fix: checkout uses the wrong repository #1113

Merged Oct 21, 2022 (5 commits)
24 changes: 12 additions & 12 deletions .github/workflows/builder_go_slsa3.yml
@@ -73,7 +73,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check private repos
uses: slsa-framework/slsa-github-generator/.github/actions/privacy-check@a3c7a56c8749c2c423f01bbcfd063315efc07a22
uses: slsa-framework/slsa-github-generator/.github/actions/privacy-check@main
with:
error_message: "Repository is private. The workflow has halted in order to keep the repository name from being exposed in the public transparency log. Set 'private-repository' to override."
override: ${{ inputs.private-repository }}
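Review bot: the `privacy-check` reference moves from an immutable commit SHA to the mutable `@main`, and the new `scripts/pre-release/references.sh` in this PR rejects any internal action reference that does not equal `$RELEASE_TAG`. That only works if the release procedure rewrites every `@main` to the tag before the tag is pushed, yet the added RELEASE.md text only says to run the workflow and check that it succeeds; please document the rewrite step, otherwise every tag push fails at `pre-release-refs`. Keep in mind as well that a caller who pins this reusable workflow to a commit on `main` now runs whatever `privacy-check` is at the HEAD of `main` at run time, not the revision they pinned.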
@@ -85,7 +85,7 @@ jobs:
steps:
- name: Generate random 16-byte value (32-char hex encoded)
id: rng
uses: slsa-framework/slsa-github-generator/.github/actions/rng@e3220805577deb9d193f64e519abcb3b50851df5
uses: slsa-framework/slsa-github-generator/.github/actions/rng@main

detect-env:
outputs:
@@ -97,7 +97,7 @@ jobs:
steps:
- name: Detect the builder ref
id: detect
uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@efb47d340c150ce456bf8bd554a131ac53b10ccd # tag=v1.2.0
uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@main # tag=v1.2.0

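Review bot: the trailing `# tag=v1.2.0` comment is now stale. The reference is `@main`, so the comment no longer describes what is checked out, and a reader or a pin-auditing tool that trusts such comments would be misled. Drop it here, or make sure the rewrite that later turns `@main` into the release tag also replaces the comment.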
###################################################################
# #
@@ -112,7 +112,7 @@ jobs:
steps:
- name: Generate builder binary
id: generate
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@923a5a249d2ea820614a80486c9ef0857ced5321
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@main
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
@@ -142,10 +142,10 @@ jobs:
go-env: ${{ steps.build-dry.outputs.go-env }}
go-working-dir: ${{ steps.build-dry.outputs.go-working-dir }}
runs-on: ubuntu-latest
needs: [privacy-check, builder, rng]
needs: [privacy-check, builder, rng, detect-env]
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
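Review bot: adding `detect-env` to `needs` is the real fix behind the PR title and deserves a comment on the `needs:` line. In GitHub Actions, `needs.<job>.outputs.*` is only populated for jobs listed in the current job's `needs`; for any other job the expression evaluates to the empty string. So `repository:` and `ref:` passed to `secure-builder-checkout` were empty and the action did not receive the caller's detected repository and ref. Without a comment, someone will eventually "clean up" the apparently unused dependency and reintroduce the bug; better still, mark those two inputs `required: true` inside the action so an empty value fails loudly.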
@@ -188,10 +188,10 @@ jobs:
outputs:
go-binary-sha256: ${{ steps.upload.outputs.sha256 }}
runs-on: ubuntu-latest
needs: [privacy-check, builder, build-dry, rng]
needs: [privacy-check, builder, build-dry, rng, detect-env]
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
@@ -262,7 +262,7 @@ jobs:
###################################################################
provenance:
runs-on: ubuntu-latest
needs: [builder, build, build-dry, rng]
needs: [builder, build, build-dry, rng, detect-env]
permissions:
id-token: write # Needed to create an OIDC token for keyless signing.
contents: read
@@ -272,7 +272,7 @@ jobs:
go-provenance-sha256: ${{ steps.sign-prov.outputs.signed-provenance-sha256 }}
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
@@ -326,11 +326,11 @@ jobs:
permissions:
contents: write # Needed to write artifacts to a release.
runs-on: ubuntu-latest
needs: [build-dry, build, provenance]
needs: [build-dry, build, provenance, detect-env]
if: startsWith(github.ref, 'refs/tags/') && inputs.upload-assets == true
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
20 changes: 10 additions & 10 deletions .github/workflows/builder_node_slsa3.yml
@@ -133,7 +133,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check private repos
uses: slsa-framework/slsa-github-generator/.github/actions/privacy-check@a3c7a56c8749c2c423f01bbcfd063315efc07a22
uses: slsa-framework/slsa-github-generator/.github/actions/privacy-check@main
with:
error_message: "Repository is private. The workflow has halted in order to keep the repository name from being exposed in the public transparency log. Set 'private-repository' to override."
override: ${{ inputs.private-repository }}
@@ -145,7 +145,7 @@ jobs:
steps:
- name: Generate random 16-byte value (32-char hex encoded)
id: rng
uses: slsa-framework/slsa-github-generator/.github/actions/rng@e3220805577deb9d193f64e519abcb3b50851df5
uses: slsa-framework/slsa-github-generator/.github/actions/rng@main

detect-env:
outputs:
@@ -157,7 +157,7 @@ jobs:
steps:
- name: Detect the builder ref
id: detect
uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@efb47d340c150ce456bf8bd554a131ac53b10ccd # tag=v1.2.0
uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@main # tag=v1.2.0

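Review bot: same stale `# tag=v1.2.0` comment as in `builder_go_slsa3.yml`; the reference is `@main` now, so remove the comment here as well.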
###################################################################
# #
@@ -172,7 +172,7 @@ jobs:
steps:
- name: Generate builder
id: generate
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@923a5a249d2ea820614a80486c9ef0857ced5321
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@main
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
@@ -200,10 +200,10 @@ jobs:
node-tarball-sha256: ${{ steps.upload.outputs.sha256 }}
node-tarball-name: ${{ steps.tarball.outputs.filename }}
runs-on: ubuntu-latest
needs: [privacy-check, builder, rng]
needs: [privacy-check, builder, rng, detect-env]
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
@@ -292,7 +292,7 @@ jobs:
###################################################################
provenance:
runs-on: ubuntu-latest
needs: [builder, build, rng]
needs: [builder, build, rng, detect-env]
permissions:
id-token: write # Needed to create an OIDC token for keyless signing.
contents: read
@@ -302,7 +302,7 @@ jobs:
node-provenance-sha256: ${{ steps.sign-prov.outputs.signed-provenance-sha256 }}
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
@@ -356,10 +356,10 @@ jobs:
###################################################################
publish:
runs-on: ubuntu-latest
needs: [build, provenance]
needs: [build, provenance, detect-env]
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
6 changes: 3 additions & 3 deletions .github/workflows/generator_container_slsa3.yml
@@ -54,7 +54,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check private repos
uses: slsa-framework/slsa-github-generator/.github/actions/privacy-check@a3c7a56c8749c2c423f01bbcfd063315efc07a22
uses: slsa-framework/slsa-github-generator/.github/actions/privacy-check@main
with:
error_message: "Repository is private. The workflow has halted in order to keep the repository name from being exposed in the public transparency log. Set 'private-repository' to override."
override: ${{ inputs.private-repository }}
@@ -71,7 +71,7 @@ jobs:
steps:
- name: Detect the generator ref
id: detect
uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@efb47d340c150ce456bf8bd554a131ac53b10ccd
uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@main

# generator builds the generator binary and runs it to generate SLSA
# provenance.
@@ -91,7 +91,7 @@ jobs:
packages: write # Needed to login and upload attestations to ghcr.io.
steps:
- name: Generate builder
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@923a5a249d2ea820614a80486c9ef0857ced5321
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@main
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
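Review bot: this hunk only swaps the `generate-builder` pin for `@main`; the `needs:` of the generator job lies outside the hunk. Since the step reads `needs.detect-env.outputs.repository` and `needs.detect-env.outputs.ref`, please confirm `detect-env` is listed in that job's `needs`, because the empty-output problem this PR fixes in the builder workflows applies here in exactly the same way.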
2 changes: 1 addition & 1 deletion .github/workflows/generator_generic_slsa3.yml
@@ -163,7 +163,7 @@ jobs:
outputs:
release-id: ${{ steps.release.outputs.id }}
runs-on: ubuntu-latest
needs: [generator]
needs: [generator, detect-env]
permissions:
contents: write # Needed to write artifacts to a release.
if: startsWith(github.ref, 'refs/tags/') && inputs.upload-assets == true
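Review bot: the dependency fix is consistent with the other workflows, but the lines that consume `needs.detect-env.outputs.*` in this `upload` job are outside the hunk. Please confirm they exist; if the job does not read those outputs, the added dependency does nothing except tie the job to `detect-env`.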
27 changes: 25 additions & 2 deletions .github/workflows/release.yml
@@ -3,15 +3,39 @@ name: Builders realeaser
on:
# For manual tests.
workflow_dispatch:
inputs:
release-tag:
description: 'Release tag to test'
required: true
type: string
push:
tags:
- "*" # triggers only if push new tag version, like `0.8.4` or else

permissions: read-all

jobs:
# Pre-release reference verification.
pre-release-refs:
name: pre release refs verification
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
- name: manual release ref
env:
RELEASE_TAG: "${{ inputs.release-tag }}"
if: github.ref_type != 'tag'
run: ./.github/workflows/scripts/pre-release/references.sh

- name: new tag release ref
env:
RELEASE_TAG: "${{ github.ref_name }}"
if: github.ref_type == 'tag'
run: ./.github/workflows/scripts/pre-release/references.sh

# Generic generator.
generic-generator:
needs: [pre-release-refs]
permissions:
id-token: write # For signing.
contents: write # For asset uploads.
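Review bot: two points on the `pre-release-refs` job. First, `workflow_dispatch` lets the operator choose a tag as the ref to run from; in that case `github.ref_type == 'tag'` is true and the `release-tag` input they typed is silently ignored in favour of `github.ref_name`. Either reject that combination or prefer the explicit input when it is set. Second, `release-tag` is a free-form string that ends up inside a `grep -P` pattern in `references.sh`; passing it through `env` rather than interpolating it into `run:` correctly avoids shell injection, but a format check on the tag (e.g. `^v?[0-9]+\.[0-9]+\.[0-9]+`) before use would stop typos from producing a misleading pass or fail. Minor: the context line `name: Builders realeaser` has a typo.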
@@ -24,8 +48,7 @@ jobs:

# Go builder.
go-builder:
# Force the builds to rin sequentially, to avoid
# the builder binaries being overwritten by each run.
needs: [pre-release-refs]
permissions:
id-token: write # For signing.
contents: write # For asset uploads.
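Review bot: the deleted comment said the builder releases had to run sequentially so the builder binaries are not overwritten between runs, yet the hunk only replaces it with `needs: [pre-release-refs]`, which puts `go-builder` and `generic-generator` in parallel behind the same job. Please confirm the overwrite hazard the comment described no longer applies; if it still does, chain this job after `generic-generator` instead of deleting the explanation.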
19 changes: 19 additions & 0 deletions .github/workflows/scripts/pre-release/references.sh
@@ -0,0 +1,19 @@
#!/bin/bash

# Verify that Action calls that are pinned (not locally called)
# use the same referemnce as the relealse tag.
# See reasoning in ./github/actions/README.md

set -euo pipefail

results=$(
find .github/workflows/ -name '*.yaml' -o -name '*.yml' \
| xargs grep -P "slsa-framework/slsa-github-generator/.github/actions/.*@(?!$RELEASE_TAG)" \
|| true
)
if [[ "$results" != "" ]]; then
echo "Some Actions are not referenced via the correct release tag \"$RELEASE_TAG\""
echo "$results"
exit 1
fi
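Review bot: `$RELEASE_TAG` is spliced unescaped into a PCRE negative lookahead, so `.` in a tag such as `v1.2.0` matches any character, and the lookahead is not anchored at the end of the ref. With `RELEASE_TAG=v1.2.0`, references like `@v1x2.0`, `@v1.2.0-rc1` or `@v1.2.01` all pass the check. Quote the literal and require the ref to end there, e.g. `grep -nP "slsa-framework/slsa-github-generator/\.github/actions/[^@]*@(?!\Q$RELEASE_TAG\E(\s|$))"` (`-n` also makes the failure output point at a line). Please also fix the comment typos (`referemnce`, `relealse`) and the path `./github/actions/README.md`, which should read `.github/actions/README.md`.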

6 changes: 5 additions & 1 deletion RELEASE.md
Expand Up @@ -33,7 +33,11 @@ $ export GH=/path/to/gh

## Pre-release tests

Needless to say, only think about a release when all the e2e tests in [github.com/slsa-framework/example-package/.github/workflows/](github.com/slsa-framework/example-package/.github/workflows/) are passing. (They run daily).
Verify the references to the internal Actions by manually running the [release workflow](https://github.com/slsa-framework/slsa-github-generator/actions/workflows/release.yml). Ensure this workflow succeeds.

Code freeze the repository for 1-2 days.

Verify all the e2e tests in [github.com/slsa-framework/example-package/.github/workflows/](github.com/slsa-framework/example-package/.github/workflows/) are passing. (They run daily).

There is one integration test we cannot easily test "live", so we need to simulate it by changing the code: malicious verifier binary in assets. We want to be sure the builder fails if the verifier's binary is tampered with. For this:

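Review bot: the link target `github.com/slsa-framework/example-package/.github/workflows/` has no scheme, so Markdown renders it as a relative link inside this repository and it 404s; use `https://github.com/...`. Also, running the release workflow manually as described is not a dry run: in this PR both `generic-generator` and `go-builder` now `needs: [pre-release-refs]` and run with `id-token: write` and `contents: write`, so unless they are gated elsewhere a successful reference check goes straight into the release jobs. Either say so here or gate those jobs on `github.ref_type == 'tag'`.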
Expand Down