Update provenance.yaml #5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright 2022 SLSA Authors | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
| # This is a version of the delegator workflow that requires as few permissions | ||
| # as possible. TRWs may use this workflow so that they may request fewer | ||
| # GITHUB_TOKEN permissions from end-users. | ||
| name: SLSA low-permission builder delegator | ||
| permissions: {} | ||
| defaults: | ||
| run: | ||
| shell: bash | ||
| env: | ||
| SLSA_OUTPUTS_DIR: __SLSA_OUTPUTS_DIR__ | ||
| SLSA_ARTIFACTS_FILE: artifacts-layout.json | ||
| SLSA_PREDICATE_FILE: predicate.json | ||
| on: | ||
| workflow_call: | ||
| # Optional secrets provided as arguments are passed as inputs to the callback Action. | ||
| secrets: | ||
| secret1: | ||
| secret2: | ||
| secret3: | ||
| secret4: | ||
| secret5: | ||
| secret6: | ||
| secret7: | ||
| secret8: | ||
| secret9: | ||
| secret10: | ||
| secret11: | ||
| secret12: | ||
| secret13: | ||
| secret14: | ||
| secret15: | ||
| # Inputs provided as arguments are passed as inputs to the callback Action, | ||
| # formatted as a map. | ||
| inputs: | ||
| slsa-token: | ||
| description: "The signed SLSA token identifying the request" | ||
| required: true | ||
| type: string | ||
| # Outputs are provided to the caller TRW. | ||
| outputs: | ||
| # This contains all the ouputs of the callback Action, formatted as a map. | ||
| build-artifacts-outputs: | ||
| description: "The outputs from the build-artitacts Action, unchanged." | ||
| value: ${{ jobs.build-artifacts-ubuntu.outputs.outputs }} | ||
| # This is an output from the framework. | ||
| attestations-download-name: | ||
| description: > | ||
| Name of the artifact to download all the attestations. | ||
| Attestations are signed and have an "build.slsa" extension. | ||
| value: ${{ jobs.generate-provenance.outputs.attestations-download-name }} | ||
| attestations-download-sha256: | ||
| description: > | ||
| The sha256 digest of the attestations. | ||
| Users should verify the download against this digest to prevent tampering. | ||
| value: ${{ jobs.generate-provenance.outputs.attestations-download-sha256 }} | ||
| jobs: | ||
| # rng generates a random number to avoid name collision in artifacts | ||
| # when multiple workflows run concurrently. | ||
| rng: | ||
| outputs: | ||
| value: ${{ steps.rng.outputs.random }} | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Generate random 16-byte value (32-char hex encoded) | ||
| id: rng | ||
| uses: slsa-framework/slsa-github-generator/.github/actions/rng@main | ||
| # verify-token verifies the slsa token. | ||
| verify-token: | ||
| runs-on: ubuntu-latest | ||
| needs: [rng] | ||
| permissions: | ||
| actions: read # For getting workflow run on private repos. | ||
| outputs: | ||
| slsa-verified-token: ${{ steps.verify.outputs.slsa-verified-token }} | ||
| tool-repository: ${{ steps.verify.outputs.tool-repository }} | ||
| tool-ref: ${{ steps.verify.outputs.tool-ref }} | ||
| predicate-sha256: ${{ steps.upload.outputs.sha256 }} | ||
| steps: | ||
| - name: Verify token | ||
| id: verify | ||
| uses: slsa-framework/slsa-github-generator/.github/actions/verify-token@main | ||
| with: | ||
| slsa-workflow-recipient: "delegator_lowperms-generic_slsa3.yml" | ||
| slsa-unverified-token: ${{ inputs.slsa-token }} | ||
| output-predicate: ${{ env.SLSA_PREDICATE_FILE }} | ||
| builder-interface-type: "builder" | ||
| - name: Upload predicate | ||
| id: upload | ||
| uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@main | ||
| with: | ||
| name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_PREDICATE_FILE }}" | ||
| path: ${{ env.SLSA_PREDICATE_FILE }} | ||
| # privacy-check verifies that the user has agreed for their repository name to be made public, via the rekor log. | ||
