Add builderDependencies

Signed-off-by: Mark Lodato <lodato@google.com>
slsa-framework · Nov 7, 2022 · 5aab59b · 5aab59b
1 parent b661ee1
commit 5aab59b
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 10 deletions.
diff --git a/docs/provenance/v1.0.cue b/docs/provenance/v1.0.cue
@@ -23,7 +23,8 @@
         "runDetails": {
             "builder": {
                 "id": string,
-                "version": string
+                "version": string,
+                "builderDependencies": [...#ArtifactReference]
             },
             "metadata": {
                 "invocationId": string,

diff --git a/docs/provenance/v1.0.md b/docs/provenance/v1.0.md
@@ -143,13 +143,6 @@ of the other top-level fields, such as `subject`, see [Statement]._
                     "digest": {
                         "sha1": "15bf79ea9c89fffbf5dd02c6b5b686b291bfcbd2"
                     }
-                },
-                // The binary that runs under the reusable workflow.
-                // TODO: is this actually a top-level input, or is this really
-                // the `builder.id` and a `resolvedDependencies`?
-                "builderBinary": {
-                    "uri": "git+https://github.com/slsa-framework/slsa-github-generator@refs/tags/v1.2.0",
-                    "digest": { "sha1": "bdd89e60dc5387d8f819bebc702987956bcd4913" }
                 }
             },
             "entryPoint": ".github/workflow/release.yml",
@@ -174,7 +167,15 @@ of the other top-level fields, such as `subject`, see [Statement]._
     "runDetails": {
         "builder": {
             "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v0.0.1",
-            version: "<commit-id>"  // TODO: supply a real example value here
+            version: "<commit-id>",  // TODO: supply a real example value here
+            "builderDependencies": [
+                {
+                    // TODO: Do we need a field to differentiate this from other
+                    // deps, e.g localName or something else?
+                    "uri": "git+https://github.com/slsa-framework/slsa-github-generator@refs/tags/v1.2.0",
+                    "digest": { "sha1": "bdd89e60dc5387d8f819bebc702987956bcd4913" }
+                }
+            ]
         },
         "metadata": {
             // TODO: supply real example values here
@@ -280,6 +281,7 @@ meaning of each field is unchanged unless otherwise noted.
         "builder": {
             "id": old.builder.id,
             "version": null  // not in v0.2
+            "builderDependencies": null // not in v0.2
         },
         "metadata": {
             "invocationId": old.metadata.buildInvocationId,
@@ -319,7 +321,7 @@ changed slightly.
     input artifacts to be specified.
 -   Moved `entryPoint` out of `buildConfig` so that all artifact references
     share a common schema.
--   Added `builder.version`.
+-   Added `builder.version` and `builder.builderDependencies`.
 -   Added `byproducts`.
 -   Removed `buildConfig`; can use `inputArtifacts.config` or `byproducts`
     instead.

diff --git a/docs/provenance/v1.0.proto b/docs/provenance/v1.0.proto
@@ -218,6 +218,12 @@ message Builder {
 
   // TODO: Do we want to add this field? (#319)
   string version = 2;
+
+  // Dependencies used by the orchestrator that are not run within the workload
+  // and that should not affect the build, but may affect the provenance
+  // generation or security guarantees.
+  // TODO: Flesh out this model more.
+  repeated ArtifactReference builderDependencies = 3;
 }
 
 message BuildMetadata {