From 10c44b61f2dcac1620b1725f3cafe20073f4d07d Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Tue, 9 Nov 2021 17:01:32 +0100
Subject: [PATCH] Move recipe.type one level up as buildType
Signed-off-by: Marco Franssen
---
 lib/github/github.go | 4 ++--
 lib/github/provenance.go | 2 +-
 lib/github/provenance_test.go | 3 ++-
 lib/intoto/intoto.go | 6 +++---
 lib/intoto/intoto_test.go | 6 +++---
 5 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/lib/github/github.go b/lib/github/github.go
index c695599e..ca5146cd 100644
--- a/lib/github/github.go
+++ b/lib/github/github.go
@@ -10,8 +10,8 @@ const (
 HostedIDSuffix = "/Attestations/GitHubHostedActions@v1"
 // SelfHostedIDSuffix the GitHub self hosted attestation type
 SelfHostedIDSuffix = "/Attestations/SelfHostedActions@v1"
- // RecipeType the attestion type for a recipe
- RecipeType = "https://github.com/Attestations/GitHubActionsWorkflow@v1"
+ // BuildType URI indicating what type of build was performed. It determines the meaning of invocation, buildConfig and materials.
+ BuildType = "https://github.com/Attestations/GitHubActionsWorkflow@v1"
 // PayloadContentType used to define the Envelope content type
 // See: https://github.com/in-toto/attestation#provenance-example
 PayloadContentType = "application/vnd.in-toto+json"
diff --git a/lib/github/provenance.go b/lib/github/provenance.go
index 0f4319ae..b769edc1 100644
--- a/lib/github/provenance.go
+++ b/lib/github/provenance.go
@@ -39,7 +39,7 @@ func (e *Environment) GenerateProvenanceStatement(ctx context.Context, artifactP
 // NOTE: This is inexact as multiple workflows in a repo can have the same name.
 // See https://github.com/github/feedback/discussions/4188
 intoto.WithInvocation(
- RecipeType,
+ BuildType,
 e.Context.Workflow,
 nil,
 event.Inputs,
diff --git a/lib/github/provenance_test.go b/lib/github/provenance_test.go
index 6e65a17a..34f6532c 100644
--- a/lib/github/provenance_test.go
+++ b/lib/github/provenance_test.go
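Review bot: Renaming the exported constant `RecipeType` to `BuildType` in the const block drops a public identifier of package github with no compatibility alias, so any code outside this repository that imports the old name stops compiling; whether such importers exist is not visible from the patch. If the package is consumed externally, keep the old name for one release by adding `// Deprecated: use BuildType.` followed by `RecipeType = BuildType` to the same const block. Either way the value is the identifier a verifier keys on to interpret the rest of the predicate, so the new doc comment explaining that is worth keeping exactly as written.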
@@ -271,6 +271,7 @@ func TestGenerateProvenance(t *testing.T) {
 assert.Equal(intoto.StatementType, stmt.Type)
 predicate := stmt.Predicate
+ assert.Equal(github.BuildType, predicate.BuildType)
 assert.Equal(fmt.Sprintf("%s%s", repoURL, github.HostedIDSuffix), predicate.ID)
 assert.Equal(materials, predicate.Materials)
 assert.Equal(fmt.Sprintf("%s%s", repoURL, github.HostedIDSuffix), predicate.Builder.ID)
@@ -351,6 +352,7 @@ func TestGenerateProvenanceFromGitHubRelease(t *testing.T) {
 assert.Equal(fmt.Sprintf("%s%s", repoURL, github.HostedIDSuffix), predicate.ID)
 assert.Equal(materials, predicate.Materials)
 assert.Equal(fmt.Sprintf("%s%s", repoURL, github.HostedIDSuffix), predicate.Builder.ID)
+ assert.Equal(github.BuildType, predicate.BuildType)
 assertMetadata(assert, predicate.Metadata, ghContext, repoURL)
 assertInvocation(assert, predicate.Invocation)
@@ -394,7 +396,6 @@ func TestGenerateProvenanceFromGitHubReleaseErrors(t *testing.T) {
 }
 func assertInvocation(assert *assert.Assertions, recipe intoto.Invocation) {
- assert.Equal(github.RecipeType, recipe.Type)
 assert.Equal(0, recipe.DefinedInMaterial)
 assert.Equal("", recipe.EntryPoint)
 assert.Nil(recipe.Environment)
diff --git a/lib/intoto/intoto.go b/lib/intoto/intoto.go
index 23adbdb3..9b1641ed 100644
--- a/lib/intoto/intoto.go
+++ b/lib/intoto/intoto.go
@@ -69,10 +69,10 @@ func WithMetadata(buildInvocationID string) StatementOption {
 }
 // WithInvocation sets the Predicate Invocation and Materials
-func WithInvocation(predicateType string, entryPoint string, environment json.RawMessage, arguments json.RawMessage, materials []Item) StatementOption {
+func WithInvocation(buildType, entryPoint string, environment json.RawMessage, arguments json.RawMessage, materials []Item) StatementOption {
 return func(s *Statement) {
+ s.Predicate.BuildType = buildType
 s.Predicate.Invocation = Invocation{
- Type: predicateType,
 EntryPoint: entryPoint,
 Arguments: arguments,
 // Subject to change and simplify https://github.com/slsa-framework/slsa/issues/178
@@ -109,6 +109,7 @@ type Subject struct {
 // A predicate has a required predicateType (TypeURI) identifying what the predicate means, plus an optional predicate (object) containing additional, type-dependent parameters.
 type Predicate struct {
 Builder `json:"builder"`
+ BuildType string `json:"buildType"`
 Metadata `json:"metadata"`
 Invocation `json:"invocation"`
 Materials []Item `json:"materials"`
@@ -135,7 +136,6 @@ type Metadata struct {
 // Invocation Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible).
 type Invocation struct {
- Type string `json:"type"`
 DefinedInMaterial int `json:"definedInMaterial"`
 EntryPoint string `json:"entryPoint"`
 Arguments json.RawMessage `json:"arguments"`
diff --git a/lib/intoto/intoto_test.go b/lib/intoto/intoto_test.go
index f83212b4..849c10b1 100644
--- a/lib/intoto/intoto_test.go
+++ b/lib/intoto/intoto_test.go
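Review bot: The doc comment `// WithInvocation sets the Predicate Invocation and Materials` is now stale, because the option's first added line also assigns `s.Predicate.BuildType`, the field that fixes how a consumer interprets Invocation and Materials. Update it to `// WithInvocation sets the Predicate BuildType, Invocation and Materials.` so the side effect on the predicate is visible from the signature's documentation. The `BuildType string` field added to Predicate in the next hunk would benefit from the same description, for example `// BuildType is a URI identifying the kind of build performed; it determines the meaning of Invocation and Materials.`. The closure returned by WithInvocation continues past the end of the hunk.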
@@ -13,7 +13,7 @@ func TestSLSAProvenanceStatement(t *testing.T) {
 repoURI := "https://github.com/philips-labs/slsa-provenance-action"
 builderID := repoURI + "/Attestations/GitHubHostedActions@v1"
 buildInvocationID := repoURI + "/actions/runs/123498765"
- recipeType := "https://github.com/Attestations/GitHubActionsWorkflow@v1"
+ buildType := "https://github.com/Attestations/GitHubActionsWorkflow@v1"
 stmt := SLSAProvenanceStatement()
 assert.Equal(SlsaPredicateType, stmt.PredicateType)
@@ -63,7 +63,7 @@ func TestSLSAProvenanceStatement(t *testing.T) {
 WithSubject(make([]Subject, 1)),
 WithBuilder(builderID),
 WithInvocation(
- recipeType,
+ buildType,
 "CI workflow",
 nil,
 nil,
@@ -75,7 +75,7 @@ func TestSLSAProvenanceStatement(t *testing.T) {
 assert.Equal(StatementType, stmt.Type)
 assert.Len(stmt.Subject, 1)
 assert.Equal(builderID, stmt.Predicate.Builder.ID)
- assert.Equal(recipeType, i.Type)
+ assert.Equal(buildType, stmt.Predicate.BuildType)
 assert.Equal("CI workflow", i.EntryPoint)
 assert.Nil(i.Arguments)
 assert.Equal(0, i.DefinedInMaterial)
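Review bot: The replacement assertion `assert.Equal(buildType, stmt.Predicate.BuildType)` only checks the in-memory struct field, while what this commit actually changes is the serialized layout that downstream verifiers of the attestation read. Nothing in the hunk confirms that the encoded predicate now carries a top-level `"buildType"` key and no `"type"` under `"invocation"`. Consider a case that marshals `stmt` with `json.Marshal` and asserts on those two keys in the output, so a regression in the struct tags is caught rather than only a regression in the setter. The enclosing TestSLSAProvenanceStatement starts before this hunk.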