This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

fix(docker_pwd) remove extra input #130

Merged
merged 4 commits into from
Nov 16, 2022
2 changes: 1 addition & 1 deletion .github/workflows/keyless-salsa-integration.yaml
Expand Up @@ -39,6 +39,6 @@ jobs:
uses: ./
with:
identity_token: ${{ steps.google.outputs.id_token }}
docker_pwd: ${{ secrets.GITHUB_TOKEN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
env:
COSIGN_EXPERIMENTAL: "true"
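Review bot: passing `secrets.GITHUB_TOKEN` as `github_token` makes the job's default token the credential that salsa uses to pull the image and that Cosign uses to push the attestation, so the job needs `permissions: packages: write`, and the hunk shows no `permissions` block; confirm the workflow or repository default grants it, otherwise the push to `ghcr.io` is rejected after the rest of the step has already run. If the `google` step that produces `id_token` uses OIDC workload identity federation, `id-token: write` is needed as well.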
2 changes: 1 addition & 1 deletion .github/workflows/main.yml
Expand Up @@ -10,7 +10,7 @@ on:
- 'Makefile'

env:
VERSION: v0.5
VERSION: v0.6
IMAGE_NAME: ghcr.io/${{ github.repository }}
COSIGN_VERSION: v1.13.1
SYFT_VERSION: v0.44.1
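Review bot: bumping `VERSION` to `v0.6` here while `action.yml` in the same PR points at `docker://ghcr.io/nais/salsa:v0.6` means the action resolves to an image tag that does not exist until this workflow has built and pushed `IMAGE_NAME:v0.6`; the repo's own integration workflows (`uses: ./`) and any consumer of the merge commit fail until that push completes. Publish the image before switching `action.yml`, or pin the action to the published digest rather than the tag.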
2 changes: 1 addition & 1 deletion .github/workflows/service-account-salsa-integration.yml
Expand Up @@ -40,7 +40,7 @@ jobs:
uses: ./
with:
key: ${{ secrets.SALSA_KMS_KEY }}
docker_pwd: ${{ secrets.GITHUB_TOKEN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
# For demonstration purpose
- name: Upload provenance
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3
46 changes: 22 additions & 24 deletions README.md
Expand Up @@ -192,7 +192,7 @@ jobs:
uses: nais/salsa@v0.x
with:
key: ${{ env.KEY }}
docker_pwd: ${{ secrets.GITHUB_TOKEN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
```

##### Google Authentication
Expand All @@ -205,7 +205,7 @@ account json key.
`with.key` is the key [URI format](https://github.com/sigstore/cosign/blob/main/KMS.md#gcp) for Google KMS.
Format: `gcpkms://projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/versions/$KEY_VERSION`

`with.docker_pwd` is the GitHub token to authenticate with the registry.
`with.github_token` is the GitHub token to authenticate with the registry.

### Keyless Signatures

Expand Down Expand Up @@ -264,7 +264,7 @@ jobs:
uses: nais/salsa@v0.x
with:
identity_token: ${{ steps.google.outputs.id_token }}
docker_pwd: ${{ secrets.GITHUB_TOKEN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
env:
COSIGN_EXPERIMENTAL: "true"
```
Expand Down Expand Up @@ -293,7 +293,7 @@ The described `with` fields is required for `nais salsa`.
`with.identity_token` is the output `identity_token` from the Google Auth Action.
Format: `steps.steps-id.outputs.id_token`

`with.docker_pwd` is the GitHub token to authenticate with the registry. The password is used by `nais salsa` to
`with.github_token` is the GitHub token to authenticate with the registry. The password is used by `nais salsa` to
authenticate with the registry to download the image for Cosign to sign and push attestation to the registry.

`with.env.COSIGN_EXPERIMENTAL` is required to be set to `true` for Cosign to enable keyless signatures.
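Review bot: the second sentence still calls the value "The password" and says nothing about what the token must be allowed to do; since `nais salsa` pulls the image and Cosign pushes the attestation with the same token, a `GITHUB_TOKEN` needs `packages: write` for that registry, which contradicts the inputs table later in this README that says the token "must have read:packages scope". Suggest: "`with.github_token` is the GitHub token used to log in to the registry. It needs write access to packages, because `nais salsa` pulls the image and Cosign pushes the attestation to the same registry."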
Expand All @@ -310,12 +310,12 @@ the [cosign docs](https://github.com/sigstore/cosign#specifying-registry)
uses: nais/salsa@v0.x
with:
key: ${{ secrets.SALSA_KMS_KEY }}
docker_pwd: ${{ secrets.GITHUB_TOKEN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
env:
COSIGN_REPOSITORY: "registry.io/signatures"
```

Actor must be sure that `with.docker_pwd` has access to the signature repository.
Actor must be sure that `with.github_token` has access to the signature repository.

## Customizing

Expand All @@ -339,7 +339,6 @@ build tool can authenticate with a `PAT`. Use the `with.github_token` field to a
Currently only supports the maven command cli option `-s`, specifying a settings.xml file.

Useful when your project depends on a custom maven settings file or use dependencies from a private repository.

If project depends on dependencies from a private repository, actor need to set GitHub [private token](#access-private-repositories) with proper access right.

```yaml
Expand All @@ -366,23 +365,22 @@ the [Runner context](https://docs.github.com/en/actions/learn-github-actions/con

The Following inputs can be used as `step.with` keys

| Name | Type | Default | Description | Required |
|---------------------|--------|:----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
| `docker_pwd` | String | "" | Password for docker | True |
| `key` | String | "" | Private key (cosign.key) or kms provider, used for signing the attestation | False |
| `identity_token` | String | "" | Identity token used for Cosign keyless authentication | False |
| `image` | String | $IMAGE | The container image to create a attestation for | False |
| `docker_user` | String | github.actor | User to login to container registry | False |
| `repo_name` | String | github.repository | The name of the repo/project | False |
| `repo_sub_dir` | String | "" | Specify a subdirectory if build file not found in working root directory | False |
| `dependencies` | Bool | true | Set to false if action should not create materials for dependencies (e.g. if build tool is unsupported or repo uses internal/private dependencies) | False |
| `github_token` | String | "" | Token to authenticate and read private packages, the token must have read:packages scope | False |
| `token_key_pattern` | String | "" | If a token is provided but the the key pattern is different from the default key pattern "GITHUB_TOKEN" | False |
| `build_started_on` | String | "" | Specify a workflow build start time. Default is set to github_context `event.head_commit` or `event.workflow_run.head_commit` depending on workflow usage | False |
| `mvn_opts` | String | "" | A comma-delimited string with additional maven cli options for the dependence build | False |
| `repo_dir` | String | $GITHUB_WORKSPACE | **Internal value (do not set):** Root of directory to look for build files | False |
| `github_context` | String | ${{ toJSON(github) }} | **Internal value (do not set):** the [github context](#github-context) object in json | False |
| `runner_context` | String | ${{ toJSON(runner) }} | **Internal value (do not set):** the [runner context](#runner-context) object in json | False |
| Name | Type | Default | Description | Required |
|---------------------|--------|:----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
| `key` | String | "" | Private key (cosign.key) or kms provider, used for signing the attestation (Not required for keyless) | true |
| `github_token` | String | "" | Token to authenticate and read private packages, the token must have read:packages scope | true |
| `identity_token` | String | "" | Identity token used for Cosign keyless authentication | False |
| `image` | String | $IMAGE | The container image to create a attestation for | False |
| `docker_user` | String | github.actor | User to login to container registry | False |
| `repo_name` | String | github.repository | The name of the repo/project | False |
| `repo_sub_dir` | String | "" | Specify a subdirectory if build file not found in working root directory | False |
| `dependencies` | Bool | true | Set to false if action should not create materials for dependencies (e.g. if build tool is unsupported or repo uses internal/private dependencies) | False |
| `token_key_pattern` | String | $GITHUB_TOKEN | If a token is provided but the the key pattern is different from the default key pattern "GITHUB_TOKEN" | False |
| `build_started_on` | String | "event.(type if any).head.commit" | Specify a workflow build start time. Default is set to github_context `event.head_commit` or `event.workflow_run.head_commit` depending on workflow usage | False |
| `mvn_opts` | String | "" | A comma-delimited string with additional maven cli options for the dependence build | False |
| `repo_dir` | String | $GITHUB_WORKSPACE | **Internal value (do not set):** Root of directory to look for build files | False |
| `github_context` | String | ${{ toJSON(github) }} | **Internal value (do not set):** the [github context](#github-context) object in json | False |
| `runner_context` | String | ${{ toJSON(runner) }} | **Internal value (do not set):** the [runner context](#runner-context) object in json | False |

### Outputs

14 changes: 5 additions & 9 deletions action.yml
Expand Up @@ -50,11 +50,6 @@ inputs:
required: false
default: ""

docker_pwd:
description: |-
Docker login password.
required: true

dependencies:
description: |-
If salsa should generate materials for the provenance containing dependencies.
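Review bot: removing a `required: true` input is a breaking change for every caller that still passes `docker_pwd`. GitHub Actions only warns about unexpected inputs, so such a workflow keeps running, `github_token` falls back to its `""` default and the registry login fails with an error that does not point at the renamed input. The version bump to v0.6 covers the new image, but the README examples still pin `nais/salsa@v0.x`; add a release note for the rename and have entrypoint.sh exit early with a clear message when `INPUT_GITHUB_TOKEN` is empty.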
Expand All @@ -76,8 +71,10 @@ inputs:

github_token:
description: |-
PAT with at least packages:read scope to install packages associated with other private repositories (which GITHUB_TOKEN can't access).
required: false
Normal use is "GITHUB_TOKEN". To fetch from private repository use
PAT with at least packages:read scope to install packages associated with other private repositories
(which GITHUB_TOKEN can't access).
required: true
default: ""

token_key_pattern:
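Review bot: `required: true` has no effect when a `default` is present: the default fills the input, so an omitted token silently becomes `""`; drop the default or validate the value in the entrypoint. The description also now covers two roles for one value, the registry login password and the PAT for private packages, but still says "at least packages:read". The token is what Cosign pushes the attestation with, so it needs write access to the image's package, and a PAT supplied for private dependencies must carry that too. Spell out both, e.g. "Token used to log in to the container registry (needs write:packages to push the attestation). To install dependencies from other private repositories, pass a PAT that also has read:packages on them."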
Expand All @@ -103,7 +100,7 @@ inputs:

runs:
using: 'docker'
image: 'docker://ghcr.io/nais/salsa:v0.5'
image: 'docker://ghcr.io/nais/salsa:v0.6'
args:
- ${{ inputs.repo_dir }}
- ${{ inputs.repo_name }}
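Review bot: `image: 'docker://ghcr.io/nais/salsa:v0.6'` pins the action's runtime to a mutable tag, whereas this repo pins third-party actions by commit SHA (`actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb` in service-account-salsa-integration.yml). For an action whose purpose is signed provenance, pin the image by digest (`ghcr.io/nais/salsa@sha256:...`) once v0.6 is published and keep the tag in a comment for readability, so a re-pushed `v0.6` cannot change what runs inside consumers' workflows.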
Expand All @@ -119,6 +116,5 @@ runs:
- ${{ inputs.docker_user }}
- ${{ inputs.github_token }}
- ${{ inputs.token_key_pattern }}
- ${{ inputs.docker_pwd }}
- ${{ inputs.dependencies }}
- ${{ inputs.build_started_on }}
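Review bot: removing `- ${{ inputs.docker_pwd }}` from the positional `args` shifts `dependencies` and `build_started_on` up one position, but the only change to entrypoint.sh in this PR is the `docker login` line. Confirm nothing in the entrypoint reads these values positionally (`$N`); if it reads `INPUT_*` variables, as `loginDocker` does, the args list is redundant and the shift is harmless, and it would be worth saying so in a comment above `args:`.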
2 changes: 1 addition & 1 deletion entrypoint.sh
Expand Up @@ -70,7 +70,7 @@ exportCosignEnvironment() {

loginDocker() {
echo "---------- Logging in to Docker registry: $DOCKER_REGISTRY ----------"
echo "$INPUT_DOCKER_PWD" | docker login "$DOCKER_REGISTRY" -u "$GITHUB_ACTOR" --password-stdin
echo "$INPUT_GITHUB_TOKEN" | docker login "$DOCKER_REGISTRY" -u "$GITHUB_ACTOR" --password-stdin
}

logoutDocker() {
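Review bot: the login still uses `-u "$GITHUB_ACTOR"` while `action.yml` passes `inputs.docker_user` (default `github.actor`, documented in the README as "User to login to container registry"), so that input has no effect here. Use `-u "$INPUT_DOCKER_USER"`, which matters when `github_token` is a PAT belonging to a user other than the workflow actor. Piping the token through `--password-stdin` is the right choice; also guard the call with a check that `INPUT_GITHUB_TOKEN` is non-empty, since `github_token` defaults to `""` and an empty password yields a registry error that does not point at the missing input.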