revert: "feat: Make possible to provide image as a secret"

.github/workflows/generator_container_slsa3.yml

@@ -45,6 +45,7 @@ on:
     inputs:
       image:
         description: "The OCI image name. This must not include a tag or digest."
+        required: true
         type: string
       digest:
         description: "The OCI image digest. The image digest of the form '<algorithm>:<digest>' (e.g. 'sha256:abcdef...')"
@@ -176,7 +177,6 @@ jobs:
         continue-on-error: true
         env:
           UNTRUSTED_IMAGE: "${{ inputs.image }}"
-          UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
           UNTRUSTED_INPUT_USERNAME: "${{ inputs.registry-username }}"
           UNTRUSTED_SECRET_USERNAME: "${{ secrets.registry-username }}"
           UNTRUSTED_PASSWORD: "${{ secrets.registry-password }}"
@@ -190,7 +190,7 @@ jobs:
           # See: https://stackoverflow.com/questions/37861791/how-are-docker-image-names-parsed#37867949
           untrusted_registry="docker.io"
           # NOTE: Do not fail the script if grep does not match.
-          maybe_domain=$(echo "${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
+          maybe_domain=$(echo "${UNTRUSTED_IMAGE}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
           if [ "${maybe_domain}" != "" ]; then
             untrusted_registry="${maybe_domain}"
           fi
@@ -264,7 +264,6 @@ jobs:
         continue-on-error: true
         env:
           UNTRUSTED_IMAGE: "${{ inputs.image }}"
-          UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
           UNTRUSTED_DIGEST: "${{ inputs.digest }}"
           GITHUB_CONTEXT: "${{ toJSON(github) }}"
           UNTRUSTED_PROVENANCE_REGISTRY: "${{ inputs.provenance-registry }}"
@@ -283,7 +282,7 @@ jobs:
           cosign attest --predicate="$predicate_name" \
             --type slsaprovenance \
             --yes \
-            "${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}@${UNTRUSTED_DIGEST}"
+            "${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"
 
       - name: Final outcome
         id: final

CHANGELOG.md

@@ -9,9 +9,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- toc -->
 
-- [Unreleased](#unreleased)
-  - [Changes](#changes)
-    - [Container generator](#container-generator)
 - [v1.9.0](#v190)
   - [v1.9.0: BYOB framework (beta)](#v190-byob-framework-beta)
   - [v1.9.0: Maven builder (beta)](#v190-maven-builder-beta)
@@ -28,15 +25,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
       - [New Features](#new-features)
     - [Generic generator](#generic-generator)
       - [New Features](#new-features-1)
-    - [Container generator](#container-generator-1)
+    - [Container generator](#container-generator)
   - [Changelog since v1.5.0](#changelog-since-v150)
 - [v1.5.0](#v150)
   - [Summary of changes](#summary-of-changes-1)
     - [Go builder](#go-builder-1)
       - [New Features](#new-features-2)
     - [Generic generator](#generic-generator-1)
       - [New Features](#new-features-3)
-    - [Container generator](#container-generator-2)
+    - [Container generator](#container-generator-1)
       - [New Features](#new-features-4)
   - [Changelog since v1.4.0](#changelog-since-v140)
 - [v1.4.0](#v140)
@@ -95,15 +92,6 @@ Information on the next release will be added here.
 Use the format "X.Y.Z: Go builder" etc. for format headers to avoid header name
 duplication."
 -->
-## Unreleased
-
-This section includes upcoming changes which are not included in the latest release.
-
-### Changes
-
-#### Container generator
-
-- **Added**: Passing an image name to the `generator_container_salsa3.yml` containing secret values. (See [#2917](https://github.com/slsa-framework/slsa-github-generator/issues/2917))
 
 ## v1.9.0
 

internal/builders/container/README.md

@@ -205,8 +205,8 @@ The [container workflow](https://github.com/slsa-framework/slsa-github-generator
 Inputs:
 
 | Name                             | Description                                                                                                                                                                                                                                                                             |
-|----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `image`                          | The OCI image name. This must not include a tag or digest. Either `image` input or `image` secret is **required**. Secret `image` value takes precedence on `image` input value.                                                                                                        |
+| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `image`                          | **(Required)** The OCI image name. This must not include a tag or digest.                                                                                                                                                                                                               |
 | `digest`                         | **(Required)** The OCI image digest. The image digest of the form '<algorithm>:<digest>' (e.g. 'sha256:abcdef...')                                                                                                                                                                      |
 | `registry-username`              | Username to log in the container registry. Either `registry-username` input or `registry-username` secret is required.                                                                                                                                                                  |
 | `compile-generator`              | Whether to build the generator from source. This increases build time by ~2m.<br>Default: `false`.                                                                                                                                                                                      |
@@ -232,15 +232,15 @@ Secrets:
 The [container workflow](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_container_slsa3.yml) accepts the following outputs:
 
 | Name      | Description                                                                                     |
-|-----------|-------------------------------------------------------------------------------------------------|
+| --------- | ----------------------------------------------------------------------------------------------- |
 | `outcome` | If `continue-on-error` is `true`, will contain the outcome of the run (`success` or `failure`). |
 
 ### Provenance Format
 
 The project generates SLSA provenance with the following values.
 
 | Name                         | Value                                                                    | Description                                                                                                                                                                                                            |
-|------------------------------|--------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| ---------------------------- | ------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `buildType`                  | `"https://github.com/slsa-framework/slsa-github-generator/container@v1"` | Identifies a the GitHub Actions build.                                                                                                                                                                                 |
 | `metadata.buildInvocationID` | `"[run_id]-[run_attempt]"`                                               | The GitHub Actions [`run_id`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context) does not update when a workflow is re-run. Run attempt is added to make the build invocation ID unique. |