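# Copyright 2022 SLSA Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Reusable workflow: generates SLSA provenance for an already-built OCI image
# (identified by name + digest) and attaches it to the image as a cosign
# attestation. The caller supplies the registry credentials; the provenance
# itself is produced by the generic generator binary (see `env` below).
name: SLSA container image provenance

env:
  # Generator
  BUILDER_BINARY: slsa-generator-generic-linux-amd64 # Name of the binary in the release assets.
  BUILDER_DIR: internal/builders/generic # Source directory if we compile the builder.

on:
  workflow_call:
    secrets:
      registry-password:
        description: "Password to log in the container registry."
        required: true
    inputs:
      image:
        description: "The OCI image name. This must not include a tag or digest."
        required: true
        type: string
      digest:
        description: "The OCI image digest. The image digest of the form '<algorithm>:<digest>' (e.g. 'sha256:abcdef...')"
        required: true
        type: string
      registry-username:
        description: "Username to log into the container registry."
        required: true
        type: string
      compile-generator:
        description: "Build the generator from source. This increases build time by ~2m."
        required: false
        type: boolean
        default: false
      private-repository:
        description: "If true, private repositories can post to the public transparency log."
        required: false
        type: boolean
        default: false

jobs:
  # privacy-check halts the run for private repositories unless the caller
  # explicitly opts in via `private-repository`, so the repository name is not
  # written to the public transparency log by accident.
  # NOTE(review): this job declares no `permissions:` block, so it inherits the
  # caller's default GITHUB_TOKEN permissions — confirm whether the action needs
  # any, and scope them explicitly if it does not.
  privacy-check:
    runs-on: ubuntu-latest
    steps:
      - name: Check private repos
        uses: slsa-framework/slsa-github-generator/.github/actions/privacy-check@a3c7a56c8749c2c423f01bbcfd063315efc07a22
        with:
          error_message: "Repository is private. The workflow has halted in order to keep the repository name from being exposed in the public transparency log. Set 'private-repository' to override."
          override: ${{ inputs.private-repository }}

  # detect-env detects the reusable workflow's repository and ref for use later
  # in the workflow.
  detect-env:
    outputs:
      repository: ${{ steps.detect.outputs.repository }}
      ref: ${{ steps.detect.outputs.ref }}
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Needed to detect the current reusable repository and ref.
    steps:
      - name: Detect the generator ref
        id: detect
        uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@e3220805577deb9d193f64e519abcb3b50851df5

  # generator builds the generator binary and runs it to generate SLSA
  # provenance.
  #
  # If `compile-generator` is true then the generator is compiled
  # from source at the ref detected by `detect-env`.
  #
  # If `compile-generator` is false, then the generator binary is downloaded
  # with the release at the ref detected by `detect-env`. This must be a tag
  # reference.
  generator:
    runs-on: ubuntu-latest
    needs: [privacy-check, detect-env]
    permissions:
      id-token: write # Needed to get OIDC token for keyless signing.
      actions: read # Needed to read workflow info.
      packages: write # Needed to login and upload attestations to ghcr.io.
    steps:
      - name: Generate builder
        uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@e3220805577deb9d193f64e519abcb3b50851df5
        with:
          repository: "${{ needs.detect-env.outputs.repository }}"
          ref: "${{ needs.detect-env.outputs.ref }}"
          # Quoted so the version is passed verbatim as a string; an unquoted
          # value is parsed as a YAML float (e.g. 1.20 would become 1.2).
          go-version: "1.18"
          binary: "${{ env.BUILDER_BINARY }}"
          compile-builder: "${{ inputs.compile-generator }}"
          # NOTE: We are using the generic generator.
          directory: "${{ env.BUILDER_DIR }}"

      - uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 # tag=v2.6.0

      # Log in to the registry that hosts the image so the attestation can be
      # pushed next to it. The registry host is derived from the image name;
      # when no host is present, docker.io is assumed.
      - name: Login
        shell: bash
        env:
          UNTRUSTED_IMAGE: "${{ inputs.image }}"
          UNTRUSTED_USERNAME: "${{ inputs.registry-username }}"
          UNTRUSTED_PASSWORD: "${{ secrets.registry-password }}"
        run: |
          set -euo pipefail
          # NOTE: Some docker images are of the form <org>/<name>
          # Here we get the first part and check if it has a '.' or ':'
          # character in it to see if it's a domain name.
          # See: https://stackoverflow.com/questions/37861791/how-are-docker-image-names-parsed#37867949
          untrusted_registry="docker.io"
          # NOTE: Do not fail the script if grep does not match.
          # NOTE(review): a first component without '.' or ':' (e.g. a bare
          # "localhost") is not treated as a registry host by this check and
          # falls through to docker.io — confirm this is intended.
          maybe_domain=$(echo "$UNTRUSTED_IMAGE" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
          if [ "$maybe_domain" != "" ]; then
            untrusted_registry="$maybe_domain"
          fi
          echo "login to $untrusted_registry"
          # NOTE(review): the password is passed as a command-line argument, so
          # it is visible to other processes on the runner for the lifetime of
          # the login call (GitHub masks the secret in logs only). Prefer a
          # stdin-based password option if the installed cosign supports one.
          cosign login "$untrusted_registry" -u "$UNTRUSTED_USERNAME" -p "$UNTRUSTED_PASSWORD"

      # Produce the provenance predicate with the generator binary, then sign it
      # keylessly (COSIGN_EXPERIMENTAL=1, using the job's OIDC token granted by
      # `id-token: write` above) and attach it to the image by digest.
      - name: Create and sign provenance
        id: sign-prov
        shell: bash
        env:
          UNTRUSTED_IMAGE: "${{ inputs.image }}"
          UNTRUSTED_DIGEST: "${{ inputs.digest }}"
          GITHUB_CONTEXT: "${{ toJSON(github) }}"
        run: |
          set -euo pipefail
          # Generate a predicate only.
          predicate_name="predicate.json"
          ./"$BUILDER_BINARY" generate --predicate="$predicate_name"
          # Attest against the immutable image@digest reference (never a tag),
          # so the provenance is bound to exactly the image the caller named.
          COSIGN_EXPERIMENTAL=1 cosign attest --predicate="$predicate_name" \
            --type slsaprovenance \
            --force \
            "${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"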