# Copyright 2022 SLSA Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
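---
name: SLSA provenance generator

# Workflow-wide token permissions. Kept read-only here; the jobs below that need
# more (id-token: write, contents: write) request it at job level, so no job
# inherits a broader token than it uses.
permissions:
  contents: read

env:
  # Generator
  BUILDER_BINARY: slsa-generator-generic-linux-amd64 # Name of the binary in the release assets.
  BUILDER_DIR: internal/builders/generic # Source directory if we compile the builder.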
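# Reusable-workflow interface. Every input is caller-controlled and is treated
# as untrusted: the generator job hands them to the shell through `env:` rather
# than interpolating them into `run:`.
on:
  workflow_call:
    inputs:
      base64-subjects:
        description: "Artifacts for which to generate provenance, formatted the same as the output of sha256sum (SHA256 NAME\\n[...]) and base64 encoded."
        required: true
        type: string
      upload-assets:
        description: "If true provenance is uploaded to a GitHub release for new tags."
        required: false
        type: boolean
        default: false
      attestation-name:
        description: "The artifact name of the signed provenance. The file must have the intoto.jsonl extension. Defaults to <filename>.intoto.jsonl for single artifact or multiple.intoto.jsonl for multiple artifacts. DEPRECATED: Use provenance-name instead."
        required: false
        type: string
      provenance-name:
        # Quoted like the sibling descriptions so the `<filename>` text and any
        # future punctuation cannot change how the scalar is parsed.
        description: "The artifact name of the signed provenance. The file must have the intoto.jsonl extension. Defaults to <filename>.intoto.jsonl for single artifact or multiple.intoto.jsonl for multiple artifacts."
        required: false
        type: string
      compile-generator:
        description: "Build the generator from source. This increases build time by ~2m."
        required: false
        type: boolean
        default: false
      private-repository:
        description: "If true, private repositories can post to the public transparency log."
        required: false
        type: boolean
        default: false
    outputs:
      release-id:
        # The value is the release *id* from the release step, so the
        # description says "ID" rather than "name".
        description: "The ID of the release where provenance was uploaded."
        value: ${{ jobs.create-release.outputs.release-id }}
      attestation-name:
        # Kept as an alias of provenance-name for callers that still read it.
        description: "DEPRECATED: use the provenance-name output instead."
        value: ${{ jobs.generator.outputs.provenance-name }}
      provenance-name:
        description: "The artifact name of the signed provenance. (A file with the intoto.jsonl extension)."
        value: ${{ jobs.generator.outputs.provenance-name }}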
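jobs:
  # privacy-check stops the workflow for private repositories unless the caller
  # opted in with `private-repository`, so a private repository name is not
  # written to the public transparency log by accident.
  privacy-check:
    runs-on: ubuntu-latest
    steps:
      - name: Check private repos
        # NOTE(review): pinned at a different commit (a3c7a56c…) than the other
        # in-repo actions below (e3220805…); confirm the split pin is intended.
        uses: slsa-framework/slsa-github-generator/.github/actions/privacy-check@a3c7a56c8749c2c423f01bbcfd063315efc07a22
        with:
          error_message: "Repository is private. The workflow has halted in order to keep the repository name from being exposed in the public transparency log. Set 'private-repository' to override."
          override: ${{ inputs.private-repository }}

  # detect-env detects the reusable workflow's repository and ref for use later
  # in the workflow.
  detect-env:
    outputs:
      repository: ${{ steps.detect.outputs.repository }}
      ref: ${{ steps.detect.outputs.ref }}
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Needed to detect the current reusable repository and ref.
    steps:
      - name: Detect the generator ref
        id: detect
        uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@e3220805577deb9d193f64e519abcb3b50851df5

  # generator builds the generator binary and runs it to generate SLSA
  # provenance.
  #
  # If `compile-generator` is true then the generator is compiled
  # from source at the ref detected by `detect-env`.
  #
  # If `compile-generator` is false, then the generator binary is downloaded
  # with the release at the ref detected by `detect-env`. This must be a tag
  # reference.
  generator:
    outputs:
      provenance-sha256: ${{ steps.sign-prov.outputs.provenance-sha256 }}
      provenance-name: ${{ steps.sign-prov.outputs.provenance-name }}
    runs-on: ubuntu-latest
    needs: [privacy-check, detect-env]
    permissions:
      id-token: write # Needed to create an OIDC token for keyless signing.
      contents: read
      actions: read # Needed to read workflow info.
    steps:
      - name: Generate builder
        uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@e3220805577deb9d193f64e519abcb3b50851df5
        with:
          repository: "${{ needs.detect-env.outputs.repository }}"
          ref: "${{ needs.detect-env.outputs.ref }}"
          # Quoted: a bare version number is parsed as a YAML float, which
          # drops trailing zeros (e.g. 1.20 -> 1.2).
          go-version: "1.18"
          binary: "${{ env.BUILDER_BINARY }}"
          compile-builder: "${{ inputs.compile-generator }}"
          directory: "${{ env.BUILDER_DIR }}"
      - name: Create and sign provenance
        id: sign-prov
        shell: bash
        # NOTE: Inputs and `github` context are set to environment variables in
        # order to avoid script injection.
        # See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
        env:
          # GITHUB_CONTEXT is not read by the script below; presumably the
          # builder binary consumes it — verify against the builder.
          GITHUB_CONTEXT: "${{ toJSON(github) }}"
          UNTRUSTED_SUBJECTS: "${{ inputs.base64-subjects }}"
          UNTRUSTED_PROVENANCE_NAME: "${{ inputs.provenance-name }}"
          UNTRUSTED_DEPRECATED_ATTESTATION_NAME: "${{ inputs.attestation-name }}"
        run: |
          set -euo pipefail
          # provenance-name wins; the deprecated attestation-name is only used
          # as a fallback, with a warning.
          untrusted_provenance_name=""
          if [ "$UNTRUSTED_PROVENANCE_NAME" != "" ]; then
            untrusted_provenance_name="$UNTRUSTED_PROVENANCE_NAME"
          elif [ "$UNTRUSTED_DEPRECATED_ATTESTATION_NAME" != "" ]; then
            echo "WARNING: deprecated attestation-name was used. Use provenance-name instead."
            untrusted_provenance_name="$UNTRUSTED_DEPRECATED_ATTESTATION_NAME"
          fi
          # Create and sign provenance.
          # NOTE: The builder verifies that the provenance path is located
          # in the current directory.
          # NOTE: $untrusted_provenance_name may be empty. In this case the
          # attest command chooses a file name based on the subject name and
          # number of subjects based on in-toto attestation bundle file naming conventions.
          # See: https://github.com/in-toto/attestation/blob/main/spec/bundle.md#file-naming-convention
          # NOTE: The attest command outputs the provenance-name and provenance-sha256
          ./"$BUILDER_BINARY" attest --subjects "${UNTRUSTED_SUBJECTS}" -g "$untrusted_provenance_name"
      - name: Upload the signed provenance
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
        with:
          name: "${{ steps.sign-prov.outputs.provenance-name }}"
          path: "${{ steps.sign-prov.outputs.provenance-name }}"
          if-no-files-found: error # A missing provenance file is a failure, not a silent no-op.
          retention-days: 5

  # create-release creates a release and uploads provenance to the release if
  # `upload-assets` is true.
  create-release:
    outputs:
      release-id: ${{ steps.release.outputs.id }}
    runs-on: ubuntu-latest
    needs: [generator]
    permissions:
      contents: write # Needed to write artifacts to a release.
    if: startsWith(github.ref, 'refs/tags/') && inputs.upload-assets == true
    steps:
      - name: Download the provenance
        # The generator job's provenance-sha256 output is passed along so the
        # downloaded artifact can be checked against the digest recorded at
        # signing time before it is attached to a release.
        uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@e3220805577deb9d193f64e519abcb3b50851df5
        with:
          name: "${{ needs.generator.outputs.provenance-name }}"
          path: "${{ needs.generator.outputs.provenance-name }}"
          sha256: "${{ needs.generator.outputs.provenance-sha256 }}"
      - name: Release
        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # tag=v0.1.14
        id: release
        with:
          files: |
            ${{ needs.generator.outputs.provenance-name }}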