Install slsa-provenance instead of using docker image

This to resolve workflows that require docker login

Signed-off-by: Marco Franssen <marco.franssen@philips.com>

.gitignore

@@ -4,3 +4,4 @@ coverage.out
 .DS_Store
 .env
 cosign.key
+.slsa-provenance

Makefile

@@ -117,7 +117,7 @@ gh-release: ## Creates a new release by creating a new tag and pushing it
 	@:$(call check_defined, DESCRIPTION)
 	@git stash -u
 	@echo Bumping $(OLD_VERSION) to $(NEW_VERSION)…
-	@$(SED) -i 's/$(OLD_VERSION)/$(NEW_VERSION)/g' .github/workflows/*.yaml *.yaml *.md
+	@$(SED) -i 's/$(OLD_VERSION)/$(NEW_VERSION)/g' .github/workflows/*.yaml *.yaml *.md *.sh
 	@git add .
 	@git commit -s -m "Bump $(OLD_VERSION) to $(NEW_VERSION) for release"
 	@git tag -sam "$(DESCRIPTION)" $(NEW_VERSION)

action.yaml

@@ -23,15 +23,25 @@ inputs:
   arguments:
     description: 'commandline options for the given subcommand'
     required: true
+  install-dir:
+    description: 'Where to install the slsa-provenance binary'
+    required: false
+    default: '$HOME/.slsa-provenance'
 runs:
   using: 'composite'
   steps:
+    - name: install binary
+      shell: bash
+      run: $GITHUB_ACTION_PATH/install-slsa-provenance.sh
+      env:
+        INSTALL_PATH: ${{ inputs.install-dir }}
+
     - name: compose arguments
       id: compose-args
       shell: bash
       run: |
-        encoded_github="$( echo ${GITHUB_CONTEXT} | base64 -w 0)"
-        encoded_runner="$( echo ${RUNNER_CONTEXT} | base64 -w 0)"
+        encoded_github="$(echo ${GITHUB_CONTEXT} | base64 -w 0)"
+        encoded_runner="$(echo ${RUNNER_CONTEXT} | base64 -w 0)"
 
         args=(${{ inputs.command }})
         args+=(${{ inputs.subcommand }})
@@ -45,11 +55,9 @@ runs:
       env:
         GITHUB_CONTEXT: ${{ inputs.github_context }}
         RUNNER_CONTEXT: ${{ inputs.runner_context }}
-    - name: Debug arguments
+
+    - name: Generate provenance
       shell: bash
-      run: |
-        echo Running slsa-provenance with following arguments
-        echo ${{ steps.compose-args.outputs.provenance_args }}
-    - uses: 'docker://ghcr.io/philips-labs/slsa-provenance:v0.6.0'
-      with:
-        args: ${{ steps.compose-args.outputs.provenance_args }}
+      run: $INSTALL_PATH/slsa-provenance ${{ steps.compose-args.outputs.provenance_args }}
+      env:
+        INSTALL_PATH: ${{ inputs.install-dir }}

install-slsa-provenance.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+set -e
+
+# default to relative path if INSTALL_PATH is not set
+INSTALL_PATH=${INSTALL_PATH:-$(realpath ./.slsa-provenance)}
+
+mkdir -p "${INSTALL_PATH}"
+
+VERSION=v0.6.0
+RELEASE="https://github.com/philips-labs/slsa-provenance-action/releases/download/${VERSION}"
+
+OS=${RUNNER_OS:-linux}
+ARCH=${RUNNER_ARCH:-amd64}
+
+echo "Installing slsa-provenance at ${INSTALL_PATH}/bin"
+
+if [ "${OS}" == "Windows" ] ; then
+  OS=windows
+elif [ "${OS}" == "Linux" ] ; then
+  OS=linux
+fi
+
+if [ "${ARCH}" == "X64" ] ; then
+  ARCH=amd64
+fi
+
+mkdir -p "$INSTALL_PATH"
+
+trap "popd >/dev/null" EXIT
+pushd "$INSTALL_PATH" > /dev/null || exit
+
+echo "Downloading slsa-provenance_${VERSION/v}_${OS}_${ARCH}.tar.gz"
+curl -sLo slsa-provenance.tar.gz "$RELEASE/slsa-provenance_${VERSION/v}_${OS}_${ARCH}.tar.gz"
+
+if [ -x "$(command -v cosign)" ] ; then
+  echo "Downloading slsa-provenance_${VERSION/v}_${OS}_${ARCH}.tar.gz.sig"
+  curl -sLo slsa-provenance.tar.gz.sig "$RELEASE/slsa-provenance_${VERSION/v}_${OS}_${ARCH}.tar.gz.sig"
+  echo "Downloading cosign.pub"
+  curl -sLo cosign.pub "$RELEASE/cosign.pub"
+
+  cosign verify-blob --key cosign.pub --signature slsa-provenance.tar.gz.sig slsa-provenance.tar.gz
+  rm slsa-provenance.tar.gz.sig cosign.pub
+else
+  echo >&2
+  echo "  cosign binary not installed in PATH. Unable to verify signature" >&2
+  echo >&2
+fi
+
+tar -xzf slsa-provenance.tar.gz slsa-provenance
+rm slsa-provenance.tar.gz
+
+# for testing purposes fall back to "$INSTALL_PATH/GITHUB_PATH"
+echo "$INSTALL_PATH" >> "${GITHUB_PATH:-"$INSTALL_PATH/GITHUB_PATH"}"