Fix not found error for attestation build summary URL

[kachick]

When I used the https://github.com/rubygems/release-gem action with .github/workflows/release.yml, it displays the Build summary.

However it links to https://github.com/OWNER/REPO/actions/runs/.github/workflows/release.yml and displays Not Found error.
As far as I know, GitHub provides a list of workflow runs as https://github.com/OWNER/REPO/actions/workflows/release.yml.
Is this just a typo? Or github provides the runs link with several patterns?

---

@segiddins ref: #5330

I'm posting this PR instead of creating an issue, for sharing the related code. I'm okay for this closed anytime. 🙇‍♂️

[segiddins]

Thanks, I will figure this out when I get back to work next week

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.26%. Comparing base (b093b95) to head (8981d71).
Report is 3 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5365      +/-   ##
==========================================
- Coverage   97.06%   94.26%   -2.80%     
==========================================
  Files         451      451              
  Lines        9391     9451      +60     
==========================================
- Hits         9115     8909     -206     
- Misses        276      542     +266     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ashkulz]

@segiddins any update? Just started using Trusted Publishing and felt that I had a bug at my end due to this 😅

[simi]

Hello @kachick, if I understand it well, links are also swapped.

Link 1 should link to https://github.com/rubygems/gem_server_conformance/actions/workflows/push_gem.yml or maybe better to https://github.com/rubygems/gem_server_conformance/actions/runs/12419161302/workflow.

Link 2 should actually link to https://github.com/rubygems/gem_server_conformance/actions/runs/12419161302/attempts/1 (which is what Link 1 currently links to).

Does it make sense? Can you update your PR to fix this? I'm happy to review.

[simi]

Also for commit link, what about to use rubygems/gem_server_conformance@416df38 instead of https://github.com/rubygems/gem_server_conformance/tree/416df386388f6bef0c1c5c474f51fb64753a2799? 🤔

[kachick]

Considering the test data and resources, "1.3.6.1.4.1.57264.1.9" or "1.3.6.1.4.1.57264.1.18" might be reasonable for this purpose. However, I can't know the actual response for now. So, using the existing resource here.

rubygems.org/test/factories/x509.rb

Lines 38 to 57 in b093b95

	"1.3.6.1.4.1.57264.1.9" =>
	".Xhttps://github.com/sigstore/sigstore-ruby/.github/workflows/release.yml@refs/tags/v0.1.1",
	"1.3.6.1.4.1.57264.1.10" =>
	".(f106999a2210a9a17b32b172f95518859a85ffed",
	"1.3.6.1.4.1.57264.1.11" =>
	".githubHosted",
	"1.3.6.1.4.1.57264.1.12" =>
	".)https://github.com/sigstore/sigstore-ruby",
	"1.3.6.1.4.1.57264.1.13" =>
	".(f106999a2210a9a17b32b172f95518859a85ffed",
	"1.3.6.1.4.1.57264.1.14" =>
	"..refs/tags/v0.1.1",
	"1.3.6.1.4.1.57264.1.15" =>
	"..766398650",
	"1.3.6.1.4.1.57264.1.16" =>
	"..https://github.com/sigstore",
	"1.3.6.1.4.1.57264.1.17" =>
	"..71096353",
	"1.3.6.1.4.1.57264.1.18" =>
	".Xhttps://github.com/sigstore/sigstore-ruby/.github/workflows/release.yml@refs/tags/v0.1.1",

https://github.com/sigstore/fulcio/blob/86a028b47a5ad67acf78ab30f6a7939fbf3411b0/docs/oid-info.md?plain=1#L124-L166

[kachick]

Actual data from dump

attestation = Rubygem.find_by_name('gem_server_conformance').find_version_by_slug!('0.1.5').attestations.first

extensions = attestation.sigstore_bundle.leaf_certificate.openssl.extensions.to_h do |ext|
  [ext.oid, if (ext.oid =~ /\A1\.3\.6\.1\.4\.1\.57264\.1\.(\d+)\z/) && ::Regexp.last_match(1).to_i >= 8
              OpenSSL::ASN1.decode(ext.value_der).value
            else
              ext.value
            end]
end

extensions.slice("1.3.6.1.4.1.57264.1.9", "1.3.6.1.4.1.57264.1.18", "1.3.6.1.4.1.57264.1.21")

{"1.3.6.1.4.1.57264.1.9" =>
  "https://github.com/rubygems/gem_server_conformance/.github/workflows/push_gem.yml@refs/tags/v0.1.5",
 "1.3.6.1.4.1.57264.1.18" =>
  "https://github.com/rubygems/gem_server_conformance/.github/workflows/push_gem.yml@refs/tags/v0.1.5",
 "1.3.6.1.4.1.57264.1.21" =>
  "https://github.com/rubygems/gem_server_conformance/actions/runs/12419161302/attempts/1"}

9 and 18 returned URL will be a not found error in github.

[kachick]

Thanks for your reviewing!
I agree with your suggestions and updated this PR.

I have tried to check the actual behaviors in my local, however, the local environment does not display the Provenance section even though importing sqlbackup. Might it be redacting the attestations?

curl -OL https://s3-us-west-2.amazonaws.com/rubygems-dumps/production/public_postgresql/2025.01.06.21.21.01/public_postgresql.tar
./script/load-pg-dump -H 127.0.0.1 -d rubygems_development /tmp/tmp.sA8Ebb0Aqi/public_postgresql.tar

[simi]

@kachick yes, it is redacted currently. I'll check if we can get some example one into seed simply.

Also rubygems/rubygems.org-db-backups#13 could help in the future.

[kachick]

rubygems/rubygems.org-db-backups#13 (comment)
https://s3-us-west-2.amazonaws.com/rubygems-dumps/production/public_postgresql/2025.01.13.21.21.28/public_postgresql.tar

gem_server_conformance with the latest dump data.

• Build summary: https://github.com/rubygems/gem_server_conformance/actions/runs/12419161302/attempts/1
• Source Commit: rubygems/gem_server_conformance@143b1c8
• Build File: https://github.com/rubygems/gem_server_conformance/actions/runs/12419161302/workflow

All returned URLs are valid, active and looks reasonable to me.