slsa-framework · ramonpetgrave64 · Feb 20, 2024 · Feb 23, 2024 · Feb 23, 2024 · Feb 23, 2024
@@ -25,6 +25,8 @@ myjob:
   uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@<tag>
   with:
     subjects: "${{ needs.build.outputs.digest }}"
+  secrets:
+    token: ${{ secrets.my-slsa-gh-token }}
 ```
 
 However, it is not trivial to determine the repository and ref because the

@@ -0,0 +1,3 @@
+dist/
+lib/
+node_modules/
@@ -0,0 +1,53 @@
+{
+  "plugins": ["@typescript-eslint"],
+  "extends": ["plugin:github/recommended"],
+  "parser": "@typescript-eslint/parser",
+  "parserOptions": {
+    "ecmaVersion": 9,
+    "sourceType": "module",
+    "project": "./tsconfig.json"
+  },
+  "rules": {
+    "i18n-text/no-en": "off",
+    "eslint-comments/no-use": "off",
+    "import/no-namespace": "off",
+    "no-unused-vars": "off",
+    "@typescript-eslint/no-unused-vars": "error",
+    "@typescript-eslint/explicit-member-accessibility": ["error", {"accessibility": "no-public"}],
+    "@typescript-eslint/no-require-imports": "error",
+    "@typescript-eslint/array-type": "error",
+    "@typescript-eslint/await-thenable": "error",
+    "@typescript-eslint/ban-ts-comment": "error",
+    "camelcase": "off",
+    "@typescript-eslint/consistent-type-assertions": "error",
+    "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
+    "@typescript-eslint/func-call-spacing": ["error", "never"],
+    "@typescript-eslint/no-array-constructor": "error",
+    "@typescript-eslint/no-empty-interface": "error",
+    "@typescript-eslint/no-explicit-any": "error",
+    "@typescript-eslint/no-extraneous-class": "error",
+    "@typescript-eslint/no-for-in-array": "error",
+    "@typescript-eslint/no-inferrable-types": "error",
+    "@typescript-eslint/no-misused-new": "error",
+    "@typescript-eslint/no-namespace": "error",
+    "@typescript-eslint/no-non-null-assertion": "warn",
+    "@typescript-eslint/no-unnecessary-qualifier": "error",
+    "@typescript-eslint/no-unnecessary-type-assertion": "error",
+    "@typescript-eslint/no-useless-constructor": "error",
+    "@typescript-eslint/no-var-requires": "error",
+    "@typescript-eslint/prefer-for-of": "warn",
+    "@typescript-eslint/prefer-function-type": "warn",
+    "@typescript-eslint/prefer-includes": "error",
+    "@typescript-eslint/prefer-string-starts-ends-with": "error",
+    "@typescript-eslint/promise-function-async": "error",
+    "@typescript-eslint/require-array-sort-compare": "error",
+    "@typescript-eslint/restrict-plus-operands": "error",
+    "semi": "off",
+    "@typescript-eslint/type-annotation-spacing": "error",
+    "@typescript-eslint/unbound-method": "error"
+  },
+  "env": {
+    "node": true,
+    "es6": true
+  }
+}
@@ -0,0 +1,99 @@
+# Dependency directory
+node_modules
+
+# Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+jspm_packages/
+
+# TypeScript v1 declaration files
+typings/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+.env.test
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+
+# next.js build output
+.next
+
+# nuxt.js build output
+.nuxt
+
+# vuepress build output
+.vuepress/dist
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# OS metadata
+.DS_Store
+Thumbs.db
+
+# Ignore built ts files
+__tests__/runner/*
+lib/**/*
@@ -0,0 +1,3 @@
+dist/
+lib/
+node_modules/
@@ -0,0 +1,68 @@
+# Copyright 2023 SLSA Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+SHELL := /bin/bash
+ACTION_NAME = $(shell basename "$$(pwd)")
+
+.PHONY: help
+help: ## Shows all targets and help from the Makefile (this message).
