Skip to content

Commit

Permalink
Update GHA token permissions for generic container workflow (#1258)
Browse files Browse the repository at this point in the history
Signed-off-by: Ian Lewis <ianlewis@google.com>
  • Loading branch information
ianlewis authored Nov 28, 2022
1 parent d60c716 commit 38f9f24
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 17 deletions.
3 changes: 2 additions & 1 deletion .github/workflows/generator_container_slsa3.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@

name: SLSA container image provenance

permissions: {}

env:
# Generator
BUILDER_BINARY: slsa-generator-container-linux-amd64 # Name of the binary in the release assets.
Expand Down Expand Up @@ -79,7 +81,6 @@ jobs:
permissions:
id-token: write # Needed to get OIDC token for keyless signing.
actions: read # Needed to read workflow info.
packages: write # Needed to login and upload attestations to ghcr.io.
steps:
- name: Generate builder
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@main
Expand Down
33 changes: 17 additions & 16 deletions internal/builders/container/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ project simply generates provenance as a separate step in an existing workflow.
- [Generating Provenance](#generating-provenance)
- [Getting Started](#getting-started)
- [Referencing the SLSA generator](#referencing-the-slsa-generator)
- [GitHub Container Registry](#github-container-registry)
- [Private Repositories](#private-repositories)
- [Supported Triggers](#supported-triggers)
- [Workflow Inputs](#workflow-inputs)
Expand Down Expand Up @@ -66,7 +67,6 @@ provenance:
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
if: startsWith(github.ref, 'refs/tags/')
# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Use a tagged release once we have one.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@main
Expand All @@ -77,7 +77,7 @@ provenance:
# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
compile-generator: true
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
registry-password: ${{ secrets.PAT_TOKEN }}
```
Here's an example of what it might look like all together.
Expand All @@ -92,7 +92,6 @@ jobs:
build:
permissions:
contents: read
packages: write
outputs:
image: ${{ steps.image.outputs.image }}
digest: ${{ steps.build.outputs.digest }}
Expand All @@ -109,7 +108,7 @@ jobs:
with:
registry: ${{ env.IMAGE_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
password: ${{ secrets.PAT_TOKEN }}

- name: Extract metadata (tags, labels) for Docker
id: meta
Expand Down Expand Up @@ -140,7 +139,6 @@ jobs:
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
if: startsWith(github.ref, 'refs/tags/')
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@main
with:
Expand All @@ -150,7 +148,7 @@ jobs:
# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
compile-generator: true
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
registry-password: ${{ secrets.PAT_TOKEN }}
```
### Referencing the SLSA generator
Expand All @@ -160,6 +158,14 @@ by a tag of the form `@vX.Y.Z`, because the build will fail if you reference it

For more information about this design decision and how to configure renovatebot,see the main repository [README.md](../../../README.md).

### GitHub Container Registry

In order to use the GitHub Container Registry (ghcr.io) you will need to
authenticate using a
[personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
(PAT). The PAT must have at least `packages:write` permissions if using a
classic PAT.

### Private Repositories

Private repositories are supported with some caveats. Currently all builds
Expand Down Expand Up @@ -320,13 +326,13 @@ jobs:

```yaml
steps:
[...]
# [...]
- name: Run ko
id: build
env:
KO_DOCKER_REPO: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}"
KO_USER: ${{ github.actor }}
KO_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
KO_PASSWORD: ${{ secrets.PAT_TOKEN }}
GIT_REF: ${{ github.ref }}
run: |
# get tag name without tags/refs/ prefix.
Expand All @@ -353,8 +359,6 @@ provenance:
permissions:
actions: read
id-token: write
# contents: read
packages: write
if: startsWith(github.ref, 'refs/tags/')
# TODO: Update after GA
# uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.2.0
Expand All @@ -365,7 +369,7 @@ provenance:
registry-username: ${{ github.actor }}
compile-generator: true
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
registry-password: ${{ secrets.PAT_TOKEN }}
```

All together, it will look as the following:
Expand All @@ -375,7 +379,6 @@ jobs:
build:
permissions:
contents: read
packages: write
outputs:
image: ${{ steps.build.outputs.image }}
digest: ${{ steps.build.outputs.digest }}
Expand All @@ -396,7 +399,7 @@ jobs:
env:
KO_DOCKER_REPO: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}"
KO_USER: ${{ github.actor }}
KO_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
KO_PASSWORD: ${{ secrets.PAT_TOKEN }}
GIT_REF: ${{ github.ref }}
run: |
# get tag name without tags/refs/ prefix.
Expand All @@ -420,8 +423,6 @@ jobs:
permissions:
actions: read
id-token: write
# contents: read
packages: write
if: startsWith(github.ref, 'refs/tags/')
# uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.2.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@9dc6318aedc3d24ede4e946966d30c752769a4f9
Expand All @@ -431,7 +432,7 @@ jobs:
registry-username: ${{ github.actor }}
compile-generator: true
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
registry-password: ${{ secrets.PAT_TOKEN }}
```

## Verification
Expand Down

0 comments on commit 38f9f24

Please sign in to comment.