From a702bf7bd2cdfbcf6c44917c0ae0d4b86032ea43 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Thu, 8 Aug 2024 18:53:31 +0000 Subject: [PATCH] allow slsa-framework/slsa-github-generator provenances from other branches in testing mode Signed-off-by: Ramon Petgrave --- verifiers/internal/gha/provenance.go | 7 +++++++ verifiers/internal/gha/provenance_test.go | 12 ++++++++++++ 2 files changed, 19 insertions(+)
diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go
index ff3d47f..4a5cae2 100644
--- a/verifiers/internal/gha/provenance.go
+++ b/verifiers/internal/gha/provenance.go
@@ -330,6 +330,13 @@ func isValidDelegatorBuilderID(prov iface.Provenance) error {
 		}
 	}
 
+	// Exception for slsa-framework/slsa-github-generator branches during testing mode
+	// to allow provenance from non-main to be verified, such as during development.
+	normalizedSLSAGithubGeneratorRepoURI := utils.NormalizeGitURI(httpsGithubCom + trustedBuilderRepository)
+	if options.TestingEnabled() && normalizedURI == utils.NormalizeGitURI(normalizedSLSAGithubGeneratorRepoURI) {
+		return nil
+	}
+
 	return utils.IsValidBuilderTag(builderRef, false)
 }
 
diff --git a/verifiers/internal/gha/provenance_test.go b/verifiers/internal/gha/provenance_test.go
index 878dcd0..e7fe465 100644
--- a/verifiers/internal/gha/provenance_test.go
+++ b/verifiers/internal/gha/provenance_test.go
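Review bot: The testing-mode exception on the `if options.TestingEnabled() && normalizedURI == …` line returns nil for any `builderRef` whatsoever once the repository matches, although the comment and the commit title scope it to branches; nothing in the new condition inspects the ref, so a tag, an empty ref or an arbitrary string skips the check that `utils.IsValidBuilderTag` would otherwise apply. Narrowing it to what the comment promises keeps the bypass small: `if options.TestingEnabled() && strings.HasPrefix(builderRef, "refs/heads/") && normalizedURI == utils.NormalizeGitURI(httpsGithubCom+trustedBuilderRepository) {` (assuming `strings` is already imported in this file). That also removes the double normalization, since `normalizedSLSAGithubGeneratorRepoURI` is already the output of `utils.NormalizeGitURI` and is normalized again inside the comparison. Because `options.TestingEnabled()` appears to be a process-wide switch, a comment above the block is worth adding, e.g. `// NOTE: testing mode disables ref validation for this repository; never enable it in a production verifier.` The body of isValidDelegatorBuilderID starts before this hunk, so where normalizedURI and builderRef are derived is not visible here.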
@@ -471,6 +471,18 @@ func Test_isValidDelegatorBuilderID(t *testing.T) {
 			builderID: "some/builderID@refs/heads/main",
 			testingEnabled: true,
 		},
+		{
+			name: "invalid builder: ref slsa-github-generator repo: testing enabled",
+			sourceURI: gitPrefix + httpsGithubCom + "slsa-framework/slsa-github-generator",
+			builderID: "some/builderID@refs/heads/anybranch",
+			testingEnabled: true,
+		},
+		{
+			name: "invalid builder: ref slsa-github-generator repo: testing disabled",
+			sourceURI: gitPrefix + httpsGithubCom + "slsa-framework/slsa-github-generator",
+			builderID: "some/builderID@refs/heads/anybranch",
+			err: serrors.ErrorInvalidRef,
+		},
 		{
 			name: "invalid builder ref e2e repo",
 			sourceURI: gitPrefix + httpsGithubCom + e2eTestRepository,
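Review bot: The two new cases only exercise a `refs/heads/anybranch` ref, so the table never pins whether the testing-mode exception is limited to branches; a third case with the same sourceURI and `testingEnabled: true` but a non-branch ref, e.g. `builderID: "some/builderID@refs/tags/v1.0.0"` with the expected `err` (or its absence) stated, would document the intended scope of the bypass either way. The first new case is also named "invalid builder: … testing enabled" while it expects no error, so a name such as `name: "slsa-github-generator repo, non-main branch: testing enabled"` reads closer to what it asserts. The enclosing Test_isValidDelegatorBuilderID table starts and ends outside this hunk.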