feat(aqua): use source tag in SLSA verification (#4836)

For a bit tighter checking. aqua does it too. Closes https://github.com/jdx/mise/discussions/4791 * fdfe33db55/pkg/slsa/exec.go (L69-L79) * fdfe33db55/pkg/installpackage/verify_slsa.go (L41-L44) --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2025-04-12 18:06:10 +03:00 · 2025-04-12 18:06:10 +03:00 · 370214def7
parent 6e0cf195ef
commit 370214def7
2 changed files with 8 additions and 0 deletions
--- a/src/aqua/aqua_registry.rs
+++ b/src/aqua/aqua_registry.rs
@ -136,6 +136,7 @@ pub struct AquaSlsaProvenance {
    pub url: Option<String>,
    pub asset: Option<String>,
    pub source_uri: Option<String>,
+    pub source_tag: Option<String>,
 }

 #[derive(Debug, Deserialize, Clone)]
@ -710,6 +711,9 @@ impl AquaSlsaProvenance {
        if let Some(source_uri) = other.source_uri {
            self.source_uri = Some(source_uri);
        }
+        if let Some(source_tag) = other.source_tag {
+            self.source_tag = Some(source_tag);
+        }
    }
 }

--- a/src/backend/aqua.rs
+++ b/src/backend/aqua.rs
@ -416,6 +416,10 @@ impl AquaBackend {
                    .arg(source_uri)
                    .arg("--provenance-path")
                    .arg(provenance_path);
+                let source_tag = slsa.source_tag.clone().unwrap_or_else(|| v.to_string());
+                if source_tag != "-" {
+                    cmd = cmd.arg("--source-tag").arg(source_tag);
+                }
                cmd = cmd.with_pr(&ctx.pr);
                cmd.execute()?;
            } else {