Diffstat (limited to 'deps/npm/node_modules/libnpmpublish/lib/provenance.js')
-rw-r--r--deps/npm/node_modules/libnpmpublish/lib/provenance.js19
1 files changed, 10 insertions, 9 deletions
diff --git a/deps/npm/node_modules/libnpmpublish/lib/provenance.js b/deps/npm/node_modules/libnpmpublish/lib/provenance.js
index d11d210478..1eb870da5f 100644
--- a/deps/npm/node_modules/libnpmpublish/lib/provenance.js
+++ b/deps/npm/node_modules/libnpmpublish/lib/provenance.js
@@ -4,39 +4,40 @@ const INTOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json'
const INTOTO_STATEMENT_TYPE = 'https://in-toto.io/Statement/v0.1'
const SLSA_PREDICATE_TYPE = 'https://slsa.dev/provenance/v0.2'
-const BUILDER_ID_PREFIX = 'https://github.com/npm/cli'
+const BUILDER_ID = 'https://github.com/actions/runner'
const BUILD_TYPE_PREFIX = 'https://github.com/npm/cli/gha'
-const BUILD_TYPE_VERSION = 'v1'
+const BUILD_TYPE_VERSION = 'v2'
const generateProvenance = async (subject, opts) => {
const { env } = process
+ /* istanbul ignore next - not covering missing env var case */
+ const [workflowPath] = (env.GITHUB_WORKFLOW_REF || '')
+ .replace(env.GITHUB_REPOSITORY + '/', '')
+ .split('@')
const payload = {
_type: INTOTO_STATEMENT_TYPE,
subject,
predicateType: SLSA_PREDICATE_TYPE,
predicate: {
- buildType: `${BUILD_TYPE_PREFIX}@${BUILD_TYPE_VERSION}`,
- builder: { id: `${BUILDER_ID_PREFIX}@${opts.npmVersion}` },
+ buildType: `${BUILD_TYPE_PREFIX}/${BUILD_TYPE_VERSION}`,
+ builder: { id: BUILDER_ID },
invocation: {
configSource: {
uri: `git+${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}@${env.GITHUB_REF}`,
digest: {
sha1: env.GITHUB_SHA,
},
- entryPoint: env.GITHUB_WORKFLOW_REF,
+ entryPoint: workflowPath,
},
parameters: {},
environment: {
- GITHUB_ACTOR_ID: env.GITHUB_ACTOR_ID,
GITHUB_EVENT_NAME: env.GITHUB_EVENT_NAME,
GITHUB_REF: env.GITHUB_REF,
- GITHUB_REF_TYPE: env.GITHUB_REF_TYPE,
GITHUB_REPOSITORY: env.GITHUB_REPOSITORY,
GITHUB_REPOSITORY_ID: env.GITHUB_REPOSITORY_ID,
GITHUB_REPOSITORY_OWNER_ID: env.GITHUB_REPOSITORY_OWNER_ID,
GITHUB_RUN_ATTEMPT: env.GITHUB_RUN_ATTEMPT,
GITHUB_RUN_ID: env.GITHUB_RUN_ID,
- GITHUB_RUN_NUMBER: env.GITHUB_RUN_NUMBER,
GITHUB_SHA: env.GITHUB_SHA,
GITHUB_WORKFLOW_REF: env.GITHUB_WORKFLOW_REF,
GITHUB_WORKFLOW_SHA: env.GITHUB_WORKFLOW_SHA,
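Review bot: The new `workflowPath` derivation uses an unanchored `.replace()` and an empty-string fallback, so if `GITHUB_WORKFLOW_REF` is unset the statement is emitted with `entryPoint: ''`, and if `GITHUB_REPOSITORY` is unset the search string becomes `'undefined/'`. The istanbul comment confirms the missing-variable path is deliberately untested, yet `entryPoint` is a field a provenance verifier is likely to match against an expected workflow path. I would strip the repository only when it is a true prefix, e.g. `const prefix = `${env.GITHUB_REPOSITORY}/`` then `const ref = env.GITHUB_WORKFLOW_REF || ''` and `const [workflowPath] = (ref.startsWith(prefix) ? ref.slice(prefix.length) : ref).split('@')`. Unless a caller outside this hunk already guarantees a GitHub Actions context, it should also throw when either variable is absent rather than build a statement with empty or `undefined` fields. The body of `generateProvenance` continues past the end of this hunk, so any later validation is not visible here.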
@@ -53,7 +54,7 @@ const generateProvenance = async (subject, opts) => {
},
materials: [
{
- uri: `git+${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}`,
+ uri: `git+${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}@${env.GITHUB_REF}`,
digest: {
sha1: env.GITHUB_SHA,
},
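Review bot: The `materials[0].uri` template on the added line now duplicates the `configSource.uri` template in the first hunk character for character, so the two can drift apart on a later edit even though verifiers would presumably expect them to name the same source. Building it once near the top of `generateProvenance`, e.g. `const sourceUri = `git+${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}@${env.GITHUB_REF}``, and using `uri: sourceUri` in both places keeps them aligned. A short comment would also help, noting that `GITHUB_REF` can be a movable branch ref and that the adjacent `sha1: env.GITHUB_SHA` digest is what actually pins the material. The function begins and ends outside this hunk.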