[bug] Fix pre-submit #3320

Open
laurentsimon opened this issue Mar 13, 2024 · 3 comments
Labels
area:secure-upload-folder Issue with the secure-upload-folder action type:bug Something isn't working

Comments

@laurentsimon
Collaborator

See #3312

The secure-upload-folder Action is broken and always runs at main instead of using the PR code.

I think we can solve this by doing:

  1. Checkout with PR ref into /tmp/folder
  2. Run the Action as a local action as run: ./tmp/folder

/cc @ramonpetgrave64

@laurentsimon laurentsimon added type:bug Something isn't working area:secure-upload-folder Issue with the secure-upload-folder action labels Mar 13, 2024
@ramonpetgrave64
Collaborator

This could get tricky to plan the arguments to actions/checkout in the various scenarios, particularly (1) and (3). For (1) we cannot just use all default because it would try to clone the user's repo other/other repo, not the slsa-framework/slsa-github-generator repo.

I guess it could work like this, to only use default for the repository argument when it detects it's a PR to slsa-framework/slsa-github-generator

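```yaml
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
  with:
    # An empty string is falsy in Actions expressions, so `cond && '' || x` always
    # yields x; github.repository (the input's default) stands in for "default" here.
    repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.repo.full_name == 'slsa-framework/slsa-github-generator' && github.repository || 'slsa-framework/slsa-github-generator' }}
```
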
  1. PR or Workflow in other/other
    Owner: slsa-framework
    Repo: slsa-github-generator
    Ref: default

  2. PR or Workflow in slsa-framework/other
    Owner: default
    Repo: slsa-github-generator
    Ref: default

  3. PR or Workflow in slsa-framework/slsa-github-generator:
    Owner: default
    Repo: default
    Ref: default

  4. PR or Workflow in other/slsa-github-generator
    Owner: other
    Repo: default
    Ref: default
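
The two-step proposal from the opening post, sketched for scenario 3 (a PR to slsa-framework/slsa-github-generator). This is an added example, not the project's workflow: the workflow name, the `__pr_code__` folder, the action's path inside the repository, and the `name`/`path` inputs are assumptions or placeholders. The checkout goes under the workspace rather than `/tmp` because the `path` input of `actions/checkout` and local `uses: ./...` references are both resolved relative to `$GITHUB_WORKSPACE`.

```yaml
# Added sketch. Values marked ASSUMED or PLACEHOLDER are not from the issue.
name: pre-submit secure-upload-folder   # ASSUMED workflow name
on:
  pull_request:   # not pull_request_target: fork PR code runs without repo secrets

permissions:
  contents: read  # read-only token while executing code from the PR

jobs:
  upload:
    runs-on: ubuntu-latest
    steps:
      # Scenario 3: all defaults. On pull_request the default repository is
      # github.repository and the default ref is the PR's merge commit.
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          path: __pr_code__          # ASSUMED folder, relative to $GITHUB_WORKSPACE
          persist-credentials: false # do not leave the token in .git/config

      - name: Create a folder to upload
        run: |
          mkdir -p upload
          echo "constructed test content" > upload/file.txt

      # Local action reference: this loads the action definition from the
      # checked-out PR tree instead of a ref pinned to main.
      - uses: ./__pr_code__/PATH/TO/secure-upload-folder # PLACEHOLDER path
        with:
          name: presubmit-folder     # ASSUMED input name
          path: upload               # ASSUMED input name
```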

@ianlewis
Member

To be fair, this is the case for all of our actions and workflows when run in pre-submits. We've generally solved this with scheduled e2e tests.

@ianlewis
Member

To be fair, this is the case for all of our actions and workflows when run in pre-submits. We've generally solved this with scheduled e2e tests.

Another way to solve this is to have a test that calls the wrapped action directly. This doesn't ensure that everything works for the action end to end but I can ensure that the changed code is executed at least.
