feat: Make possible to provide image as a secret #2918

Merged
merged 3 commits into from
Oct 27, 2023
Changes from 2 commits
9 changes: 6 additions & 3 deletions .github/workflows/generator_container_slsa3.yml
Expand Up @@ -32,10 +32,11 @@ on:
description: "Username to log into the container registry."
registry-password:
description: "Password to log in the container registry."
image:
description: "The OCI image name. This must not include a tag or digest."
inputs:
image:
description: "The OCI image name. This must not include a tag or digest."
required: true
type: string
digest:
description: "The OCI image digest. The image digest of the form '<algorithm>:<digest>' (e.g. 'sha256:abcdef...')"
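Review bot: The rendered diff has lost its +/- markers, so it is not visible whether the `required: true` under the `image` input is being removed in this hunk. If it stays, a caller who supplies the image only through the new `image` secret is rejected by input validation before any job runs, which contradicts the README change in this PR ("Either `image` input or `image` secret is **required**"). Please confirm the input is now optional and that the first job fails with an explicit message when neither the input nor the secret is set.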
Expand Down Expand Up @@ -157,6 +158,7 @@ jobs:
continue-on-error: true
env:
UNTRUSTED_IMAGE: "${{ inputs.image }}"
UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
UNTRUSTED_INPUT_USERNAME: "${{ inputs.registry-username }}"
UNTRUSTED_SECRET_USERNAME: "${{ secrets.registry-username }}"
UNTRUSTED_PASSWORD: "${{ secrets.registry-password }}"
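Review bot: `UNTRUSTED_SECRET_IMAGE` follows the same prefix convention as the other caller-controlled values, which is right, but this hunk only introduces the variable. A secret is exactly as caller-controlled as an input, so whatever check is applied to `UNTRUSTED_IMAGE` (the description requires a name without tag or digest) must also run against the secret value; make sure every place that validates or parses the image reads the same `${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}` expression rather than `UNTRUSTED_IMAGE` alone.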
Expand All @@ -170,7 +172,7 @@ jobs:
# See: https://stackoverflow.com/questions/37861791/how-are-docker-image-names-parsed#37867949
untrusted_registry="docker.io"
# NOTE: Do not fail the script if grep does not match.
maybe_domain=$(echo "${UNTRUSTED_IMAGE}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
maybe_domain=$(echo "${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
if [ "${maybe_domain}" != "" ]; then
untrusted_registry="${maybe_domain}"
fi
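Review bot: The `:-` expansion makes an empty secret fall back to the input, which matches the documented precedence, but when neither is set this script carries on with `untrusted_registry="docker.io"` and an empty image name instead of failing. Add a guard before the `maybe_domain=` line, for example `if [ -z "${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}" ]; then echo "image input or image secret is required" >&2; exit 1; fi`. Since the value is caller-controlled, `printf '%s\n' "${...}"` is also safer than `echo` here, as some `echo` implementations interpret a leading `-n` or `-e`.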
Expand Down Expand Up @@ -199,6 +201,7 @@ jobs:
continue-on-error: true
env:
UNTRUSTED_IMAGE: "${{ inputs.image }}"
UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
UNTRUSTED_DIGEST: "${{ inputs.digest }}"
GITHUB_CONTEXT: "${{ toJSON(github) }}"
run: |
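Review bot: The effective-image selection `${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}` is now written out in two jobs (the registry-parsing step above and the attest step here), so any future change to the precedence rule has to be made twice. Compute it once, for example as an output of the first job or a single derived `env` entry, and reference that from both `run:` blocks.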
Expand All @@ -211,7 +214,7 @@ jobs:
COSIGN_EXPERIMENTAL=1 cosign attest --predicate="$predicate_name" \
--type slsaprovenance \
--yes \
"${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"
"${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}@${UNTRUSTED_DIGEST}"

- name: Final outcome
id: final
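Review bot: With the secret-derived name used as the `cosign attest` target, GitHub's secret masking is the only thing keeping it out of the logs, and the attestation is still pushed to that image in the registry, so anyone with registry access sees the name. That is fine for the stated private-registry use case, but it should be documented that the secret hides the name from the workflow definition and logs, not from the registry. Because this step runs with `continue-on-error: true`, consider also logging a non-sensitive form of the subject (for example only the digest) so a failed attestation can still be traced without exposing the name.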
16 changes: 14 additions & 2 deletions CHANGELOG.md
Expand Up @@ -9,6 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

<!-- toc -->

- [Unreleased](#unreleased)
- [Changes](#changes)
- [Container generator](#container-generator)
- [v1.9.0](#v190)
- [v1.9.0: BYOB framework (beta)](#v190-byob-framework-beta)
- [v1.9.0: Maven builder (beta)](#v190-maven-builder-beta)
Expand All @@ -25,15 +28,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- [New Features](#new-features)
- [Generic generator](#generic-generator)
- [New Features](#new-features-1)
- [Container generator](#container-generator)
- [Container generator](#container-generator-1)
- [Changelog since v1.5.0](#changelog-since-v150)
- [v1.5.0](#v150)
- [Summary of changes](#summary-of-changes-1)
- [Go builder](#go-builder-1)
- [New Features](#new-features-2)
- [Generic generator](#generic-generator-1)
- [New Features](#new-features-3)
- [Container generator](#container-generator-1)
- [Container generator](#container-generator-2)
- [New Features](#new-features-4)
- [Changelog since v1.4.0](#changelog-since-v140)
- [v1.4.0](#v140)
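Review bot: The anchor renumbering (`#container-generator` to `#container-generator-1`, `-1` to `-2`) is consistent with the new `#### Container generator` heading under Unreleased becoming the first occurrence, but these anchors are tool-generated; regenerate the toc rather than hand-editing it, and note that they will need renumbering again when the Unreleased section is folded into a release.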
Expand Down Expand Up @@ -92,6 +95,15 @@ Information on the next release will be added here.
Use the format "X.Y.Z: Go builder" etc. for format headers to avoid header name
duplication."
-->
## Unreleased

This section includes upcoming changes which are not included in the latest release.

### Changes

#### Container generator

- **Fixed**: Passing an image name to the `generator_container_salsa3.yml` containing secret values. (See [#2917](https://github.com/slsa-framework/slsa-github-generator/issues/2917))

## v1.9.0

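Review bot: The workflow file name in the new entry is misspelled: `generator_container_salsa3.yml` should be `generator_container_slsa3.yml`, the file this PR modifies. The entry is also labelled **Fixed** although the PR title is `feat:` and the change adds a new `image` secret; **Added**, with wording along the lines of "the container generator accepts the image name via an `image` secret for names that contain secret values", describes it more accurately.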
11 changes: 6 additions & 5 deletions internal/builders/container/README.md
Expand Up @@ -204,8 +204,8 @@ The [container workflow](https://github.com/slsa-framework/slsa-github-generator
Inputs:

| Name | Description |
| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `image` | **(Required)** The OCI image name. This must not include a tag or digest. |
|----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `image` | The OCI image name. This must not include a tag or digest. Either `image` input or `image` secret is **required**. Secret `image` value takes precedence on `image` input value. |
| `digest` | **(Required)** The OCI image digest. The image digest of the form '<algorithm>:<digest>' (e.g. 'sha256:abcdef...') |
| `registry-username` | Username to log in the container registry. Either `registry-username` input or `registry-username` secret is required. |
| `compile-generator` | Whether to build the generator from source. This increases build time by ~2m.<br>Default: `false`. |
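Review bot: "takes precedence on `image` input value" should read "takes precedence over the `image` input". Separately, the separator row changed only in whitespace (`| ---- |` to `|----|`), here and in the three other tables of this file, which suggests a formatter other than the repository's was run; keep the existing separator style so the diff contains only the intended documentation change.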
Expand All @@ -217,7 +217,8 @@ Inputs:
Secrets:

| Name | Description |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `image` | The OCI image name. This must not include a tag or digest. Either `image` input or `image` secret is **required**. Secret `image` value takes precedence on `image` input value. Should be used in scenarios when the image name contains secret values, and therefore can't be provided directly. Use case - an undisclosed private registry use. |
| `registry-username` | Username to log in the container registry. Either `registry-username` input or `registry-username` secret is required. This should only be used for high entropy values such as AWS Access Key as described [here](https://github.com/docker/login-action#aws-elastic-container-registry-ecr). Normal username values could match other input values and cause them to be ignored by GitHub Actions and causing your build to fail. In those cases, use the `registry-username` input instead. |
| `registry-password` | **(Required)** Password to log in the container registry. |

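Review bot: Two wording issues in the new `image` secret row: "precedence on" should be "precedence over", and "Use case - an undisclosed private registry use." reads awkwardly; "for example, when the registry hostname itself must not be disclosed" is clearer. More importantly, the row should say what the secret does and does not protect: it keeps the name out of the workflow file and, through GitHub's masking, out of the logs, but the workflow still logs in to that registry and pushes the attestation there, so the name is not hidden from anyone with registry access. The neighbouring `registry-username` row already warns that a low-entropy secret can collide with other log output and be masked; the same caveat applies to a short image name passed as a secret and is worth repeating here.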
Expand All @@ -226,15 +227,15 @@ Secrets:
The [container workflow](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_container_slsa3.yml) accepts the following outputs:

| Name | Description |
| --------- | ----------------------------------------------------------------------------------------------- |
|-----------|-------------------------------------------------------------------------------------------------|
| `outcome` | If `continue-on-error` is `true`, will contain the outcome of the run (`success` or `failure`). |

### Provenance Format

The project generates SLSA provenance with the following values.

| Name | Value | Description |
| ---------------------------- | ------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|------------------------------|--------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `buildType` | `"https://github.com/slsa-framework/slsa-github-generator/container@v1"` | Identifies a the GitHub Actions build. |
| `metadata.buildInvocationID` | `"[run_id]-[run_attempt]"` | The GitHub Actions [`run_id`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context) does not update when a workflow is re-run. Run attempt is added to make the build invocation ID unique. |

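Review bot: Both changed lines in this hunk (the separator rows of the outputs table and the provenance table) are whitespace-only; revert them so the hunk disappears from the PR. Drive-by in the unchanged context: "Identifies a the GitHub Actions build." has a stray article.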