+	@echo "$(ACTION_NAME) Makefile"
+	@echo "Usage: make [COMMAND]"
+	@echo ""
+	@grep --no-filename -E '^([/a-z.A-Z0-9_%-]+:.*?|)##' $(MAKEFILE_LIST) | \
+		awk 'BEGIN {FS = "(:.*?|)## ?"}; { \
+			if (length($$1) > 0) { \
+				printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2; \
+			} else { \
+				if (length($$2) > 0) { \
+					printf "%s\n", $$2; \
+				} \
+			} \
+		}'
+
+node_modules/.installed: package.json package-lock.json
+	npm ci
+	touch node_modules/.installed
+
+.PHONY: action
+action: node_modules/.installed ## Builds the action.
+	npm run build
+
+.PHONY: package
+package: action ## Builds the distribution package.
+	npm run package
+
+.PHONY: clean
+clean:
+	rm -rf dist lib node_modules
+
+## Tools
+#####################################################################
+
+.PHONY: format
+format: node_modules/.installed ## Formats code.
+	npm run format
+
+## Testing
+#####################################################################
+
+.PHONY: unit-test
+unit-test: node_modules/.installed ## Runs all unit tests.
+	# NOTE: Make sure the package builds.
+	npm run build
+	npm run test
+
+.PHONY: lint
+lint: node_modules/.installed ## Runs eslint.
+	npm run lint
@@ -0,0 +1,89 @@
+# ensure-github-hosted-runners-js
+
+Github action runners can be either github-hosted or self-hosted.
+
+`ensure-github-hosted-runners-js` is a Github Action that ensures that no self-hosted 
+runners are used for any adjacent jobs in the workflow.
+
+It does this by comparing the `runs-on` labels in the job specs with the 
+labels of the repository's known self-hosted runner labels.
+
+## Why?
+
+SLSA Build 3 is intends for builds to be performed on trusted build platforms, which
+means only using github-hosted runners.
+
+All of our language-specific builder workflows both build code and produce provenance.
+They are run using Github Reusable Workflows, which we know will always run on github-hoastwed runners.
+Therefore we can trust that both the build artifacts and provenance were produce on
+github-hosted runners.
+
+But our generic workflows do not perform actual builds. Instead they accept the build artifacts
+produced by the the user's own jobs, which the user could specify to run on self-hosted runners.
+
+## Caveats
+
+### Administration:read permissions
+
+This action requires the user to supply their own token with extra permissions, rather than the 
+default token that Github will automatically supply to workflows. We will have our calling workflows
+pass the token along.
+
+1. Create a new Token for your repository, with:
+  1. actions:read
+  2. administration:read
+2. Add the token as a Repository Secret, `my-slsa-gh-token`, for example
+3. Supply token to the action
+
+The generic generator workflows will expect this token when they pass
+along to this action, so you can also use them like
+
+```yaml
+jobs:
+  detect-workflow:
+    runs-on: ubuntu-latest
+      uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0@<git hash>
+      secrets:
+        token: ${{ secrets.my-slsa-gh-token }}
+```
+
+### Race conditon
+
+We acknowledge that a malicious repository woner could still workaround this mechanism.
+At the start of a workflow, they could have one Job run with `runs-on: my-vps` that targets one of 
+their self-hosted runbners. Then, after that Job completes, but before the slsa-framework job starts,
+they could use ther github UI to remove that particual `my-vps` label from their self-hosted runner.
+This action would not detect that the first job did actually run on a slef-hosted runners.
+
+### Considered mitigations
+
+#### What about using a list of known github-hosted runner labels?
+
+Github does not publish a difnitive list. But an even greater problem is that the user could assign their
+runner any of Github's common labels. They could label their self-hosted runner with `ubuntu-latest`, for example.
+
+
+#### What about using the Job's runner ID?
+
+Github's List Jobs for Workflow Run also returns the assigned runner IDs for the job. We had considered
+using these IDs against the known self-hsoted runner IDs, but it still does not solve the race codnition problem
+because a user may delete their self-hosted runner before this action executes. And Github does not publish
+a list of github-hosted runner IDs.
+
+TODO: usage docs
+
+## Usage
+
+First create a Token and Secret described [above](#administrationread-permissions)
+
+```yaml
+jobs:
+  detect-workflow:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Detect the repository and ref
+        id: detect
+        uses: slsa-framework/slsa-github-generator/.github/actions/ensure-github-hosted-runners@<git hash>
+        with:
+          token: ${{ secrets.my-slsa-gh-token }}
+```