From a9d70268a0e6081d8d9e0e9fd3f58e4da5f19786 Mon Sep 17 00:00:00 2001
From: Danil Grigorev
Date: Thu, 26 Oct 2023 22:42:13 +0200
Subject: [PATCH 1/3] Make possible to provide image as a secret Add option to provide image as a secret for private registries.
Signed-off-by: Danil Grigorev
---
 .github/workflows/generator_container_slsa3.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index f9983d061d..7c36b2339f 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -32,10 +32,11 @@ on:
 description: "Username to log into the container registry."
 registry-password:
 description: "Password to log in the container registry."
+ image:
+ description: "The OCI image name. This must not include a tag or digest."
 inputs:
 image:
 description: "The OCI image name. This must not include a tag or digest."
- required: true
 type: string
 digest:
 description: "The OCI image digest. The image digest of the form ':' (e.g. 'sha256:abcdef...')"
@@ -157,6 +158,7 @@ jobs:
 continue-on-error: true
 env:
 UNTRUSTED_IMAGE: "${{ inputs.image }}"
+ UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
 UNTRUSTED_INPUT_USERNAME: "${{ inputs.registry-username }}"
 UNTRUSTED_SECRET_USERNAME: "${{ secrets.registry-username }}"
 UNTRUSTED_PASSWORD: "${{ secrets.registry-password }}"
@@ -170,7 +172,7 @@ jobs:
 # See: https://stackoverflow.com/questions/37861791/how-are-docker-image-names-parsed#37867949
 untrusted_registry="docker.io"
 # NOTE: Do not fail the script if grep does not match.
- maybe_domain=$(echo "${UNTRUSTED_IMAGE}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
+ maybe_domain=$(echo "${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
 if [ "${maybe_domain}" != "" ]; then
 untrusted_registry="${maybe_domain}"
 fi
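Review bot: Dropping `required: true` from `inputs.image` leaves no check that at least one of `inputs.image` and `secrets.image` is set; both consumers of `${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}`, in the `@@ -170` hunk here and in the `cosign attest` hunk (`@@ -211`), quietly resolve to an empty string, so the registry defaults to `docker.io` and the attested reference degenerates to `@${UNTRUSTED_DIGEST}`, failing late and far from the cause. The workflow already pairs `UNTRUSTED_INPUT_USERNAME` with `UNTRUSTED_SECRET_USERNAME`; if that pair has an explicit presence check (not visible in these hunks), the image pair should get the same one at the top of the detection step: `image_name="${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}"` followed by `if [ -z "${image_name}" ]; then echo "either the image input or the image secret must be set" >&2; exit 1; fi`. The new secret's description also says nothing about its relation to the input, which the README hunk in the second patch does; suggest `description: "The OCI image name, provided as a secret. Takes precedence over the image input; one of the two must be set."`. The enclosing `on:` trigger mapping starts before this hunk.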
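Review bot: With the secret set, `maybe_domain` and therefore `untrusted_registry` become substrings of `secrets.image`, and the runner's log masking redacts the exact registered secret value rather than substrings, so neither derived variable is masked; any later `echo` of `untrusted_registry` or its appearance in a printed command line (the rest of this step is outside the hunk) would disclose the registry host that the README hunk describes as undisclosed. Worth a comment on the new line, `# NOTE: when secrets.image is set this is derived from a secret and is NOT masked in logs; never echo it.`, plus a check that the remainder of the step does not print the variable.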
@@ -199,6 +201,7 @@ jobs:
 continue-on-error: true
 env:
 UNTRUSTED_IMAGE: "${{ inputs.image }}"
+ UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
 UNTRUSTED_DIGEST: "${{ inputs.digest }}"
 GITHUB_CONTEXT: "${{ toJSON(github) }}"
 run: |
@@ -211,7 +214,7 @@ jobs:
 COSIGN_EXPERIMENTAL=1 cosign attest --predicate="$predicate_name" \
 --type slsaprovenance \
 --yes \
- "${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"
+ "${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}@${UNTRUSTED_DIGEST}"
 - name: Final outcome
 id: final
From a1078db98da2046d47e18455acdb0f1f6c22a07d Mon Sep 17 00:00:00 2001
From: Danil Grigorev
Date: Fri, 27 Oct 2023 11:25:05 +0200
Subject: [PATCH 2/3] Add unreleased section in changelog, secret image as input
Signed-off-by: Danil Grigorev
---
 CHANGELOG.md | 16 ++++++++++++++--
 internal/builders/container/README.md | 11 ++++++-----
 2 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8fe9fe47fc..afec59322d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
+- [Unreleased](#unreleased)
+ - [Changes](#changes)
+ - [Container generator](#container-generator)
 - [v1.9.0](#v190)
 - [v1.9.0: BYOB framework (beta)](#v190-byob-framework-beta)
 - [v1.9.0: Maven builder (beta)](#v190-maven-builder-beta)
@@ -25,7 +28,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [New Features](#new-features)
 - [Generic generator](#generic-generator)
 - [New Features](#new-features-1)
- - [Container generator](#container-generator)
+ - [Container generator](#container-generator-1)
 - [Changelog since v1.5.0](#changelog-since-v150)
 - [v1.5.0](#v150)
 - [Summary of changes](#summary-of-changes-1)
@@ -33,7 +36,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [New Features](#new-features-2)
 - [Generic generator](#generic-generator-1)
 - [New Features](#new-features-3)
- - [Container generator](#container-generator-1)
+ - [Container generator](#container-generator-2)
 - [New Features](#new-features-4)
 - [Changelog since v1.4.0](#changelog-since-v140)
 - [v1.4.0](#v140)
@@ -92,6 +95,15 @@ Information on the next release will be added here. Use the format "X.Y.Z: Go builder" etc. for format headers to avoid header name duplication." -->
+## Unreleased
+
+This section includes upcoming changes which are not included in the latest release.
+
+### Changes
+
+#### Container generator
+
+- **Fixed**: Passing an image name to the `generator_container_salsa3.yml` containing secret values. (See [#2917](https://github.com/slsa-framework/slsa-github-generator/issues/2917))
 ## v1.9.0
diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index 7686c0e2c9..148fa9e733 100644
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -204,8 +204,8 @@ The [container workflow](https://github.com/slsa-framework/slsa-github-generator Inputs: | Name | Description | -| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `image` | **(Required)** The OCI image name. This must not include a tag or digest. | +|----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `image` | The OCI image name. This must not include a tag or digest. Either `image` input or `image` secret is **required**. Secret `image` value takes precedence on `image` input value. | | `digest` | **(Required)** The OCI image digest. The image digest of the form ':' (e.g. 'sha256:abcdef...') | | `registry-username` | Username to log in the container registry. Either `registry-username` input or `registry-username` secret is required. | | `compile-generator` | Whether to build the generator from source. This increases build time by ~2m.
Default: `false`. | 
@@ -217,7 +217,8 @@ Inputs: Secrets: | Name | Description | -| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `image` | The OCI image name. This must not include a tag or digest. Either `image` input or `image` secret is **required**. Secret `image` value takes precedence on `image` input value. Should be used in scenarios when the image name contains secret values, and therefore can't be provided directly. Use case - an undisclosed private registry use. | | `registry-username` | Username to log in the container registry. Either `registry-username` input or `registry-username` secret is required. This should only be used for high entropy values such as AWS Access Key as described [here](https://github.com/docker/login-action#aws-elastic-container-registry-ecr). Normal username values could match other input values and cause them to be ignored by GitHub Actions and causing your build to fail. In those cases, use the `registry-username` input instead. 
| | `registry-password` | **(Required)** Password to log in the container registry. | @@ -226,7 +227,7 @@ Secrets: The [container workflow](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_container_slsa3.yml) accepts the following outputs: | Name | Description | -| --------- | ----------------------------------------------------------------------------------------------- | +|-----------|-------------------------------------------------------------------------------------------------| | `outcome` | If `continue-on-error` is `true`, will contain the outcome of the run (`success` or `failure`). | ### Provenance Format @@ -234,7 +235,7 @@ The [container workflow](https://github.com/slsa-framework/slsa-github-generator The project generates SLSA provenance with the following values. | Name | Value | Description | -| ---------------------------- | ------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +|------------------------------|--------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `buildType` | `"https://github.com/slsa-framework/slsa-github-generator/container@v1"` | Identifies a the GitHub Actions build. | | `metadata.buildInvocationID` | `"[run_id]-[run_attempt]"` | The GitHub Actions [`run_id`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context) does not update when a workflow is re-run. Run attempt is added to make the build invocation ID unique. | From ac3ccaf5218dff18a77c3f87a71eb21219e53359 Mon Sep 17 00:00:00 2001 
From: Ian Lewis
Date: Fri, 27 Oct 2023 21:18:32 +0900
Subject: [PATCH 3/3] Update CHANGELOG.md
Signed-off-by: Ian Lewis
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index afec59322d..2adb23321d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -103,7 +103,7 @@ This section includes upcoming changes which are not included in the latest rele
 #### Container generator
-- **Fixed**: Passing an image name to the `generator_container_salsa3.yml` containing secret values. (See [#2917](https://github.com/slsa-framework/slsa-github-generator/issues/2917))
+- **Added**: Passing an image name to the `generator_container_salsa3.yml` containing secret values. (See [#2917](https://github.com/slsa-framework/slsa-github-generator/issues/2917))
 ## v1.9.0