| privacy-check: | ||
| needs: [rng, verify-token] | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check private repos | ||
| uses: slsa-framework/slsa-github-generator/.github/actions/privacy-check@main | ||
| with: | ||
| error_message: "Repository is private. The workflow has halted in order to keep the repository name from being exposed in the public transparency log. Set 'private-repository' to override." | ||
| override: ${{ fromJson(needs.verify-token.outputs.slsa-verified-token).builder.rekor_log_public }} | ||
| # build-artifacts-ubuntu builds the projects. | ||
| build-artifacts-ubuntu: | ||
| needs: [rng, verify-token, privacy-check] | ||
| if: fromJson(needs.verify-token.outputs.slsa-verified-token).builder.runner_label == 'ubuntu-latest' | ||
| outputs: | ||
| outputs: ${{ toJson(steps.build-artifacts-action.outputs) }} | ||
| artifacts-layout-sha256: ${{ steps.upload.outputs.sha256 }} | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read # To checkout private repos. | ||
| steps: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Build with Maven | ||
| run: mvn clean install -DskipTests # Pass -DskipTests to skip tests | ||
| - name: debug | ||
| env: | ||
| TOKEN: ${{ toJson(needs.verify-token.outputs.slsa-verified-token) }} | ||
| RUNNER: ${{ fromJson(needs.verify-token.outputs.slsa-verified-token).builder.runner_label }} | ||
| run: | | ||
| echo "$TOKEN: $TOKEN" | ||
| echo "$RUNNER: $RUNNER" | ||
| - name: Checkout the tool repository | ||
| uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main | ||
| with: | ||
| repository: ${{ needs.verify-token.outputs.tool-repository }} | ||
| ref: ${{ needs.verify-token.outputs.tool-ref }} | ||
| path: __TOOL_CHECKOUT_DIR__ | ||
| - run: mv ./__TOOL_CHECKOUT_DIR__ ../__TOOL_CHECKOUT_DIR__ | ||
| - name: Setup Action directory | ||
| env: | ||
| ACTION_PATH: ${{ fromJson(needs.verify-token.outputs.slsa-verified-token).tool.actions.build_artifacts.path }} | ||
| run: | | ||
| set -euo pipefail | ||
| mkdir -p ../__TOOL_ACTION_DIR__ | ||
| mv ../__TOOL_CHECKOUT_DIR__/"$ACTION_PATH"/* ../__TOOL_ACTION_DIR__/ | ||
| # Create the output directory. | ||
| mkdir "../$SLSA_OUTPUTS_DIR" | ||
| # Print for debugging | ||
| echo "ACTION_PATH=$ACTION_PATH" | ||
| tree | ||
| - name: Checkout the project repository | ||
| uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main | ||
| with: | ||
| fetch-depth: ${{ fromJson(needs.verify-token.outputs.slsa-verified-token).source.checkout.fetch_depth }} | ||
| checkout-sha1: ${{ fromJson(needs.verify-token.outputs.slsa-verified-token).source.checkout.sha1 }} | ||
| # NOTE: This calls the Action defined in the slsa-token. | ||
| - name: Build artifacts | ||
| id: build-artifacts-action | ||
| uses: ./../__TOOL_ACTION_DIR__ | ||
| with: | ||
| slsa-workflow-inputs: ${{ toJson(fromJson(needs.verify-token.outputs.slsa-verified-token).tool.inputs) }} | ||
| slsa-layout-file: ../${{ env.SLSA_OUTPUTS_DIR }}/${{ env.SLSA_ARTIFACTS_FILE }} | ||
| slsa-workflow-secret1: ${{ secrets.secret1 }} | ||
| slsa-workflow-secret2: ${{ secrets.secret2 }} | ||
| slsa-workflow-secret3: ${{ secrets.secret3 }} | ||
| slsa-workflow-secret4: ${{ secrets.secret4 }} | ||
| slsa-workflow-secret5: ${{ secrets.secret5 }} | ||
| slsa-workflow-secret6: ${{ secrets.secret6 }} | ||
| slsa-workflow-secret7: ${{ secrets.secret7 }} | ||
| slsa-workflow-secret8: ${{ secrets.secret8 }} | ||
| slsa-workflow-secret9: ${{ secrets.secret9 }} | ||
| slsa-workflow-secret10: ${{ secrets.secret10 }} | ||
| slsa-workflow-secret11: ${{ secrets.secret11 }} | ||
| slsa-workflow-secret12: ${{ secrets.secret12 }} | ||
| slsa-workflow-secret13: ${{ secrets.secret13 }} | ||
| slsa-workflow-secret14: ${{ secrets.secret14 }} | ||
| slsa-workflow-secret15: ${{ secrets.secret15 }} | ||
| - name: debug | ||
