From 180a89c64d423565407a13e7bef4e933b50e51cc Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Fri, 18 Aug 2023 17:56:13 +0100
Subject: [PATCH] chore: fix nits in Gradle builder (#2645)

Fixes
https://github.com/slsa-framework/slsa-github-generator/issues/2643

The following comments are irrelevant and have not been addressed:

1.
https://github.com/slsa-framework/slsa-github-generator/pull/2636#discussion_r1295386279
(was already done)
2.
https://github.com/slsa-framework/slsa-github-generator/pull/2636#discussion_r1295385635
(the code has been removed)

@ianlewis @laurentsimon PTAL

Signed-off-by: AdamKorcz <adam@adalogics.com>
---
 internal/builders/gradle/action.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/internal/builders/gradle/action.yml b/internal/builders/gradle/action.yml
index 057f1cc502..6c0efc2248 100644
--- a/internal/builders/gradle/action.yml
+++ b/internal/builders/gradle/action.yml
@@ -84,17 +84,21 @@ runs:
         }
         validate_path "${UNTRUSTED_PROJECT_ROOT}"
         # remove trailing "/"'s with `realpath`
-        project_root=$(realpath "${UNTRUSTED_PROJECT_ROOT}")
+        project_root=$(realpath -e "${UNTRUSTED_PROJECT_ROOT}")
+
+        # output the validated project root for later steps
+        echo "validated_project_root=${project_root}" >> "${GITHUB_OUTPUT}"
 
         cd "${project_root}" \
           && ./gradlew build -x test
 
     - name: Put release artifacts in one directory
+      id: collect_release_artifacts
       shell: bash
       env:
         SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
         UNTRUSTED_ARTIFACT_LIST: ${{ fromJson(inputs.slsa-workflow-inputs).artifact-list }}
-        PROJECT_ROOT: ${{ fromJson(inputs.slsa-workflow-inputs).directory }}
+        PROJECT_ROOT: ${{ steps.collect_release_artifacts.outputs.validated_project_root }}
       run: |
         cd "${PROJECT_ROOT}" && "${GITHUB_WORKSPACE}"/../__TOOL_ACTION_DIR__/collect_release_artifacts.sh
     - name: Make outputs
@@ -102,15 +106,13 @@ runs:
       shell: bash
       env:
         SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
-        PROJECT_ROOT: ${{ fromJson(inputs.slsa-workflow-inputs).directory }}
+        PROJECT_ROOT: ${{ steps.collect_release_artifacts.outputs.validated_project_root }}
       run: |
         cd "${PROJECT_ROOT}" && "${GITHUB_WORKSPACE}"/../__TOOL_ACTION_DIR__/create_attestation.sh
     - name: Move build dir to avoid making it a sub-dir when uploading
       shell: bash
       env:
-        # PROJECT_ROOT is generally untrusted, but the builder has validated
-        # it in the 'Run gradle builder' step and is therefore trusted now.
-        PROJECT_ROOT: ${{ fromJson(inputs.slsa-workflow-inputs).directory }}
+        PROJECT_ROOT: ${{ steps.collect_release_artifacts.outputs.validated_project_root }}
       run: |
         mv "${PROJECT_ROOT}"/build "${GITHUB_WORKSPACE}"/
     - name: Upload build dir