# Copyright 2022 SLSA Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Low-permission variant of the delegator workflow. It asks for as few
# GITHUB_TOKEN scopes as possible so that TRWs (the calling tool workflows)
# can in turn request fewer permissions from end-users.
#
# NOTE(review): every framework Action referenced below uses the mutable
# `@main` ref rather than a tag or commit SHA. Upstream's release process is
# presumably what rewrites these to a pinned ref — confirm this fork goes
# through the same process before relying on it.
name: "SLSA low-permission builder delegator"

# Start from an empty permission set; each job below requests only the single
# scope it needs.
permissions: {}

# Internal file/directory names shared by the jobs. These are fixed strings
# defined here, not user input, so `run:` scripts can reference them as plain
# shell variables.
env:
  SLSA_OUTPUTS_DIR: __SLSA_OUTPUTS_DIR__
  SLSA_ARTIFACTS_FILE: artifacts-layout.json
  SLSA_PREDICATE_FILE: predicate.json

defaults:
  run:
    shell: bash
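on: # yamllint disable-line rule:truthy
  workflow_call:
    # Optional secrets provided as arguments are passed as inputs to the
    # callback Action. None is mandatory — a caller forwards only the ones its
    # Action needs — so `required: false` is spelled out rather than left to
    # the implicit default of a bare key.
    secrets:
      secret1:
        required: false
      secret2:
        required: false
      secret3:
        required: false
      secret4:
        required: false
      secret5:
        required: false
      secret6:
        required: false
      secret7:
        required: false
      secret8:
        required: false
      secret9:
        required: false
      secret10:
        required: false
      secret11:
        required: false
      secret12:
        required: false
      secret13:
        required: false
      secret14:
        required: false
      secret15:
        required: false
    # Inputs provided as arguments are passed as inputs to the callback Action,
    # formatted as a map. The only input to this workflow itself is the signed
    # token; it is treated as untrusted until the verify-token job accepts it.
    inputs:
      slsa-token:
        description: "The signed SLSA token identifying the request"
        required: true
        type: string
    # Outputs are provided to the caller TRW.
    outputs:
      # This contains all the outputs of the callback Action, formatted as a map.
      build-artifacts-outputs:
        description: "The outputs from the build-artifacts Action, unchanged."
        value: ${{ jobs.build-artifacts-ubuntu.outputs.outputs }}
      # This is an output from the framework.
      attestations-download-name:
        description: >
          Name of the artifact to download all the attestations.
          Attestations are signed and have a "build.slsa" extension.
        value: ${{ jobs.generate-provenance.outputs.attestations-download-name }}
      # The digest lets the caller detect a swapped or tampered artifact
      # download; it should be checked before the attestations are used.
      attestations-download-sha256:
        description: >
          The sha256 digest of the attestations.
          Users should verify the download against this digest to prevent tampering.
        value: ${{ jobs.generate-provenance.outputs.attestations-download-sha256 }}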
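jobs:
  # rng generates a random number to avoid name collision in artifacts
  # when multiple workflows run concurrently. Every artifact name used by the
  # jobs below is prefixed with this value.
  rng:
    runs-on: ubuntu-latest
    outputs:
      value: ${{ steps.rng.outputs.random }}
    steps:
      - name: Generate random 16-byte value (32-char hex encoded)
        id: rng
        uses: slsa-framework/slsa-github-generator/.github/actions/rng@main

  # verify-token verifies the slsa token. Every later job reads the *verified*
  # token from this job's outputs; the raw `inputs.slsa-token` is never used
  # again after this point.
  verify-token:
    runs-on: ubuntu-latest
    needs: [rng]
    permissions:
      actions: read # For getting workflow run on private repos.
    outputs:
      slsa-verified-token: ${{ steps.verify.outputs.slsa-verified-token }}
      tool-repository: ${{ steps.verify.outputs.tool-repository }}
      tool-ref: ${{ steps.verify.outputs.tool-ref }}
      # Digest of the predicate as uploaded here; generate-provenance checks
      # its download against it so the file cannot change between jobs.
      predicate-sha256: ${{ steps.upload.outputs.sha256 }}
    steps:
      - name: Verify token
        id: verify
        uses: slsa-framework/slsa-github-generator/.github/actions/verify-token@main
        with:
          # Must equal this workflow's file name; presumably this is what
          # rejects a token that was issued for a different delegator.
          slsa-workflow-recipient: "delegator_lowperms-generic_slsa3.yml"
          slsa-unverified-token: ${{ inputs.slsa-token }}
          output-predicate: ${{ env.SLSA_PREDICATE_FILE }}
          builder-interface-type: "builder"
      - name: Upload predicate
        id: upload
        uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@main
        with:
          name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_PREDICATE_FILE }}"
          path: ${{ env.SLSA_PREDICATE_FILE }}

  # privacy-check verifies that the user has agreed for their repository name
  # to be made public, via the rekor log. The consent flag is read from the
  # verified token, not from a free-form input.
  privacy-check:
    needs: [rng, verify-token]
    runs-on: ubuntu-latest
    steps:
      - name: Check private repos
        uses: slsa-framework/slsa-github-generator/.github/actions/privacy-check@main
        with:
          error_message: "Repository is private. The workflow has halted in order to keep the repository name from being exposed in the public transparency log. Set 'private-repository' to override."
          override: ${{ fromJson(needs.verify-token.outputs.slsa-verified-token).builder.rekor_log_public }}

  # build-artifacts-ubuntu builds the projects by running the callback Action
  # named in the verified token.
  build-artifacts-ubuntu:
    needs: [rng, verify-token, privacy-check]
    # Only runs when the signed token asks for this runner label.
    if: fromJson(needs.verify-token.outputs.slsa-verified-token).builder.runner_label == 'ubuntu-latest'
    runs-on: ubuntu-latest
    permissions:
      contents: read # To checkout private repos.
    outputs:
      outputs: ${{ toJson(steps.build-artifacts-action.outputs) }}
      # Digest of the layout file as uploaded; re-checked on download.
      artifacts-layout-sha256: ${{ steps.upload.outputs.sha256 }}
    steps:
      - name: debug
        env:
          TOKEN: ${{ toJson(needs.verify-token.outputs.slsa-verified-token) }}
          RUNNER: ${{ fromJson(needs.verify-token.outputs.slsa-verified-token).builder.runner_label }}
        run: |
          # Label each value; the previous form expanded the variable in the
          # label too and printed every value twice.
          echo "TOKEN: $TOKEN"
          echo "RUNNER: $RUNNER"
      - name: Checkout the tool repository
        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
        with:
          repository: ${{ needs.verify-token.outputs.tool-repository }}
          ref: ${{ needs.verify-token.outputs.tool-ref }}
          path: __TOOL_CHECKOUT_DIR__
      # Move the tool checkout out of the workspace, presumably so the project
      # checkout below cannot clobber it.
      - name: Move tool checkout out of the workspace
        run: |
          set -euo pipefail
          mv ./__TOOL_CHECKOUT_DIR__ ../__TOOL_CHECKOUT_DIR__
      - name: Setup Action directory
        env:
          # Path of the callback Action inside the tool repository, taken from
          # the verified token.
          ACTION_PATH: ${{ fromJson(needs.verify-token.outputs.slsa-verified-token).tool.actions.build_artifacts.path }}
        run: |
          set -euo pipefail
          mkdir -p ../__TOOL_ACTION_DIR__
          # NOTE(review): ACTION_PATH is trusted only because it comes from the
          # verified token; whether verify-token rejects '..' components is not
          # visible in this file — confirm before relying on it.
          mv ../__TOOL_CHECKOUT_DIR__/"$ACTION_PATH"/* ../__TOOL_ACTION_DIR__/
          # Create the output directory.
          mkdir "../$SLSA_OUTPUTS_DIR"
          # Print for debugging
          echo "ACTION_PATH=$ACTION_PATH"
          tree
      - name: Checkout the project repository
        uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main
        with:
          fetch-depth: ${{ fromJson(needs.verify-token.outputs.slsa-verified-token).source.checkout.fetch_depth }}
          checkout-sha1: ${{ fromJson(needs.verify-token.outputs.slsa-verified-token).source.checkout.sha1 }}
      # NOTE: This calls the Action defined in the slsa-token. The forwarded
      # secrets reach it as ordinary inputs, so anything it writes to its
      # outputs or logs is the Action's responsibility to keep clean.
      - name: Build artifacts
        id: build-artifacts-action
        uses: ./../__TOOL_ACTION_DIR__
        with:
          slsa-workflow-inputs: ${{ toJson(fromJson(needs.verify-token.outputs.slsa-verified-token).tool.inputs) }}
          slsa-layout-file: ../${{ env.SLSA_OUTPUTS_DIR }}/${{ env.SLSA_ARTIFACTS_FILE }}
          slsa-workflow-secret1: ${{ secrets.secret1 }}
          slsa-workflow-secret2: ${{ secrets.secret2 }}
          slsa-workflow-secret3: ${{ secrets.secret3 }}
          slsa-workflow-secret4: ${{ secrets.secret4 }}
          slsa-workflow-secret5: ${{ secrets.secret5 }}
          slsa-workflow-secret6: ${{ secrets.secret6 }}
          slsa-workflow-secret7: ${{ secrets.secret7 }}
          slsa-workflow-secret8: ${{ secrets.secret8 }}
          slsa-workflow-secret9: ${{ secrets.secret9 }}
          slsa-workflow-secret10: ${{ secrets.secret10 }}
          slsa-workflow-secret11: ${{ secrets.secret11 }}
          slsa-workflow-secret12: ${{ secrets.secret12 }}
          slsa-workflow-secret13: ${{ secrets.secret13 }}
          slsa-workflow-secret14: ${{ secrets.secret14 }}
          slsa-workflow-secret15: ${{ secrets.secret15 }}
      # The callback Action's outputs are echoed verbatim; see the note above.
      - name: debug
        env:
          OUTPUTS: ${{ toJson(steps.build-artifacts-action.outputs) }}
        run: |
          echo "OUTPUTS: $OUTPUTS"
      # NOTE: Needed to upload the file. The names are workflow-level env
      # constants, so they are read as shell variables rather than spliced
      # into the script with `${{ }}`.
      - name: Move artifact layout file to workspace
        run: |
          set -euo pipefail
          mv "../$SLSA_OUTPUTS_DIR/$SLSA_ARTIFACTS_FILE" "$SLSA_ARTIFACTS_FILE"
      - name: Upload artifact layout file
        id: upload
        uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@main
        with:
          name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_ARTIFACTS_FILE }}"
          path: "${{ env.SLSA_ARTIFACTS_FILE }}"

  # generate-provenance generates and signs the provenance. It is skipped
  # along with build-artifacts-ubuntu when that job does not run.
  generate-provenance:
    needs: [rng, verify-token, privacy-check, build-artifacts-ubuntu]
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Needed to sign
    outputs:
      attestations-download-name: "${{ needs.rng.outputs.value }}-slsa-attestations"
      attestations-download-sha256: "${{ steps.upload.outputs.sha256 }}"
    steps:
      # Both downloads are pinned to the digest recorded by the producing job,
      # so a replaced artifact fails here instead of being signed.
      - name: Download the artifact layout file
        uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@main
        with:
          name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_ARTIFACTS_FILE }}"
          path: "${{ env.SLSA_ARTIFACTS_FILE }}"
          sha256: ${{ needs.build-artifacts-ubuntu.outputs.artifacts-layout-sha256 }}
      - name: Download the predicate file
        uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@main
        with:
          name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_PREDICATE_FILE }}"
          path: ${{ env.SLSA_PREDICATE_FILE }}
          sha256: ${{ needs.verify-token.outputs.predicate-sha256 }}
      - name: debug
        run: |
          echo "predicate file: $(cat "$SLSA_PREDICATE_FILE")"
          echo "artifact file: $(cat "$SLSA_ARTIFACTS_FILE")"
      # Map the token's slsaVersion to a predicate type; anything else aborts
      # rather than falling through to a default.
      - name: Set predicate-type
        id: predicate-type
        env:
          SLSA_VERSION: ${{ fromJson(needs.verify-token.outputs.slsa-verified-token).slsaVersion }}
        run: |
          case "$SLSA_VERSION" in
            "v0.2")
              echo "predicate-type=https://slsa.dev/provenance/v0.2" >> "$GITHUB_OUTPUT"
              ;;
            "v1.0")
              echo "predicate-type=https://slsa.dev/provenance/v1" >> "$GITHUB_OUTPUT"
              ;;
            *)
              >&2 echo "Error: unknown SLSA version: ${SLSA_VERSION}"
              exit 1
          esac
      - name: Generate attestations
        id: attestations
        uses: slsa-framework/slsa-github-generator/.github/actions/generate-attestations@main
        with:
          slsa-layout-file: ${{ env.SLSA_ARTIFACTS_FILE }}
          predicate-type: ${{ steps.predicate-type.outputs.predicate-type }}
          predicate-file: ${{ env.SLSA_PREDICATE_FILE }}
          output-folder: attestations
      - name: Sign attestations
        id: sign
        uses: slsa-framework/slsa-github-generator/.github/actions/sign-attestations@main
        with:
          attestations: attestations
          output-folder: "${{ needs.rng.outputs.value }}-slsa-attestations"
      - name: Upload attestations
        id: upload
        uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@main
        with:
          name: "${{ needs.rng.outputs.value }}-slsa-attestations"
          path: "${{ needs.rng.outputs.value }}-slsa-attestations"

  # cleanup deletes internal artifacts used by the delegator workflow. It only
  # runs after generate-provenance succeeds, so a failed run leaves the
  # predicate and layout artifacts behind. The deleter is the one third-party
  # Action in this file and is pinned by commit SHA.
  cleanup:
    runs-on: ubuntu-latest
    needs: [rng, generate-provenance]
    env:
      RNG: ${{ needs.rng.outputs.value }}
    steps:
      - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0
        with:
          name: "${{ env.RNG }}-${{ env.SLSA_PREDICATE_FILE }}"
      - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0
        with:
          name: "${{ env.RNG }}-${{ env.SLSA_ARTIFACTS_FILE }}"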