From b09731887a87a8df2a68da9a874464e29684d4b8 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Date: Fri, 16 Feb 2024 10:17:31 -0500
Subject: [PATCH] fix: gradle builds (#3250)

Fixes the Gradle builds
https://github.com/slsa-framework/slsa-github-generator/issues/2727

I think the first attempt to fix (now reverted) was mostly correct, but
in this PR I correct the directory comparison conditional.

- https://github.com/slsa-framework/slsa-github-generator/pull/3083
- https://github.com/slsa-framework/slsa-github-generator/pull/3089

Also adds some documentation for handling multi-project builds, which
seem to now be the default when initializing a new Gradle app.
-
https://docs.gradle.org/current/samples/sample_building_java_applications.html#review_the_project_files

## Testing

Tested against my own sample project
*
https://github.com/ramonpetgrave64/my-example-gradle-project/pull/1/files/af3b52a88d6bf053d04f3456a8bb78f6d32c4061
*
https://github.com/ramonpetgrave64/my-example-gradle-project/actions/runs/7850051301

Modified the `slsa-framwork/example-package` e2e tests against my own
fork. The actual builds and provenance generation succeed, except for
the verify stage, which should fail because my fork
`https://github.com/ramonpetgrave64/slsa-github-generator/.github/workflows/builder_gradle_slsa3.yml@refs/heads/main`
is not a "trusted builder".

*
https://github.com/slsa-framework/slsa-github-generator/commit/ebffcc9a1c1d97101982ffbfa5488dcc32c5643f
*
https://github.com/slsa-framework/slsa-github-generator/compare/main...ramonpetgrave64:slsa-github-generator:67a2f7b7efb421e55c3a787161d5968681f3db15
*
https://github.com/ramonpetgrave64/example-package/actions/runs/7850413736/job/21425770965

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
---
 actions/gradle/publish/README.md    |  4 ++++
 internal/builders/gradle/README.md  | 33 ++++++++++++++++++++++++++++-
 internal/builders/gradle/action.yml |  3 ++-
 internal/builders/maven/action.yml  |  3 ++-
 4 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/actions/gradle/publish/README.md b/actions/gradle/publish/README.md
index 4afd13c49e..7afc9c6b7d 100644
--- a/actions/gradle/publish/README.md
+++ b/actions/gradle/publish/README.md
@@ -280,3 +280,7 @@ Closing the staging repository:
 Releasing:
 
 ![releasing the Gradle artefacts](/actions/gradle/publish/images/gradle-publisher-release-closed-repository.png)
+
+### Multi-Project Builds
+
+See the same guidance in the [build docs](../../../internal/builders/gradle/README.md#multi-project-builds) for consolidating files from multi-project builds.
diff --git a/internal/builders/gradle/README.md b/internal/builders/gradle/README.md
index 7dc47837d6..f2160597b9 100644
--- a/internal/builders/gradle/README.md
+++ b/internal/builders/gradle/README.md
@@ -19,6 +19,7 @@ workflow the "Gradle builder" from now on.
 - [Limitations](#limitations)
 - [Generating Provenance](#generating-provenance)
   - [Getting Started](#getting-started)
+    - [Multi-Project Builds](#multi-project-builds)
   - [Private Repositories](#private-repositories)
 - [Verification](#verification)
 
@@ -53,6 +54,7 @@ The Gradle builder currently has the following limitations:
 
 1. The project must be buildable by way of `./gradlew build`. If you need the option for flags, profiles or something else to define more granular builds, please open an issue.
 2. The project must include a gradle wrapper (`gradlew`). The Gradle builder does not include an installation of gradle.
+3. The project's build scripts must place the artifacts into `./build`, relative to the `directory` workflow input. If you are doing [multi-project builds](https://docs.gradle.org/current/userguide/intro_multi_project_builds.html), you may need to follow the [example below](#multi-project-builds)
 
