verify-action-build: treat verifier-action refs as trust leaves

The sibling-step recognition added in the previous commit handles the
caller of a verifier (e.g. sbt/setup-sbt using carabiner-dev/actions/
ampel/verify), but the recursive walker still descended into the
verifier action itself and surfaced its bootstrap installer
(carabiner-dev/actions/install/ampel) as an unverified download.

The bootstrap installer cannot itself verify the verifier binary
(chicken-and-egg). Treat the hash-pinned verifier ref as a trust
leaf — same handling as TRUSTED_ORGS — so the walker stops there.

The trust anchor is the hash-pinned commit of the verifier action
itself; ASF's separate allowlist review covers admission of new
verifier refs to the trust set.

Generated-by: Claude Opus 4.7 (1M context) <[email protected]>

Author: potiuk

utils/tests/verify_action_build/test_security.py

@@ -482,6 +482,33 @@ def fake_action_yml(org, repo, commit, sub_path=""):
                 )
         assert failures == []
 
+    def test_skips_trusted_verifier_ref(self):
+        # Mirrors sbt/setup-sbt → carabiner-dev/actions/ampel/verify →
+        # install/ampel: descending into the verifier surfaces a bootstrap
+        # installer that can't verify itself. The walker treats the verifier
+        # ref as a trust leaf and stops there.
+        root_yml = """\
+name: Root
+runs:
+  using: composite
+  steps:
+    - uses: carabiner-dev/actions/ampel/verify@dddddddddddddddddddddddddddddddddddddddd
+"""
+
+        def fake_action_yml(org, repo, commit, sub_path=""):
+            if org == "myorg":
+                return root_yml
+            raise AssertionError(
+                f"should not fetch nested yml for {org}/{repo}/{sub_path}"
+            )
+
+        with mock.patch("verify_action_build.security.fetch_action_yml", side_effect=fake_action_yml):
+            with mock.patch("verify_action_build.security.fetch_file_from_github", return_value=None):
+                warnings, failures = analyze_binary_downloads_recursive(
+                    "myorg", "rootrepo", "b" * 40,
+                )
+        assert failures == []
+
 
 class TestAnalyzeRepoMetadata:
     def test_mit_license_detected(self):

utils/verify_action_build/security.py

@@ -41,6 +41,24 @@
 # Orgs we trust to the point of not descending into their nested action graph.
 TRUSTED_ORGS = {"actions", "github"}
 
+# Verifier-action references that are treated as trust leaves. When a parent
+# action.yml `uses:` one of these, the walker yields the visit as a stub and
+# does not descend into the verifier's own action graph.
+#
+# Why: a verification action is itself the root of the artifact-trust chain
+# from its caller's perspective. Descending in would surface its bootstrap
+# installer (e.g. carabiner-dev/actions/install/ampel), which downloads the
+# verifier binary without an inline checksum/signature — a chicken-and-egg
+# problem the installer cannot solve. We accept the verifier ref's
+# hash-pinned commit as the trust anchor instead.
+#
+# Each entry is (org, repo, sub_path). Keep in sync with
+# `_VERIFICATION_USES_PATTERNS` below — same identities, different layer.
+TRUSTED_VERIFIER_REFS: set[tuple[str, str, str]] = {
+    ("carabiner-dev", "actions", "ampel/verify"),
+    ("slsa-framework", "slsa-verifier-action", ""),
+}
+
 # Exemptions file for the lock-file-presence check.  Path matches the
 # convention used by approved_actions.ACTIONS_YML.
 LOCK_FILE_EXEMPTIONS_YML = (
@@ -161,7 +179,7 @@ def _walk(
             )
             return
 
-        trusted = o in TRUSTED_ORGS
+        trusted = o in TRUSTED_ORGS or (o, r, s) in TRUSTED_VERIFIER_REFS
         if depth > 0 and trusted:
             yield VisitedAction(
                 org=o, repo=r, commit_hash=c, sub_path=s, depth=depth,