Skip to content

feat(ci): add build provenance attestation #22

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
wilsonianb merged 7 commits into from
Aug 26, 2024
Merged

feat(ci): add build provenance attestation #22

wilsonianb merged 7 commits into from
Aug 26, 2024

Conversation

@wilsonianb
Copy link
Collaborator

@wilsonianb wilsonianb commented Aug 21, 2024

wilsonianb
wilsonianb commented Aug 21, 2024
View reviewed changes
.github/workflows/deploy-worker.yml
workingDirectory: ${{ github.event.inputs.directory }}
command: deploy --no-bundle --name=${{ github.event.inputs.appId }} --dispatch-namespace ${{ github.event.inputs.dispatchNamespace }} ${{ steps.get-script.outputs.WORKER_SCRIPT }}

attest:
Copy link
Collaborator Author

@wilsonianb wilsonianb Aug 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Making this a separate job creates a second set of webhook events

codius-workers/packages/codius-astro/src/pages/webhooks/github/workflow-job.ts

Line 11 in 84c9cd5

webhooks.on("workflow_job.in_progress", async (data) => {

codius-workers/packages/codius-astro/src/pages/webhooks/github/workflow-job.ts

Line 27 in 84c9cd5

webhooks.on("workflow_job.completed", async (data) => {

wilsonianb
wilsonianb commented Aug 21, 2024
View reviewed changes
.github/workflows/deploy-worker.yml Outdated
Comment on lines 141 to 144
- name: Attest Build Provenance
uses: actions/attest-build-provenance@v1
with:
subject-path: ${{ needs.deploy.outputs.WORKER_SCRIPT }}
Copy link
Collaborator Author

@wilsonianb wilsonianb Aug 21, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Upload bundle (& script/artifact) to r2?
https://github.com/actions/attest-build-provenance?tab=readme-ov-file#outputs

Still not sure how to get the attestation url other than via the the script/artifact digest
https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#list-attestations
actions/attest-build-provenance#69 (comment)

wilsonianb
wilsonianb commented Aug 22, 2024
View reviewed changes
.github/workflows/deploy-worker.yml
run: |
uri="git+https://github.com/${{ github.event.inputs.repo }}@refs/heads/${{ github.event.inputs.branch }}"
resolved_dependencies=$(jq -n --arg uri "$uri" --arg commit "${{ github.event.inputs.commit }}" '[{"uri": $uri, "digest": {"gitCommit": $commit}}]')
predicate=$(echo '${{ steps.generate-build-provenance-predicate.outputs.predicate }}' | jq -c '.buildDefinition.externalParameters.resolvedDependencies = $resolved_dependencies' --argjson resolved_dependencies "$resolved_dependencies")
Copy link
Collaborator Author

@wilsonianb wilsonianb Aug 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overriding the existing .buildDefinition.resolvedDependencies resulted in

Error: Failed to persist attestation: Invalid Argument - values do not match: git+https://github.com/wilsonianb/php-worker-hello-world@refs/heads/master != git+https://github.com/codius/codius-workers@refs/heads/preview - https://docs.github.com/rest/repos/repos#create-an-attestation

which appears to originate in
https://github.com/actions/toolkit/blob/6c4e082c181a51609197e536ef5255a0c9baeef7/packages/attest/src/store.ts#L28-L42

Specifying the worker's repo in an added resolvedDependencies field under externalParameters appears to work.
However, it isn't displayed in either the GitHub attestation or Rekor entry

It can be found by parsing the attestation file:

jq -r '.dsseEnvelope.payload' codius-codius-workers-attestation-1774723.sigstore.json | base64 -d | jq .

https://slsa.dev/spec/v1.0/provenance#builddefinition

@wilsonianb wilsonianb mentioned this pull request Aug 23, 2024
Open
@wilsonianb
feat(ci): include subdirectory in attestation predicate
5276ac4
@wilsonianb
chore(ci): make formatting consistent
051287e
@wilsonianb
chore(astro): remove githubWorkflowJobId
2796c12 
Report appId in separate workflow job.
Add workflow_run.completed webhook handler.
Add githubWorkflowRunId index in apps table.
@wilsonianb
chore(astro): bump drizzle-orm
59cec53
@wilsonianb wilsonianb marked this pull request as ready for review August 26, 2024 23:04
@wilsonianb wilsonianb merged commit 59cec53 into main Aug 26, 2024
@wilsonianb wilsonianb deleted the provenance branch August 26, 2024 23:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add build provenance attestation for deployed workers

2 participants

@wilsonianb