 ## Generating Provenance
 
@@ -83,13 +85,42 @@ jobs:
       actions: read
     uses: slsa-framework/slsa-github-generator/.github/workflows/builder_gradle_slsa3.yml@v1.9.0
     with:
-      artifact-list: ./artifact1.jar,./artifact2.jar
+      artifact-list: >-
+        ./build/artifact1.jar,
+        ./build/artifact2.jar
 ```
 
 Now, when you invoke this workflow, the Gradle builder will build both your artifacts and the provenance files for them.
 
 The Gradle builder requires you to specify the artifacts that you wish to attest to. To do so, you add a comma-separated list of paths to the artifacts as shown in the example. The paths are relative from the root of your project directory.
 
+#### Multi-Project Builds
+
+If you are using [multi-project builds](https://docs.gradle.org/current/userguide/intro_multi_project_builds.html), where each of your sub-projects' `src` are in separate subfolders, then you will need to add a task to copy over the artifact files to the root `./build` folder.
+
+See this example to add to your sub-projects' `build.gradle.kts` file.
+
+```kotlin
+tasks.register<Copy>("copySubProjectBuild") {
+    from(layout.buildDirectory)
+    into("${rootProject.projectDir}/build/${project.name}")
+}
+
+tasks.named("build") {
+    finalizedBy("copySubProjectBuild")
+}
+```
+
+This, for example, will move `./app1/build/` and `./app2/build/` to `./build/app1/` and `./build/app2/`. You must then alter your input to `artifact-list`.
+
+```yaml
+...
+      artifact-list: >-
+        ./build/app1/libs/app.jar,
+        ./build/app2/libs/app.jar,
+...
+```
+
 ### Private Repositories
 
 The builder records all provenance signatures in the [Rekor](https://github.com/sigstore/rekor) public transparency log. This record includes the repository name. To acknowledge you're aware that your repository name will be public, set the flag `rekor-log-public: true` when calling the builder:
diff --git a/internal/builders/gradle/action.yml b/internal/builders/gradle/action.yml
index 1d7c29a31d..7c2d693cee 100644
--- a/internal/builders/gradle/action.yml
+++ b/internal/builders/gradle/action.yml
@@ -124,7 +124,8 @@ runs:
       env:
         PROJECT_ROOT: ${{ steps.run_gradle_builder.outputs.validated_project_root }}
       run: |
-        mv "${PROJECT_ROOT}"/build "${GITHUB_WORKSPACE}"/
+        # Ensure that directories are not the same before moving them, preventing an error when running action from the root of the repository.
+        [[ "${PROJECT_ROOT}" -ef "${GITHUB_WORKSPACE}" ]] || mv "${PROJECT_ROOT}"/build "${GITHUB_WORKSPACE}"/
     - name: Upload build dir
       id: upload-build-dir
       uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@main
diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml
index bc3ad649ed..4fd7a113f6 100644
--- a/internal/builders/maven/action.yml
+++ b/internal/builders/maven/action.yml
@@ -105,7 +105,8 @@ runs:
           && mvn package  -Drun.hash.jarfile=true
         # NOTE: SLSA_OUTPUTS_ARTIFACTS_FILE is a relative path and the project_root may
         # not be in GITHUB_WORKSPACE, so we need to move the file.
-        mv $(dirname "${SLSA_OUTPUTS_ARTIFACTS_FILE}") "${GITHUB_WORKSPACE}/../"
+        # The following checks if the directories are different before executing the command, fixing an error when SLSA is generated from the root of a repository.
+        [[ $(dirname "${SLSA_OUTPUTS_ARTIFACTS_FILE}") -ef "${GITHUB_WORKSPACE}/../" ]] || mv $(dirname "${SLSA_OUTPUTS_ARTIFACTS_FILE}") "${GITHUB_WORKSPACE}/../"
         mv target "${GITHUB_WORKSPACE}/"
 
     # rng generates a random number to avoid name collision in artifacts