add the new buildType, TODO: fix verifySystemParameters()

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
ramonpetgrave64 · May 23, 2024 · 91440cf · 91440cf
1 parent f565ec3
commit 91440cf
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 0 deletions.
diff --git a/verifiers/internal/gha/slsaprovenance/common/buildtypes.go b/verifiers/internal/gha/slsaprovenance/common/buildtypes.go
@@ -21,6 +21,9 @@ var (
 
 	// NpmCLIBuildTypeV2 is the buildType for provenance generated by the npm cli.
 	NpmCLIBuildTypeV2 = "https://github.com/npm/cli/gha/v2"
+
+	// NpmCLIGithubActionsBuildTypeV1 is the buildType for provenance by the npm cli from GitHub Actions.
+	NpmCLIGithubActionsBuildTypeV1 = "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1"
 )
 
 // Legacy buildTypes.

diff --git a/verifiers/internal/gha/slsaprovenance/v1.0/npmcli_github_actions.go b/verifiers/internal/gha/slsaprovenance/v1.0/npmcli_github_actions.go
@@ -0,0 +1,34 @@
+package v1
+
+import (
+	"fmt"
+
+	serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
+)
+
+// ContainerBasedProvenance is provenance generated by the container-based builder.
+type NpmCLIGithubActionsProvenance struct {
+	*provenanceV1
+}
+
+// TriggerURI implements Provenance.TriggerURI.
+func (p *NpmCLIGithubActionsProvenance) TriggerURI() (string, error) {
+	externalParams, ok := p.prov.Predicate.BuildDefinition.ExternalParameters.(map[string]interface{})
+	if !ok {
+		return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, "external parameters type")
+	}
+	workflow, ok := externalParams["workflow"].(map[string]interface{})
+	if !ok {
+		return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidFormat, "workflow parameters")
+	}
+	repository, ok := workflow["repository"].(string)
+	if !ok {
+		return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidFormat, "workflow parameters: repository")
+	}
+	ref, ok := workflow["ref"].(string)
+	if !ok {
+		return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidFormat, "workflow parameters: ref")
+	}
+	uri := fmt.Sprintf("git+%s@%s", repository, ref)
+	return uri, nil
+}
diff --git a/verifiers/internal/gha/slsaprovenance/v1.0/provenance.go b/verifiers/internal/gha/slsaprovenance/v1.0/provenance.go
@@ -42,11 +42,20 @@ func newContainerBased(a *Attestation) iface.Provenance {
 	}
 }
 
+func newNpmCLIGithubActions(a *Attestation) iface.Provenance {
+	return &NpmCLIGithubActionsProvenance{
+		provenanceV1: &provenanceV1{
+			prov: a,
+		},
+	}
+}
+
 // buildTypeMap is a map of builder IDs to supported buildTypes.
 var buildTypeMap = map[string]map[string]provFunc{
 	common.GenericDelegatorBuilderID:         {common.BYOBBuildTypeV0: newBYOB},
 	common.GenericLowPermsDelegatorBuilderID: {common.BYOBBuildTypeV0: newBYOB},
 	common.ContainerBasedBuilderID:           {common.ContainerBasedBuildTypeV01Draft: newContainerBased},
+	common.NpmCLIHostedBuilderID:             {common.NpmCLIGithubActionsBuildTypeV1: newNpmCLIGithubActions},
 }
 
 // New returns a new Provenance object based on the payload.