| env: | ||
| OUTPUTS: ${{ toJson(steps.build-artifacts-action.outputs) }} | ||
| run: | | ||
| echo "OUTPUTS: $OUTPUTS" | ||
| # NOTE: Needed to upload the file. | ||
| - name: Move artifact layout file to workspace | ||
| run: | | ||
| set -euo pipefail | ||
| mv "../${{ env.SLSA_OUTPUTS_DIR }}/${{ env.SLSA_ARTIFACTS_FILE }}" "${{ env.SLSA_ARTIFACTS_FILE }}" | ||
| - name: Upload artifact layout file | ||
| id: upload | ||
| uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@main | ||
| with: | ||
| name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_ARTIFACTS_FILE }}" | ||
| path: "${{ env.SLSA_ARTIFACTS_FILE }}" | ||
| # generate-provenance generates and signs the provenance. | ||
| generate-provenance: | ||
| needs: [rng, verify-token, privacy-check, build-artifacts-ubuntu] | ||
| outputs: | ||
| attestations-download-name: "${{ needs.rng.outputs.value }}-slsa-attestations" | ||
| attestations-download-sha256: "${{ steps.upload.outputs.sha256 }}" | ||
| permissions: | ||
| id-token: write # Needed to sign | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Download the artifact layout file | ||
| uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@main | ||
| with: | ||
| name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_ARTIFACTS_FILE }}" | ||
| path: "${{ env.SLSA_ARTIFACTS_FILE }}" | ||
| sha256: ${{ needs.build-artifacts-ubuntu.outputs.artifacts-layout-sha256 }} | ||
| - name: Download the predicate file | ||
| uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@main | ||
| with: | ||
| name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_PREDICATE_FILE }}" | ||
| path: ${{ env.SLSA_PREDICATE_FILE }} | ||
| sha256: ${{ needs.verify-token.outputs.predicate-sha256 }} | ||
| - name: debug | ||
| run: | | ||
| echo "predicate file: $(cat ${{ env.SLSA_PREDICATE_FILE }})" | ||
| echo "artifact file: $(cat ${{ env.SLSA_ARTIFACTS_FILE }})" | ||
| - name: Set predicate-type | ||
| id: predicate-type | ||
| env: | ||
| SLSA_VERSION: ${{ fromJson(needs.verify-token.outputs.slsa-verified-token).slsaVersion }} | ||
| run: | | ||
| case "$SLSA_VERSION" in | ||
| "v0.2") | ||
| echo "predicate-type=https://slsa.dev/provenance/v0.2" >> "$GITHUB_OUTPUT" | ||
| ;; | ||
| "v1.0") | ||
| echo "predicate-type=https://slsa.dev/provenance/v1" >> "$GITHUB_OUTPUT" | ||
| ;; | ||
| *) | ||
| >&2 echo "Error: unknown SLSA version: ${SLSA_VERSION}" | ||
| exit 1 | ||
| esac | ||
| - name: Generate attestations | ||
| id: attestations | ||
| uses: slsa-framework/slsa-github-generator/.github/actions/generate-attestations@main | ||
| with: | ||
| slsa-layout-file: ${{ env.SLSA_ARTIFACTS_FILE }} | ||
| predicate-type: ${{ steps.predicate-type.outputs.predicate-type }} | ||
| predicate-file: ${{ env.SLSA_PREDICATE_FILE }} | ||
| output-folder: attestations | ||
| - name: Sign attestations | ||
| id: sign | ||
| uses: slsa-framework/slsa-github-generator/.github/actions/sign-attestations@main | ||
| with: | ||
| attestations: attestations | ||
| output-folder: "${{ needs.rng.outputs.value }}-slsa-attestations" | ||
| - name: Upload attestations | ||
| id: upload | ||
| uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@main | ||
| with: | ||
| name: "${{ needs.rng.outputs.value }}-slsa-attestations" | ||
| path: "${{ needs.rng.outputs.value }}-slsa-attestations" | ||
| # cleanup deletes internal artifacts used by the delegator workflow | ||
| cleanup: | ||
| runs-on: ubuntu-latest | ||
| needs: [rng, generate-provenance] | ||
| env: | ||
| RNG: ${{ needs.rng.outputs.value }} | ||
| steps: | ||
| - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 | ||
| with: | ||
| name: "${{ env.RNG }}-${{ env.SLSA_PREDICATE_FILE }}" | ||
| - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 | ||
| with: | ||
| name: "${{ env.RNG }}-${{ env.SLSA_ARTIFACTS_FILE }}" | ||
