Add provenance store auth parameters

.github/workflows/generator_container_slsa3.yml

@@ -29,11 +29,17 @@ on:
   workflow_call:
     secrets:
       registry-username:
-        description: "Username to log into the container registry. Username must be specific to `cosign-repository` input when set"
+        description: "Username to log into the container registry."
       registry-password:
-        description: "Password to log in the container registry. Password must be specific to `cosign-repository` input when set"
+        description: "Password to log in the container registry."
       image:
         description: "The OCI image name. This must not include a tag or digest."
+      provenance-registry-username:
+        description: "Username when publishing to provenance registry instead of image registry"
+      provenance-registry-password:
+        description: "Password when publishing to provenance registry instead of image registry"
+      provenance-registry:
+        description: "Provenance is pushed to this registry instead of image registry"
     inputs:
       image:
         description: "The OCI image name. This must not include a tag or digest."
@@ -43,7 +49,7 @@ on:
         required: true
         type: string
       registry-username:
-        description: "Username to log into the container registry. Username must be specific to `cosign-repository` input when set"
+        description: "Username to log into the container registry."
         type: string
       compile-generator:
         description: "Build the generator from source. This increases build time by ~2m."
@@ -70,11 +76,14 @@ on:
         required: false
         type: string
         default: ""
-      cosign-repository:
-        description: "If set, provenance attestations will be pushed to external repository instead of image repository"
+      provenance-registry-username:
+          description: "Username when publishing to provenance registry instead of image registry"
+          required: false
+          type: string
+      provenance-registry:
+        description: "Provenance is pushed to this registry instead of image registry"
         required: false
         type: string
-        default: ""
     outputs:
       # Note: we use this output because there is no buildt-in `outcome` and `result` is always `success`
       # if `continue-on-error` is set to `true`.
@@ -200,6 +209,50 @@ jobs:
 
           echo "login to ${untrusted_registry}"
           cosign login "${untrusted_registry}" -u "${username}" -p "${password}"
+      
+      - name: Provenance registry login
+        id: provenance-registry-login
+        continue-on-error: true
+        env:
+          UNTRUSTED_PROVENANCE_REGISTRY: "${{ inputs.provenance-registry  }}"
+          UNTRUSTED_SECRET_PROVENANCE_REGISTRY: "${{ secrets.provenance-registry }}"
+          UNTRUSTED_INPUT_PROVENANCE_USERNAME: "${{ inputs.provenance-registry-username }}"
+          UNTRUSTED_SECRET_PROVENANCE_USERNAME: "${{ secrets.provenance-registry-username }}"
+          UNTRUSTED_PROVENANCE_PASSWORD: "${{ secrets.provenance-password }}"
+          GCP_ACCESS_TOKEN: "${{ steps.auth.outputs.access_token }}"
+        if: ${{ env.UNTRUSTED_SECRET_PROVENANCE_REGISTRY != '' || env.UNTRUSTED_PROVENANCE_REGISTRY != '' }}
+        run: |
+          set -euo pipefail
+
+          # NOTE: Some registries are of the form <org>/<name>
+          # Here we get the first part and check if it has a '.' or ':'
+          # character in it to see if it's a domain name.
+          # See: https://stackoverflow.com/questions/37861791/how-are-docker-image-names-parsed#37867949
+
+          untrusted_provenance_registry="docker.io" 
+          maybe_provenance_domain=$(echo "${UNTRUSTED_SECRET_PROVENANCE_REGISTRY:-${UNTRUSTED_PROVENANCE_REGISTRY}}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
+          if [ "${maybe_provenance_domain}" != "" ]; then
+            untrusted_provenance_registry="${maybe_provenance_domain}"
+          fi
+
+          if [ "${GCP_ACCESS_TOKEN}" != "" ]; then
+            username="oauth2accesstoken"
+            password="${GCP_ACCESS_TOKEN}"
+          else
+            username="${UNTRUSTED_SECRET_PROVENANCE_USERNAME:-${UNTRUSTED_INPUT_PROVENANCE_USERNAME}}"
+            if [ "${username}" == "" ]; then
+                echo "provenance-registry username is required." >&2
+                exit 1
+            fi
+            password="${UNTRUSTED_PROVENANCE_PASSWORD}"
+            if [ "${password}" == "" ]; then
+                echo "provenance-registry password is required." >&2
+                exit 1
+            fi
+          fi
+          
+          echo "login to provenance registry: ${untrusted_provenance_registry}"
+          cosign login "${untrusted_provenance_registry}" -u "${username}" -p "${password}"
 
       - name: Create and sign provenance
         id: sign-prov
@@ -209,15 +262,18 @@ jobs:
           UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
           UNTRUSTED_DIGEST: "${{ inputs.digest }}"
           GITHUB_CONTEXT: "${{ toJSON(github) }}"
-          COSIGN_REPOSITORY: "${{ inputs.cosign-repository }}"
+          UNTRUSTED_PROVENANCE_REGISTRY: "${{ inputs.provenance-registry }}"
+          UNTRUSTE_SECRET_PROVENANCE_REGISTRY: "${{ secrets.provenance-registry }}"
         run: |
           set -euo pipefail
 
           # Generate a predicate only.
           predicate_name="predicate.json"
           "$GITHUB_WORKSPACE/$BUILDER_BINARY" generate --predicate="$predicate_name"
 
-          COSIGN_EXPERIMENTAL=1 cosign attest --predicate="$predicate_name" \
+          COSIGN_EXPERIMENTAL=1 \
+          COSIGN_REPOSITORY="${UNTRUSTED_SECRET_PROVENANCE_REGISTRY:-${UNTRUSTED_PROVENANCE_REGISTRY}}" \
+          cosign attest --predicate="$predicate_name" \
             --type slsaprovenance \
             --yes \
             "${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}@${UNTRUSTED_DIGEST}"