From 393e8d5455c41a31e0a5b43096d91d92a46b4e40 Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Wed, 29 Sep 2021 15:24:43 +0200 Subject: [PATCH] Add feature to specify extra materials --- .github/workflows/example-local.yml | 11 +++++++++++ action.yaml | 5 +++++ create_provenance.go | 24 ++++++++++++++++++++++++ 3 files changed, 40 insertions(+) diff --git a/.github/workflows/example-local.yml b/.github/workflows/example-local.yml index fe9ec32..b4d5058 100644 --- a/.github/workflows/example-local.yml +++ b/.github/workflows/example-local.yml @@ -12,11 +12,21 @@ jobs: - name: Create artifact run: echo "onion, tomato, jalapeno, cilantro, lime, salt" > salsa.txt + # traditionally, the build code would generate this + - name: Create extra materials + run: | + echo '[{"uri": "pkg:deb/debian/stunnel4@5.50-3?arch=amd64", "digest": {"sha256": "e1731ae217fcbc64d4c00d707dcead45c828c5f762bcf8cc56d87de511e096fa"}}]' > extra-materials + - name: Upload artifact uses: actions/upload-artifact@v2 with: path: salsa.txt + - name: Upload extra materials + uses: actions/upload-artifact@v2 + with: + path: extra-materials + generate-provenance: needs: build name: Generate build provenance @@ -34,6 +44,7 @@ jobs: uses: ./ with: artifact_path: artifact/ + extra_material: '["artifact/extra-materials"]' - name: Upload provenance uses: actions/upload-artifact@v2 diff --git a/action.yaml b/action.yaml index bb984e8..038385d 100644 --- a/action.yaml +++ b/action.yaml @@ -19,6 +19,9 @@ inputs: description: 'internal (do not set): the "runner" context object in json' required: true default: ${{ toJSON(runner) }} + extra_material: + description: 'Paths to JSON files with extra materials for inclusion into the provenance' + default: '[]' runs: using: 'docker' image: 'Dockerfile' @@ -31,3 +34,5 @@ runs: - '${{ inputs.github_context }}' - "--runner_context" - '${{ inputs.runner_context }}' + - "--extra_material" + - '${{ inputs.extra_material }}' 
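Review bot: The `extra_material` input's description in the `@@ -19,6 +19,9 @@` hunk of action.yaml does not say that the value must be a JSON array of paths, yet the default `'[]'` and the example workflow's `'["artifact/extra-materials"]'` only work in that form, and a bare path would fail to parse in the binary. I would make the format explicit, e.g. `description: "JSON array of paths to files, each containing a JSON array of in-toto materials (uri and digest) to append to the provenance"`. As far as the Go hunks show, the entries are appended to the provenance without validation, so the description should also say that these files must be produced by the build itself rather than taken from an untrusted source.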
diff --git a/create_provenance.go b/create_provenance.go index 07934ac..2ec40a8 100644 --- a/create_provenance.go +++ b/create_provenance.go @@ -25,6 +25,7 @@ var ( outputPath = flag.String("output_path", "build.provenance", "The path to which the generated provenance should be written.") githubContext = flag.String("github_context", "", "The '${github}' context value.") runnerContext = flag.String("runner_context", "", "The '${runner}' context value.") + extraMaterial = flag.String("extra_material", "", "Files with extra materials as in-toto data to add.") ) type Envelope struct { @@ -166,6 +167,18 @@ func parseFlags() { } } +func getExtraMaterials(filename string) ([]Item, error) { + content, err := ioutil.ReadFile(filename) + var ret []Item + if err != nil { + return ret, err + } + if err = json.Unmarshal(content, &ret); err != nil { + return ret, err + } + return ret, nil +} + func main() { parseFlags() stmt := Statement{PredicateType: "https://slsa.dev/provenance/v0.1", Type: "https://in-toto.io/Statement/v0.1"} @@ -202,6 +215,10 @@ func main() { if err := json.Unmarshal([]byte(*runnerContext), &context.RunnerContext); err != nil { panic(err) } + var extraMaterials []string + if err := json.Unmarshal([]byte(*extraMaterial), &extraMaterials); err != nil { + panic(err) + } gh := context.GitHubContext // Remove access token from the generated provenance. context.GitHubContext.Token = "" @@ -217,6 +234,13 @@ func main() { } stmt.Predicate.Recipe.Arguments = event.Inputs stmt.Predicate.Materials = append(stmt.Predicate.Materials, Item{URI: "git+" + repoURI, Digest: DigestSet{"sha1": gh.SHA}}) + for _, filename := range extraMaterials { + infos, err := getExtraMaterials(filename) + if err != nil { + panic(err) + } + stmt.Predicate.Materials = append(stmt.Predicate.Materials, infos...) + } if os.Getenv("GITHUB_ACTIONS") == "true" { stmt.Predicate.Builder.Id = repoURI + GitHubHostedIdSuffix } else {
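Review bot: The new `extra_material` flag in the `@@ -25,6 +25,7 @@` hunk defaults to `""`, but the `@@ -202,6 +215,10 @@` hunk passes that value straight to `json.Unmarshal`, so any run that omits the flag — including the non-Actions path the surrounding code distinguishes with `os.Getenv("GITHUB_ACTIONS")` — panics on an empty JSON input before producing any provenance. action.yaml in the same patch defaults the input to `'[]'`; the flag should match it, `extraMaterial = flag.String("extra_material", "[]", "JSON array of paths to files with extra in-toto materials to add.")`, or the unmarshal should be guarded with `if *extraMaterial != "" {`. The help string should also name the JSON-array format, since it is the only place a command-line user sees it. The enclosing `var (` block opens before this hunk.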
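Review bot: `getExtraMaterials` in the `@@ -166,6 +167,18 @@` hunk returns the partially filled `ret` together with a non-nil error and never mentions `filename`, so when one entry of the `extra_material` list is unreadable or malformed, main's `panic(err)` prints a bare read or JSON error with no indication of which file caused it. It also accepts any array the file holds: an entry such as `{}` becomes a material with no `URI` and no `Digest` in the emitted provenance, which a consumer cannot verify, so I would reject such entries at parse time rather than record them. The rewrite below returns `nil` on every error path, wraps the errors with the filename, and checks each item; it uses `fmt`, which the hunk does not show imported, so add the import if the file lacks it. `ioutil.ReadFile` is deprecated from Go 1.16 in favour of `os.ReadFile` (`os` is already used by main), if the module's Go version allows.
```go
// getExtraMaterials reads filename, a JSON array of in-toto materials, and
// returns its entries. Entries without a uri or without any digest are
// rejected so that the provenance never carries unverifiable materials.
func getExtraMaterials(filename string) ([]Item, error) {
	content, err := ioutil.ReadFile(filename)
	if err != nil {
		return nil, fmt.Errorf("reading extra materials from %q: %w", filename, err)
	}
	var ret []Item
	if err := json.Unmarshal(content, &ret); err != nil {
		return nil, fmt.Errorf("parsing extra materials in %q: %w", filename, err)
	}
	for i, item := range ret {
		if item.URI == "" || len(item.Digest) == 0 {
			return nil, fmt.Errorf("extra material %d in %q has no uri or digest", i, filename)
		}
	}
	return ret, nil
}
```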