This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

fix(docker_pwd) remove extra input (#130)
* fix(docker_pwd) remove extra input

* fix(action) update release info

* fix(readme/entrypoint) update doc and use token.

* fix(action) set github token to require

use original input env for docker login
ybelMekk committed Nov 16, 2022
1 parent 5788c8b commit e1cc35b
Showing 6 changed files with 31 additions and 37 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/keyless-salsa-integration.yaml
Expand Up @@ -39,6 +39,6 @@ jobs:
uses: ./
with:
identity_token: ${{ steps.google.outputs.id_token }}
docker_pwd: ${{ secrets.GITHUB_TOKEN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
env:
COSIGN_EXPERIMENTAL: "true"
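Review bot: with `docker_pwd` gone, the registry login in this workflow now rides entirely on `github_token: ${{ secrets.GITHUB_TOKEN }}`; make sure the job's `permissions:` block (outside this hunk) grants `packages: write`, because the action also pushes the attestation and a read-only default token would make that push fail at runtime rather than at review time.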
2 changes: 1 addition & 1 deletion .github/workflows/main.yml
Expand Up @@ -10,7 +10,7 @@ on:
- 'Makefile'

env:
VERSION: v0.5
VERSION: v0.6
IMAGE_NAME: ghcr.io/${{ github.repository }}
COSIGN_VERSION: v1.13.1
SYFT_VERSION: v0.44.1
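Review bot: `VERSION: v0.6` has to move in lockstep with the `image:` tag in action.yml, which is bumped by hand in the same change; a comment here pointing at the other location, or a release check that compares the two values, would stop a future bump from building v0.7 while action.yml still pulls v0.6.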
2 changes: 1 addition & 1 deletion .github/workflows/service-account-salsa-integration.yml
Expand Up @@ -40,7 +40,7 @@ jobs:
uses: ./
with:
key: ${{ secrets.SALSA_KMS_KEY }}
docker_pwd: ${{ secrets.GITHUB_TOKEN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
# For demonstration purpose
- name: Upload provenance
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3
46 changes: 22 additions & 24 deletions README.md
Expand Up @@ -192,7 +192,7 @@ jobs:
uses: nais/salsa@v0.x
with:
key: ${{ env.KEY }}
docker_pwd: ${{ secrets.GITHUB_TOKEN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
```

##### Google Authentication
Expand All @@ -205,7 +205,7 @@ account json key.
`with.key` is the key [URI format](https://github.com/sigstore/cosign/blob/main/KMS.md#gcp) for Google KMS.
Format: `gcpkms://projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/versions/$KEY_VERSION`

`with.docker_pwd` is the GitHub token to authenticate with the registry.
`with.github_token` is the GitHub token to authenticate with the registry.

### Keyless Signatures

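Review bot: the line "`with.github_token` is the GitHub token to authenticate with the registry" only mentions registry authentication, but after this change the same input is also what the dependency step uses to read private packages (per the action.yml description); say so here and state the minimum permissions (read access to packages for the dependency lookup, write access for pushing the attestation) so users who substitute a PAT do not over-provision it.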
Expand Down Expand Up @@ -264,7 +264,7 @@ jobs:
uses: nais/salsa@v0.x
with:
identity_token: ${{ steps.google.outputs.id_token }}
docker_pwd: ${{ secrets.GITHUB_TOKEN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
env:
COSIGN_EXPERIMENTAL: "true"
```
Expand Down Expand Up @@ -293,7 +293,7 @@ The described `with` fields is required for `nais salsa`.
`with.identity_token` is the output `identity_token` from the Google Auth Action.
Format: `steps.steps-id.outputs.id_token`

`with.docker_pwd` is the GitHub token to authenticate with the registry. The password is used by `nais salsa` to
`with.github_token` is the GitHub token to authenticate with the registry. The password is used by `nais salsa` to
authenticate with the registry to download the image for Cosign to sign and push attestation to the registry.

`with.env.COSIGN_EXPERIMENTAL` is required to be set to `true` for Cosign to enable keyless signatures.
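Review bot: "The password is used by `nais salsa` to" still calls the token a password after the rename; suggest "The token is used by `nais salsa` to authenticate with the registry, download the image for Cosign to sign, and push the attestation to the registry."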
Expand All @@ -310,12 +310,12 @@ the [cosign docs](https://github.com/sigstore/cosign#specifying-registry)
uses: nais/salsa@v0.x
with:
key: ${{ secrets.SALSA_KMS_KEY }}
docker_pwd: ${{ secrets.GITHUB_TOKEN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
env:
COSIGN_REPOSITORY: "registry.io/signatures"
```

Actor must be sure that `with.docker_pwd` has access to the signature repository.
Actor must be sure that `with.github_token` has access to the signature repository.

## Customizing

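Review bot: "Actor must be sure that `with.github_token` has access to the signature repository" deserves a concrete hint: the workflow-issued `GITHUB_TOKEN` only carries permissions for the current repository's packages, so when `COSIGN_REPOSITORY` points elsewhere (as in the example, `registry.io/signatures`) a token with write access to that location is needed instead. "Actor must be sure" also reads better as "Make sure".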
Expand All @@ -339,7 +339,6 @@ build tool can authenticate with a `PAT`. Use the `with.github_token` field to a
Currently only supports the maven command cli option `-s`, specifying a settings.xml file.

Useful when your project depends on a custom maven settings file or use dependencies from a private repository.

If project depends on dependencies from a private repository, actor need to set GitHub [private token](#access-private-repositories) with proper access right.

```yaml
Expand All @@ -366,23 +365,22 @@ the [Runner context](https://docs.github.com/en/actions/learn-github-actions/con

The Following inputs can be used as `step.with` keys

| Name | Type | Default | Description | Required |
|---------------------|--------|:----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
| `docker_pwd` | String | "" | Password for docker | True |
| `key` | String | "" | Private key (cosign.key) or kms provider, used for signing the attestation | False |
| `identity_token` | String | "" | Identity token used for Cosign keyless authentication | False |
| `image` | String | $IMAGE | The container image to create a attestation for | False |
| `docker_user` | String | github.actor | User to login to container registry | False |
| `repo_name` | String | github.repository | The name of the repo/project | False |
| `repo_sub_dir` | String | "" | Specify a subdirectory if build file not found in working root directory | False |
| `dependencies` | Bool | true | Set to false if action should not create materials for dependencies (e.g. if build tool is unsupported or repo uses internal/private dependencies) | False |
| `github_token` | String | "" | Token to authenticate and read private packages, the token must have read:packages scope | False |
| `token_key_pattern` | String | "" | If a token is provided but the the key pattern is different from the default key pattern "GITHUB_TOKEN" | False |
| `build_started_on` | String | "" | Specify a workflow build start time. Default is set to github_context `event.head_commit` or `event.workflow_run.head_commit` depending on workflow usage | False |
| `mvn_opts` | String | "" | A comma-delimited string with additional maven cli options for the dependence build | False |
| `repo_dir` | String | $GITHUB_WORKSPACE | **Internal value (do not set):** Root of directory to look for build files | False |
| `github_context` | String | ${{ toJSON(github) }} | **Internal value (do not set):** the [github context](#github-context) object in json | False |
| `runner_context` | String | ${{ toJSON(runner) }} | **Internal value (do not set):** the [runner context](#runner-context) object in json | False |
| Name | Type | Default | Description | Required |
|---------------------|--------|:----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
| `key` | String | "" | Private key (cosign.key) or kms provider, used for signing the attestation (Not required for keyless) | true |
| `github_token` | String | "" | Token to authenticate and read private packages, the token must have read:packages scope | true |
| `identity_token` | String | "" | Identity token used for Cosign keyless authentication | False |
| `image` | String | $IMAGE | The container image to create a attestation for | False |
| `docker_user` | String | github.actor | User to login to container registry | False |
| `repo_name` | String | github.repository | The name of the repo/project | False |
| `repo_sub_dir` | String | "" | Specify a subdirectory if build file not found in working root directory | False |
| `dependencies` | Bool | true | Set to false if action should not create materials for dependencies (e.g. if build tool is unsupported or repo uses internal/private dependencies) | False |
| `token_key_pattern` | String | $GITHUB_TOKEN | If a token is provided but the the key pattern is different from the default key pattern "GITHUB_TOKEN" | False |
| `build_started_on` | String | "event.(type if any).head.commit" | Specify a workflow build start time. Default is set to github_context `event.head_commit` or `event.workflow_run.head_commit` depending on workflow usage | False |
| `mvn_opts` | String | "" | A comma-delimited string with additional maven cli options for the dependence build | False |
| `repo_dir` | String | $GITHUB_WORKSPACE | **Internal value (do not set):** Root of directory to look for build files | False |
| `github_context` | String | ${{ toJSON(github) }} | **Internal value (do not set):** the [github context](#github-context) object in json | False |
| `runner_context` | String | ${{ toJSON(runner) }} | **Internal value (do not set):** the [runner context](#runner-context) object in json | False |

### Outputs

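Review bot: the inputs table now contradicts itself: `key` is listed as Required `true` while its own description says "Not required for keyless", and `identity_token` stays `False`; document them as mutually exclusive (exactly one of the two required) instead. Smaller points in the same rows: the Required column mixes `true` and `False`; the `token_key_pattern` default became `$GITHUB_TOKEN` while the description still says the default pattern is "GITHUB_TOKEN" (is the `$` part of the pattern or not?) and contains a doubled "the the"; and `"event.(type if any).head.commit"` is prose, not a literal default value for `build_started_on`, so either leave the default empty as before or move that explanation into the description.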
14 changes: 5 additions & 9 deletions action.yml
Expand Up @@ -50,11 +50,6 @@ inputs:
required: false
default: ""

docker_pwd:
description: |-
Docker login password.
required: true

dependencies:
description: |-
If salsa should generate materials for the provenance containing dependencies.
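Review bot: dropping a `required: true` input is a breaking change for every caller still passing `docker_pwd`, and because the README tells users to pin `nais/salsa@v0.x` they will pick it up on the next minor bump. Call it out in the v0.6 release notes with the one-line migration (`docker_pwd:` becomes `github_token:`) so the failure is not discovered at `docker login` time.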
Expand All @@ -76,8 +71,10 @@ inputs:

github_token:
description: |-
PAT with at least packages:read scope to install packages associated with other private repositories (which GITHUB_TOKEN can't access).
required: false
Normal use is "GITHUB_TOKEN". To fetch from private repository use
PAT with at least packages:read scope to install packages associated with other private repositories
(which GITHUB_TOKEN can't access).
required: true
default: ""

token_key_pattern:
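Review bot: `required: true` together with `default: ""` is self-defeating: since a default is always supplied, the input is never absent and the required flag never takes effect, so a caller that forgets `github_token` reaches `docker login` with an empty password and fails there with a less helpful message. Either drop the default or have entrypoint.sh fail fast when `INPUT_GITHUB_TOKEN` is empty. The description also names the scope as `packages:read` while the README table says `read:packages`; pick one spelling.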
Expand All @@ -103,7 +100,7 @@ inputs:

runs:
using: 'docker'
image: 'docker://ghcr.io/nais/salsa:v0.5'
image: 'docker://ghcr.io/nais/salsa:v0.6'
args:
- ${{ inputs.repo_dir }}
- ${{ inputs.repo_name }}
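Review bot: `image: 'docker://ghcr.io/nais/salsa:v0.6'` pins a mutable tag, so whoever can push to that tag can change what every consumer of this action runs with their registry token. The workflows in this same change pin third-party actions to a commit SHA with a ratchet marker; pinning this image by digest (`ghcr.io/nais/salsa@sha256:<digest of the v0.6 image>`, placeholder) gives the same guarantee, and the `v0.6` tag can stay in a comment for readability.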
Expand All @@ -119,6 +116,5 @@ runs:
- ${{ inputs.docker_user }}
- ${{ inputs.github_token }}
- ${{ inputs.token_key_pattern }}
- ${{ inputs.docker_pwd }}
- ${{ inputs.dependencies }}
- ${{ inputs.build_started_on }}
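Review bot: removing `- ${{ inputs.docker_pwd }}` shifts `dependencies` and `build_started_on` one position earlier in the argument list, and the entrypoint.sh hunk in this change only touches `loginDocker`; confirm that entrypoint.sh reads these values from `INPUT_*` environment variables rather than by position, otherwise the last two arguments are now read off by one.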
2 changes: 1 addition & 1 deletion entrypoint.sh
Expand Up @@ -70,7 +70,7 @@ exportCosignEnvironment() {

loginDocker() {
echo "---------- Logging in to Docker registry: $DOCKER_REGISTRY ----------"
echo "$INPUT_DOCKER_PWD" | docker login "$DOCKER_REGISTRY" -u "$GITHUB_ACTOR" --password-stdin
echo "$INPUT_GITHUB_TOKEN" | docker login "$DOCKER_REGISTRY" -u "$GITHUB_ACTOR" --password-stdin
}

logoutDocker() {
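Review bot: `loginDocker` authenticates as `$GITHUB_ACTOR` rather than `$INPUT_DOCKER_USER`, so the `docker_user` input advertised in the README table (default `github.actor`) has no effect on the login; either use the input here or drop it from the documented interface. Also guard the empty case: with `github_token` now defaulting to `""`, reject an empty `$INPUT_GITHUB_TOKEN` before the `docker login` call so the failure names the missing input instead of surfacing as a registry authentication error.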
