diff --git a/internal/builders/gradle/action.yml b/internal/builders/gradle/action.yml index 057f1cc502..6c0efc2248 100644 --- a/internal/builders/gradle/action.yml +++ b/internal/builders/gradle/action.yml @@ -84,17 +84,21 @@ runs: } validate_path "${UNTRUSTED_PROJECT_ROOT}" # remove trailing "/"'s with `realpath` - project_root=$(realpath "${UNTRUSTED_PROJECT_ROOT}") + project_root=$(realpath -e "${UNTRUSTED_PROJECT_ROOT}") + + # output the validated project root for later steps + echo "validated_project_root=${project_root}" >> "${GITHUB_OUTPUT}" cd "${project_root}" \ && ./gradlew build -x test - name: Put release artifacts in one directory + id: collect_release_artifacts shell: bash env: SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }} UNTRUSTED_ARTIFACT_LIST: ${{ fromJson(inputs.slsa-workflow-inputs).artifact-list }} - PROJECT_ROOT: ${{ fromJson(inputs.slsa-workflow-inputs).directory }} + PROJECT_ROOT: ${{ steps.collect_release_artifacts.outputs.validated_project_root }} run: | cd "${PROJECT_ROOT}" && "${GITHUB_WORKSPACE}"/../__TOOL_ACTION_DIR__/collect_release_artifacts.sh - name: Make outputs @@ -102,15 +106,13 @@ runs: shell: bash env: SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }} - PROJECT_ROOT: ${{ fromJson(inputs.slsa-workflow-inputs).directory }} + PROJECT_ROOT: ${{ steps.collect_release_artifacts.outputs.validated_project_root }} run: | cd "${PROJECT_ROOT}" && "${GITHUB_WORKSPACE}"/../__TOOL_ACTION_DIR__/create_attestation.sh - name: Move build dir to avoid making it a sub-dir when uploading shell: bash env: - # PROJECT_ROOT is generally untrusted, but the builder has validated - # it in the 'Run gradle builder' step and is therefore trusted now. - PROJECT_ROOT: ${{ fromJson(inputs.slsa-workflow-inputs).directory }} + PROJECT_ROOT: ${{ steps.collect_release_artifacts.outputs.validated_project_root }} run: | mv "${PROJECT_ROOT}"/build "${GITHUB_WORKSPACE}"/ - name: Upload build dir
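Review bot: The new `id: collect_release_artifacts` sits on the "Put release artifacts in one directory" step, but `validated_project_root` is written to `GITHUB_OUTPUT` by the gradle build step before it, so `steps.collect_release_artifacts.outputs.validated_project_root` does not name the step that produced the value. In this step the expression refers to the step's own outputs, which are not yet set when its `env` is evaluated. Unless collect_release_artifacts.sh writes the same key, the "Make outputs" and "Move build dir" steps in the second hunk also get an empty `PROJECT_ROOT`, so `cd` no longer pins the scripts to the validated directory and `mv "${PROJECT_ROOT}"/build` resolves to `/build`. Put the `id` on the step that runs the `echo` (its header is outside this hunk) and use that id in all three places, e.g. `PROJECT_ROOT: ${{ steps.<gradle-build-step-id>.outputs.validated_project_root }}`.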
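Review bot: The comment deleted from the "Move build dir" `env` block was the only statement of why `PROJECT_ROOT` can be trusted in these later steps, and the replacement lines carry no explanation of where the value comes from. A one-line comment above each `PROJECT_ROOT` (or at least the first) would keep that trust boundary visible, for example `# PROJECT_ROOT is the realpath-resolved directory emitted after validate_path; do not read the raw workflow input here.` The steps touched by this hunk begin and end outside it, so the surrounding keys cannot be checked from here.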