOnlyGithubHostedRunners).not.toHaveBeenCalled();
+
+    expect(core.setFailed).toHaveBeenCalledWith(errMsg);
+
+    expect(core.setOutput).not.toHaveBeenCalled();
+    expect(core.setOutput).not.toHaveBeenCalled();
+    expect(core.setOutput).not.toHaveBeenCalled();
+  });
+
+  it("run fails: generic workflow, but using self-hosted runner", async () => {
+    const errMsg = "no self-hosted runners allowed";
+    detect.detectWorkflowFromContext.mockReturnValue(
+      Promise.resolve([repo, ref, genericGeneratorWorkflow]),
+    );
+    detect.ensureOnlyGithubHostedRunners.mockRejectedValue(new Error(errMsg));
+
+    await main.run();
+
+    expect(detect.detectWorkflowFromContext).toHaveBeenCalled();
+    expect(detect.ensureOnlyGithubHostedRunners).toHaveBeenCalled();
+
+    expect(core.setFailed).toHaveBeenCalledWith(errMsg);
+
+    expect(core.setOutput).toHaveBeenCalledWith("repository", repo);
+    expect(core.setOutput).toHaveBeenCalledWith("ref", ref);
+    expect(core.setOutput).toHaveBeenCalledWith(
+      "workflow",
+      genericGeneratorWorkflow,
+    );
+  });
+});