fix typos
Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>
saisatishkarra committed Nov 16, 2023
1 parent 5c0b0e7 commit 529b570
Showing 2 changed files with 21 additions and 18 deletions.
33 changes: 18 additions & 15 deletions .github/workflows/generator_container_slsa3.yml
Expand Up @@ -28,18 +28,18 @@ defaults:
on:
workflow_call:
secrets:
# Note: "This should only be used for high entropy values such as AWS Access Key.
# See https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#workflow-inputs" for more information.
# Note: This should only be used for high entropy values such as AWS Access Key.
# See https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#workflow-inputs for more information.
registry-username:
description: "Username to log into the container registry."
registry-password:
description: "Password to log in the container registry."
image:
description: "The OCI image name. This must not include a tag or digest."
# Note: "This should only be used for high entropy values such as AWS Access Key.
# See https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#workflow-inputs" for more information.
# Note: This should only be used for high entropy values such as AWS Access Key.
# See https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#workflow-inputs for more information.
provenance-registry-username:
description: "Username when publishing to provenance registry instead of image registry."
description: "Username when publishing to provenance registry (option 'provenance-registry') instead of image registry."
provenance-registry-password:
description: "Password when publishing to provenance registry instead of image registry."
inputs:
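Review bot: The `provenance-registry-password` description at the end of the secrets block was left unchanged while the `provenance-registry-username` description now names the option; add the same "(option 'provenance-registry')" wording there so the pair reads consistently. The two "Note:" comments also only apply to the username secret that follows each of them, which is easy to miss from placement alone, so starting them with "This secret should only be used ..." would make the scope explicit.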
Expand Down Expand Up @@ -79,11 +79,11 @@ on:
type: string
default: ""
provenance-registry-username:
description: "Username when publishing to provenance registry (option 'prove') instead of image registry."
description: "Username when publishing to provenance registry (option 'provenance-registry') instead of image registry."
required: false
type: string
provenance-registry:
description: "If set, Provenance is pushed to this registry instead of image registry."
description: "If set, provenance is pushed to this registry instead of image registry."
required: false
type: string
outputs:
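Review bot: The `provenance-registry` description still does not say what form the value takes. The login step further down in this file treats the first `/`-separated component as the registry domain only when it contains a `.` or `:` and otherwise logs in to `docker.io`, so the description should state the expected format (for example "registry host plus repository path") and mention that fallback.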
Expand Down Expand Up @@ -223,7 +223,7 @@ jobs:
UNTRUSTED_PROVENANCE_REGISTRY: "${{ inputs.provenance-registry }}"
UNTRUSTED_INPUT_PROVENANCE_USERNAME: "${{ inputs.provenance-registry-username }}"
UNTRUSTED_SECRET_PROVENANCE_USERNAME: "${{ secrets.provenance-registry-username }}"
UNTRUSTED_PROVENANCE_PASSWORD: "${{ secrets.provenance-password }}"
UNTRUSTED_PROVENANCE_PASSWORD: "${{ secrets.provenance-registry-password }}"
GCP_ACCESS_TOKEN: "${{ steps.auth.outputs.access_token }}"
if: ${{ env.UNTRUSTED_PROVENANCE_REGISTRY != '' }}
run: |
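Review bot: The `UNTRUSTED_PROVENANCE_PASSWORD` line is a behaviour fix rather than a typo fix: the secret declared under `workflow_call.secrets` is `provenance-registry-password`, so the old `secrets.provenance-password` reference did not match any declared secret. The commit message should say that the password secret is now actually wired through, and a workflow test that exercises the provenance-registry login path would catch a mismatched secret name like this one.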
Expand All @@ -234,10 +234,10 @@ jobs:
# character in it to see if it's a domain name.
# See: https://stackoverflow.com/questions/37861791/how-are-docker-image-names-parsed#37867949
untrusted_provenance_registry="docker.io"
untrusted_provenance_domain="docker.io"
maybe_provenance_domain=$(echo "${UNTRUSTED_PROVENANCE_REGISTRY}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
if [ "${maybe_provenance_domain}" != "" ]; then
untrusted_provenance_registry="${maybe_provenance_domain}"
untrusted_provenance_domain="${maybe_provenance_domain}"
fi
if [ "${GCP_ACCESS_TOKEN}" != "" ]; then
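Review bot: The `grep -E "\.|:"` test on the first path component means a registry host with neither a dot nor a port (for example `localhost/repo`) is treated as a Docker Hub namespace and the step logs in to `docker.io` instead. Either special-case such hosts or document the limitation next to the comment that explains the heuristic. The rename to `untrusted_provenance_domain` matches what the variable holds; `printf '%s\n' "${UNTRUSTED_PROVENANCE_REGISTRY}"` would also be safer than `echo` for an untrusted value that could start with `-`.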
Expand All @@ -246,18 +246,18 @@ jobs:
else
username="${UNTRUSTED_SECRET_PROVENANCE_USERNAME:-${UNTRUSTED_INPUT_PROVENANCE_USERNAME}}"
if [ "${username}" == "" ]; then
echo "provenance-registry username is required." >&2
echo "provenance-registry-username is required." >&2
exit 1
fi
password="${UNTRUSTED_PROVENANCE_PASSWORD}"
if [ "${password}" == "" ]; then
echo "provenance-registry password is required." >&2
echo "provenance-registry-password is required." >&2
exit 1
fi
fi
echo "login to provenance registry: ${untrusted_provenance_registry}"
cosign login "${untrusted_provenance_registry}" -u "${username}" -p "${password}"
echo "login to provenance registry: ${untrusted_provenance_domain}"
cosign login "${untrusted_provenance_domain}" -u "${username}" -p "${password}"
- name: Create and sign provenance
id: sign-prov
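Review bot: The `cosign login ... -p "${password}"` line passes the registry password as a command-line argument, where it is visible in the process list on the runner for the duration of the call. Since this line is being touched anyway, switch to `--password-stdin`, e.g. `printf '%s' "${password}" | cosign login "${untrusted_provenance_domain}" -u "${username}" --password-stdin`. The reworded error messages now match the input and secret names, which is good.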
Expand All @@ -275,8 +275,11 @@ jobs:
predicate_name="predicate.json"
"$GITHUB_WORKSPACE/$BUILDER_BINARY" generate --predicate="$predicate_name"
if [[ ! -z "${UNTRUSTED_PROVENANCE_REGISTRY}" ]]; then
export COSIGN_REPOSITORY="${UNTRUSTED_PROVENANCE_REGISTRY}"
fi
COSIGN_EXPERIMENTAL=1 \
COSIGN_REPOSITORY="${UNTRUSTED_PROVENANCE_REGISTRY}" \
cosign attest --predicate="$predicate_name" \
--type slsaprovenance \
--yes \
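Review bot: The new `export COSIGN_REPOSITORY=...` inside the `if` block widens the variable's scope from the single `cosign attest` invocation to every later command in this `run` script, and it changes behaviour when the input is empty (previously set to an empty string, now left unset). If the wider scope is not intended, keep the assignment on the `cosign attest` command and only guard it. `[[ -n "${UNTRUSTED_PROVENANCE_REGISTRY}" ]]` is the more idiomatic test than `[[ ! -z ... ]]`, and the change deserves a line in the commit message since it is not a typo fix.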
6 changes: 3 additions & 3 deletions internal/builders/container/README.md
Expand Up @@ -214,8 +214,8 @@ Inputs:
| `continue-on-error` | Set to true to ignore errors. This option is useful if you won't want a failure to fail your entire workflow.<br>Default: `false` |
| `gcp-workload-identity-provider` | The full identifier of the Workload Identity Provider, including the project number, pool name, and provider name. If provided, this must be the full identifier which includes all parts:<br>`projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider` |
| `gcp-service-account` | Email address or unique identifier of the Google Cloud service account for which to generate credentials. For example:<br>`my-service-account@my-project.iam.gserviceaccount.com` |
| `provenance-registry-username` | Username when publishing to provenance registry (option 'prove') instead of image registry. Either `provenance-registry-username` input or `provenance-registry-username` secret is required. |
| `provenance-registry` | If set, Provenance is pushed to this registry instead of image registry. |
| `provenance-registry-username` | Username when publishing to provenance registry (option 'provenance-registry') instead of image registry. Either `provenance-registry-username` input or `provenance-registry-username` secret is required. |
| `provenance-registry` | If set, provenance is pushed to this registry instead of image registry. |

Secrets:

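Review bot: The `provenance-registry-username` row says the input or the secret "is required", but the workflow declares the input with `required: false` and the login step only demands a username when `provenance-registry` is set and no GCP access token is available. Reword to "required when `provenance-registry` is set" (and note the GCP exception) so readers who do not use a separate provenance registry are not misled.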
Expand All @@ -224,7 +224,7 @@ Secrets:
| `image` | The OCI image name. This must not include a tag or digest. Either `image` input or `image` secret is **required**. Secret `image` value takes precedence on `image` input value. Should be used in scenarios when the image name contains secret values, and therefore can't be provided directly. Use case - an undisclosed private registry use. |
| `registry-username` | Username to log in the container registry. Either `registry-username` input or `registry-username` secret is required. This should only be used for high entropy values such as AWS Access Key as described [here](https://github.com/docker/login-action#aws-elastic-container-registry-ecr). Normal username values could match other input values and cause them to be ignored by GitHub Actions and causing your build to fail. In those cases, use the `registry-username` input instead. |
| `registry-password` | **(Required)** Password to log in the container registry. |
| `provenance-registry-username` | Username when publishing to provenance registry (option 'prove') instead of image registry. Either `provenance-registry-username` input or `provenance-registry-username` secret is required. This should only be used for high entropy values such as AWS Access Key as described [here](https://github.com/docker/login-action#aws-elastic-container-registry-ecr). Normal username values could match other input values and cause them to be ignored by GitHub Actions and causing your build to fail. In those cases, use the registry-username input instead. |
| `provenance-registry-username` | Username when publishing to provenance registry (option 'provenance-registry') instead of image registry. Either `provenance-registry-username` input or `provenance-registry-username` secret is required. This should only be used for high entropy values such as AWS Access Key as described [here](https://github.com/docker/login-action#aws-elastic-container-registry-ecr). Normal username values could match other input values and cause them to be ignored by GitHub Actions and causing your build to fail. In those cases, use the registry-username input instead. |
| `provenance-registry-password` | Password when publishing to provenance registry instead of image registry. |

### Workflow Outputs
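Review bot: The last sentence of the `provenance-registry-username` secret row still ends with "use the registry-username input instead", which looks copied from the `registry-username` row above; it should point to the `provenance-registry-username` input, in backticks like the other option names. The `provenance-registry-password` row could also state that it is required when `provenance-registry` is set, matching the check in the workflow.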
