From a5df2854a3ef16f67ce0fd3cf48ced0f4fe1ca31 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Fri, 1 Jul 2022 03:33:50 +0000
Subject: [PATCH 01/24] Add a generic container workflow
---
 .../workflows/generator_container_slsa3.yml | 163 ++++++++++++++++++
 internal/builders/generic/attest.go | 13 +-
 2 files changed, 172 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/generator_container_slsa3.yml
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
new file mode 100644
index 0000000000..e45d4cf8b4
--- /dev/null
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -0,0 +1,163 @@
+# Copyright 2022 SLSA Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: SLSA container image provenance
+
+permissions:
+ contents: read
+
+env:
+ # Generator
+ BUILDER_BINARY: generic-generator
+ BUILDER_RELEASE_BINARY: slsa-generator-generic-linux-amd64
+ BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
+ # Verifier
+ # NOTE: These VERIFIER_* variables are used for verification of generator
+ # release binaries when the compile-generator input is false.
+ VERIFIER_REPOSITORY: slsa-framework/slsa-verifier
+ VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64
+ VERIFIER_RELEASE_BINARY_SHA256: f92fc4e571949c796d7709bb3f0814a733124b0155e484fad095b5ca68b4cb21
+ VERIFIER_RELEASE: v1.1.1
+
+on:
+ workflow_call:
+ secrets:
+ registry-password:
+ description: "Password to log in the container registry."
+ required: false # NOTE: This is actually required right now.
+ inputs:
+ image:
+ description: "The OCI image name."
+ required: true
+ type: string
+ registry-user:
+ description: "Username to log into the container registry."
+ required: false # NOTE: This is actually required right now.
+ type: string
+ # FIXME: support not uploading to registry.
+ # upload-to-registry:
+ # description: "If true the provenance is pushed to the container registry."
+ # required: false
+ # type: boolean
+ # default: true
+ compile-generator:
+ description: "Build the generator from source. This increases build time by ~2m."
+ required: false
+ type: boolean
+ default: false
+ outputs:
+ attestation-name:
+ description: "The artifact name of the signed provenance"
+ value: ${{ jobs.generator.outputs.attestation-name }}
+
+jobs:
+ # detect-env detects the reusable workflow's repository and ref for use later
+ # in the workflow.
+ detect-env:
+ outputs:
+ repository: ${{ steps.detect.outputs.repository }}
+ ref: ${{ steps.detect.outputs.ref }}
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write # Needed to detect the current reusable repository and ref.
+ steps:
+ - name: Detect the generator ref
+ id: detect
+ uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@d995948e8d53cc639c0d3ef69db31dbc243519c4 # v1.1.1
+
+ # generator builds the generator binary and runs it to generate SLSA
+ # provenance.
+ #
+ # If `compile-generator` is true then the generator is compiled
+ # from source at the ref detected by `detect-env`.
+ #
+ # If `compile-generator` is false, then the generator binary is downloaded
+ # with the release at the ref detected by `detect-env`. This must be a tag
+ # reference.
+ generator:
+ outputs:
+ attestation-name: ${{ steps.sign-prov.outputs.attestation-name }}
+ attestation-sha256: ${{ steps.sign-prov.outputs.attestation-sha256 }}
+ runs-on: ubuntu-latest
+ needs: [detect-env]
+ permissions:
+ id-token: write # Needed for keyless.
+ contents: read
+ # actions permissions are needed to read info on the workflow and
+ # workflow run.
+ actions: read
+ packages: write
+ steps:
+ - name: Generate builder
+ uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@1b4ebe8029b40670c71aae9b9c88be486beb6b49
+ with:
+ repository: "${{ needs.detect-env.outputs.repository }}"
+ ref: "${{ needs.detect-env.outputs.ref }}"
+ go-version: 1.18
+ binary: "${{ env.BUILDER_BINARY }}"
+ compile-builder: "${{ inputs.compile-generator }}"
+ directory: "${{ env.BUILDER_DIR }}/generic"
+
+ # Note: here we need packages permissions
+ - uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25 # v2.4.0
+ - name: Login
+ env:
+ UNTRUSTED_IMAGE: "${{ inputs.image }}"
+ UNTRUSTED_USERNAME: "${{ inputs.registry-username }}"
+ UNTRUSTED_PASSWORD: "${{ secrets.registry-password }}"
+ run: |
+ set -euo pipefail
+
+ untrusted_registry="docker.io"
+
+ # HACK: Need to figure out a better way to do this.
+ maybe_domain=$(echo "$UNTRUSTED_IMAGE" | cut -f1 -d "/" | grep "\.")
+ if [ "$maybe_domain" != "" ]; then
+ untrusted_registry="$maybe_domain"
+ fi
+
+ echo "login to $untrusted_registry"
+ cosign login "$untrusted_registry" -u "$UNTRUSTED_USERNAME" -p "$UNTRUSTED_PASSWORD"
+
+ - name: Create and sign provenance
+ id: sign-prov
+ shell: bash
+ # NOTE: Inputs and github context are set to environment variables in
+ # order to avoid script injection.
+ # See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
+ env:
+ UNTRUSTED_IMAGE: "${{ inputs.image }}"
+ GITHUB_CONTEXT: "${{ toJSON(github) }}"
+ run: |
+ set -euo pipefail
+
+ # Generate a predicate only.
+ attestation_name="attestation.intoto.jsonl"
+ predicate_name="predicate.json"
+ ./"$BUILDER_BINARY" attest -g="" --predicate="$predicate_name"
+
+ # TODO: Set --no-upload if inputs.upload-to-registry is false.
+ COSIGN_EXPERIMENTAL=1 cosign attest --predicate="$predicate_name" \
+ --type slsaprovenance \
+ --force \
+ "$UNTRUSTED_IMAGE" >"$attestation_name"
+ echo "::set-output name=attestation-name::$attestation_name"
+
+ - name: Upload the signed provenance
+ uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ with:
+ name: "${{ steps.sign-prov.outputs.attestation-name }}"
+ path: "${{ steps.sign-prov.outputs.attestation-name }}"
+ if-no-files-found: error
+ retention-days: 5
diff --git a/internal/builders/generic/attest.go b/internal/builders/generic/attest.go
index 12845d4154..8e4762bc59 100644
--- a/internal/builders/generic/attest.go
+++ b/internal/builders/generic/attest.go
@@ -158,11 +158,16 @@ run in the context of a Github Actions workflow.`,
 ghContext, err := github.GetWorkflowContext()
 check(err)
- parsedSubjects, err := parseSubjects(subjects)
- check(err)
+ var parsedSubjects []intoto.Subject
+ // We don't actually care about the subjects if we aren't writing an attestation.
+ if attPath != "" {
+ var err error
+ parsedSubjects, err = parseSubjects(subjects)
+ check(err)
- if len(parsedSubjects) == 0 {
- check(errors.New("expected at least one subject"))
+ if len(parsedSubjects) == 0 {
+ check(errors.New("expected at least one subject"))
+ }
 }
 ctx := context.Background()
From 212feb7e9d0087398a8578279355a6b81428e87d Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Fri, 1 Jul 2022 04:11:14 +0000
Subject: [PATCH 02/24] fix input
---
 .github/workflows/generator_container_slsa3.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index e45d4cf8b4..0da09e4303 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
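Review bot: The Login step's `maybe_domain=$(echo "$UNTRUSTED_IMAGE" | cut -f1 -d "/" | grep "\.")` aborts the whole step for any Docker Hub reference such as `library/nginx`, because `grep` exits 1 when nothing matches and the script runs under `set -euo pipefail`, so the `docker.io` default just above it is never used. Append `|| true` to the pipeline (`... | grep "\." || true`) so an empty match falls through to the default; the rewritten `grep -E "\.|:"` line in the `@@ -122,10 +109,12 @@` hunk of PATCH 10/24 has the same problem. The same step also hands the registry secret to cosign as a command-line argument (`-p "$UNTRUSTED_PASSWORD"`), which exposes it to anything that can list processes on the runner. `cosign login` accepts `--password-stdin`, so `printf '%s' "$UNTRUSTED_PASSWORD" | cosign login "$untrusted_registry" -u "$UNTRUSTED_USERNAME" --password-stdin` keeps it off argv.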
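Review bot: The `var err error` inside the new `if attPath != "" {` block shadows the `err` already declared by `ghContext, err := github.GetWorkflowContext()` two lines above; the redeclaration is unnecessary, since `parsedSubjects, err = parseSubjects(subjects)` can assign to the outer variable, and dropping it removes a shadowed name that vet-style linters will flag. The comment on the block could also state the consequence of skipping the parse, e.g. `// No attestation file is written, so subjects are not required; parsedSubjects stays nil.`, since that is what the unassigned `var parsedSubjects []intoto.Subject` yields. The enclosing function starts and ends outside the hunk, so how a nil `parsedSubjects` is consumed later cannot be checked here.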
@@ -41,7 +41,7 @@ on:
 description: "The OCI image name."
 required: true
 type: string
- registry-user:
+ registry-username:
 description: "Username to log into the container registry."
 required: false # NOTE: This is actually required right now.
 type: string
From 4821dc220a87770701a14c00c9cfee21f8a67152 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Fri, 1 Jul 2022 05:27:32 +0000
Subject: [PATCH 03/24] update hashes
---
 .github/workflows/generator_container_slsa3.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index 0da09e4303..2204e98fca 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -74,7 +74,7 @@ jobs:
 steps:
 - name: Detect the generator ref
 id: detect
- uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@d995948e8d53cc639c0d3ef69db31dbc243519c4 # v1.1.1
+ uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@49e648aa7f5f4f88513b6cd54f6b189516184e6b
 # generator builds the generator binary and runs it to generate SLSA
 # provenance.
@@ -100,7 +100,7 @@ jobs:
 packages: write
 steps:
 - name: Generate builder
- uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@1b4ebe8029b40670c71aae9b9c88be486beb6b49
+ uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@49e648aa7f5f4f88513b6cd54f6b189516184e6b
 with:
 repository: "${{ needs.detect-env.outputs.repository }}"
 ref: "${{ needs.detect-env.outputs.ref }}"
From e6a8759f320ef6873f0744116ac30eb08863947e Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Fri, 1 Jul 2022 05:47:28 +0000
Subject: [PATCH 04/24] Avoid OIDC client creation errors on PRs
---
 .github/actions/detect-workflow/main.go | 26 ++++++++++----------
 .github/actions/detect-workflow/main_test.go | 8 ++++--
 2 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/.github/actions/detect-workflow/main.go b/.github/actions/detect-workflow/main.go
index 0a66903452..89e880fb78 100644
--- a/.github/actions/detect-workflow/main.go
+++ b/.github/actions/detect-workflow/main.go
@@ -28,14 +28,14 @@ import (
 )
 type action struct {
- getenv func(string) string
- event map[string]any
- client *github.OIDCClient
+ getenv func(string) string
+ event map[string]any
+ getClient func() (*github.OIDCClient, error)
 }
 // TODO(github.com/slsa-framework/slsa-github-generator/issues/164): use the github context via the shared library
-func newAction(getenv func(string) string, c *github.OIDCClient) (*action, error) {
+func newAction(getenv func(string) string, getClient func() (*github.OIDCClient, error)) (*action, error) {
 eventPath := getenv("GITHUB_EVENT_PATH")
 if eventPath == "" {
 return nil, errors.New("GITHUB_EVENT_PATH not set")
@@ -52,9 +52,9 @@ func newAction(getenv func(string) string, c *github.OIDCClient) (*action, error
 }
 return &action{
- getenv: getenv,
- event: event,
- client: c,
+ getenv: getenv,
+ event: event,
+ getClient: getClient,
 }, nil
 }
@@ -107,7 +107,11 @@ func (a *action) getRepoRef(ctx context.Context) (string, string, error) {
 }
 audience = path.Join(audience, "detect-workflow")
- t, err := a.client.Token(ctx, []string{audience})
+ client, err := a.getClient()
+ if err != nil {
+ return "", "", fmt.Errorf("creating OIDC client: %w", err)
+ }
+ t, err := client.Token(ctx, []string{audience})
 if err != nil {
 return "", "", fmt.Errorf("getting OIDC token: %w", err)
 }
@@ -136,11 +140,7 @@ func (a *action) getRepoRef(ctx context.Context) (string, string, error) {
 }
 func main() {
- c, err := github.NewOIDCClient()
- if err != nil {
- log.Fatal(err)
- }
- a, err := newAction(os.Getenv, c)
+ a, err := newAction(os.Getenv, github.NewOIDCClient)
 if err != nil {
 log.Fatal(err)
 }
diff --git a/.github/actions/detect-workflow/main_test.go b/.github/actions/detect-workflow/main_test.go
index 89950c69a5..7c70b40af9 100644
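Review bot: The new `getClient` field in `action` and the matching `newAction` parameter carry no comment saying why the OIDC client is now constructed on demand instead of in `main`; the commit subject suggests it is so that `newAction` no longer fails in contexts where no OIDC token can be issued (pull requests, presumably), but nothing in the code records that. A field comment such as `// getClient creates the OIDC client lazily so that constructing the action succeeds even where no OIDC token is available; the error surfaces in getRepoRef instead.` would capture the intent — confirm the motivation against the PR discussion before wording it that strongly. Note also that `getRepoRef` now builds a fresh client on every call; if it is only invoked once per run that is fine, but it is worth stating in the same comment. The `getRepoRef` body starts and ends outside the hunk.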
--- a/.github/actions/detect-workflow/main_test.go
+++ b/.github/actions/detect-workflow/main_test.go
@@ -122,7 +122,9 @@ func Test_action_getRepoRef(t *testing.T) {
 }
 return ""
 },
- client: c,
+ getClient: func() (*github.OIDCClient, error) {
+ return c, nil
+ },
 }
 repo, ref, err := a.getRepoRef(context.Background())
@@ -151,7 +153,9 @@ func Test_action_getRepoRef(t *testing.T) {
 }
 return env[k]
 },
- client: c,
+ getClient: func() (*github.OIDCClient, error) {
+ return c, nil
+ },
 event: map[string]any{
 "pull_request": map[string]any{
 "head": map[string]any{
From 1fba8203bf6ff0d003bddf54bb77676965ae6ea9 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Fri, 1 Jul 2022 05:55:52 +0000
Subject: [PATCH 05/24] Add BUILDER_DIR to generic workflow
---
 .github/workflows/generator_generic_slsa3.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml
index eb2764719e..62221e4800 100644
--- a/.github/workflows/generator_generic_slsa3.yml
+++ b/.github/workflows/generator_generic_slsa3.yml
@@ -29,6 +29,8 @@ env:
 VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64
 VERIFIER_RELEASE_BINARY_SHA256: f92fc4e571949c796d7709bb3f0814a733124b0155e484fad095b5ca68b4cb21
 VERIFIER_RELEASE: v1.1.1
+ # Builder location
+ BUILDER_DIR: internal/builders
 on:
 workflow_call:
From a41b963c2cbe5cd784c7b83c0167157709a7aa98 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Fri, 1 Jul 2022 06:21:42 +0000
Subject: [PATCH 06/24] Add BUILDER_DIR
---
 .github/workflows/generator_container_slsa3.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index 2204e98fca..43eba2c39f 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -29,6 +29,8 @@ env:
 VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64
 VERIFIER_RELEASE_BINARY_SHA256: f92fc4e571949c796d7709bb3f0814a733124b0155e484fad095b5ca68b4cb21
 VERIFIER_RELEASE: v1.1.1
+ # Builder location
+ BUILDER_DIR: internal/builders
 on:
 workflow_call:
@@ -107,6 +109,7 @@ jobs:
 go-version: 1.18
 binary: "${{ env.BUILDER_BINARY }}"
 compile-builder: "${{ inputs.compile-generator }}"
+ # NOTE: We are using the generic generator.
 directory: "${{ env.BUILDER_DIR }}/generic"
 # Note: here we need packages permissions
From 894ddf8520e55c5c95a8b3dd064b095252aa00f0 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Fri, 1 Jul 2022 06:59:18 +0000
Subject: [PATCH 07/24] Fix args to builder
---
 .github/workflows/generator_container_slsa3.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index 43eba2c39f..76660b0de2 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -148,7 +148,7 @@ jobs:
 # Generate a predicate only.
 attestation_name="attestation.intoto.jsonl"
 predicate_name="predicate.json"
- ./"$BUILDER_BINARY" attest -g="" --predicate="$predicate_name"
+ ./"$BUILDER_BINARY" attest --signature="" --predicate="$predicate_name"
 # TODO: Set --no-upload if inputs.upload-to-registry is false.
 COSIGN_EXPERIMENTAL=1 cosign attest --predicate="$predicate_name" \
From f4ce48f0b3d72fb3a544aac99c49b94d4ee0282a Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Tue, 5 Jul 2022 01:08:55 +0000
Subject: [PATCH 08/24] Sign the image as well
---
 .github/workflows/generator_container_slsa3.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index 76660b0de2..5eb62456bd 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -150,6 +150,9 @@ jobs:
 predicate_name="predicate.json"
 ./"$BUILDER_BINARY" attest --signature="" --predicate="$predicate_name"
+ # FIXME: is this necessary?
+ COSIGN_EXPERIMENTAL=1 cosign sign "$UNTRUSTED_IMAGE" + + # TODO: Set --no-upload if inputs.upload-to-registry is false.
 COSIGN_EXPERIMENTAL=1 cosign attest --predicate="$predicate_name" \
 --type slsaprovenance \
From 99f70ed2b06f32ed79a9b207a1f089f4b3d938bf Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Tue, 5 Jul 2022 01:33:09 +0000
Subject: [PATCH 09/24] don't sign for now
---
 .github/workflows/generator_container_slsa3.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index 5eb62456bd..9095fc7ca6 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -151,7 +151,7 @@ jobs:
 ./"$BUILDER_BINARY" attest --signature="" --predicate="$predicate_name"
 # FIXME: is this necessary?
- COSIGN_EXPERIMENTAL=1 cosign sign "$UNTRUSTED_IMAGE"
+ # COSIGN_EXPERIMENTAL=1 cosign sign "$UNTRUSTED_IMAGE"
 # TODO: Set --no-upload if inputs.upload-to-registry is false.
 COSIGN_EXPERIMENTAL=1 cosign attest --predicate="$predicate_name" \
From d37c7e243b73ffa757ed5e77576869574b3349bc Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Tue, 5 Jul 2022 02:15:57 +0000
Subject: [PATCH 10/24] Updates to inputs and domain parsing
---
 .../workflows/generator_container_slsa3.yml | 44 ++++---------------
 1 file changed, 8 insertions(+), 36 deletions(-)
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index 9095fc7ca6..dde37294fe 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -37,7 +37,7 @@ on:
 secrets:
 registry-password:
 description: "Password to log in the container registry."
- required: false # NOTE: This is actually required right now.
+ required: true
 inputs:
 image:
 description: "The OCI image name."
@@ -45,23 +45,13 @@ on:
 type: string
 registry-username:
 description: "Username to log into the container registry."
- required: false # NOTE: This is actually required right now.
+ required: true
 type: string
- # FIXME: support not uploading to registry.
- # upload-to-registry:
- # description: "If true the provenance is pushed to the container registry."
- # required: false
- # type: boolean
- # default: true
 compile-generator:
 description: "Build the generator from source. This increases build time by ~2m."
 required: false
 type: boolean
 default: false
- outputs:
- attestation-name:
- description: "The artifact name of the signed provenance"
- value: ${{ jobs.generator.outputs.attestation-name }}
 jobs:
 # detect-env detects the reusable workflow's repository and ref for use later
@@ -88,9 +78,6 @@ jobs:
 # with the release at the ref detected by `detect-env`. This must be a tag
 # reference.
 generator:
- outputs:
- attestation-name: ${{ steps.sign-prov.outputs.attestation-name }}
- attestation-sha256: ${{ steps.sign-prov.outputs.attestation-sha256 }}
 runs-on: ubuntu-latest
 needs: [detect-env]
 permissions:
@@ -122,10 +109,12 @@ jobs:
 run: |
 set -euo pipefail
+ # NOTE: Some docker images are of the form /
+ # Here we get the first part and check if it has a '.' or ':'
+ # character in it to see if it's a domain name.
+ # See: https://stackoverflow.com/questions/37861791/how-are-docker-image-names-parsed#37867949
 untrusted_registry="docker.io"
-
- # HACK: Need to figure out a better way to do this.
- maybe_domain=$(echo "$UNTRUSTED_IMAGE" | cut -f1 -d "/" | grep "\.")
+ maybe_domain=$(echo "$UNTRUSTED_IMAGE" | cut -f1 -d "/" | grep -E "\.|:")
 if [ "$maybe_domain" != "" ]; then
 untrusted_registry="$maybe_domain"
 fi
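Review bot: The registry heuristic in the `@@ -122,10 +109,12 @@` hunk takes the first `/`-separated component with `cut -f1 -d "/"`, so a reference with no `/` at all is returned whole, and if that single component contains a `:` (a bare `name:tag`, for instance) it is then treated as a registry host and passed to `cosign login`. Docker's rule, which the new NOTE comment links to, only treats the first component as a host when a `/` follows it, and it also accepts the literal `localhost`, which the `\.|:` pattern misses. Guarding on the slash and folding in the match-failure fix covers both: `if [[ "$UNTRUSTED_IMAGE" == */* ]]; then maybe_domain=$(echo "$UNTRUSTED_IMAGE" | cut -f1 -d "/" | grep -E "\.|:|^localhost$" || true); fi`. The comment itself appears to have lost its placeholder text (`of the form /`) in this rendering; confirm the source file still spells out the two components.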
@@ -136,9 +125,6 @@ jobs:
 - name: Create and sign provenance
 id: sign-prov
 shell: bash
- # NOTE: Inputs and github context are set to environment variables in
- # order to avoid script injection.
- # See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
 env:
 UNTRUSTED_IMAGE: "${{ inputs.image }}"
 GITHUB_CONTEXT: "${{ toJSON(github) }}"
@@ -146,24 +132,10 @@ jobs:
 set -euo pipefail
 # Generate a predicate only.
- attestation_name="attestation.intoto.jsonl"
 predicate_name="predicate.json"
 ./"$BUILDER_BINARY" attest --signature="" --predicate="$predicate_name"
- # FIXME: is this necessary?
- # COSIGN_EXPERIMENTAL=1 cosign sign "$UNTRUSTED_IMAGE"
-
- # TODO: Set --no-upload if inputs.upload-to-registry is false.
 COSIGN_EXPERIMENTAL=1 cosign attest --predicate="$predicate_name" \
 --type slsaprovenance \
 --force \
- "$UNTRUSTED_IMAGE" >"$attestation_name"
- echo "::set-output name=attestation-name::$attestation_name"
-
- - name: Upload the signed provenance
- uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
- with:
- name: "${{ steps.sign-prov.outputs.attestation-name }}"
- path: "${{ steps.sign-prov.outputs.attestation-name }}"
- if-no-files-found: error
- retention-days: 5
+ "$UNTRUSTED_IMAGE"
From 9b4cf527098d47ec9da93c57fb51402ee5701a07 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Tue, 5 Jul 2022 03:22:26 +0000
Subject: [PATCH 11/24] Add basic usage docs for container workflow
---
 internal/builders/container/README.md | 261 ++++++++++++++++++++++++++
 1 file changed, 261 insertions(+)
 create mode 100644 internal/builders/container/README.md
diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
new file mode 100644
index 0000000000..08a25ee6e7
--- /dev/null
+++ b/internal/builders/container/README.md
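Review bot: The three-line NOTE removed from the "Create and sign provenance" step was the only place that explained why `UNTRUSTED_IMAGE` and `GITHUB_CONTEXT` are routed through `env:` rather than expanded inside `run:`, and that pattern is still in force on the lines that remain. Keep the comment, or at least a one-liner such as `# NOTE: inputs and the github context go through env vars to avoid script injection; see the Actions security-hardening guide.`, so a later edit does not inline `${{ inputs.image }}` into the script. The `@@ -146,24 +132,10 @@` hunk below also drops the artifact upload, so the signed provenance is now only retrievable from the registry; if that is intentional it belongs in the workflow's top-level comment, since callers previously had an `attestation-name` output to consume.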
@@ -0,0 +1,261 @@
+# Generation of SLSA3+ provenance for container images
+
+This document explains how to generate SLSA provenance for container images.
+
+This can be done by adding an additional step to your existing Github Actions
+workflow to call a [reusable
+workflow](https://docs.github.com/en/actions/using-workflows/reusing-workflows)
+to generate generic SLSA provenance. We'll call this workflow the "container
+workflow" from now on.
+
+The container workflow differs from ecosystem specific builders (like the [Go
+builder](../go)) which build the artifacts as well as generate provenance. This
+project simply generates provenance as a separate step in an existing workflow.
+
+---
+
+- [Project Status](#project-status)
+- [Benefits of Provenance](#benefits-of-provenance)
+- [Generating Provenance](#generating-provenance)
+ - [Getting Started](#getting-started)
+ - [Supported Triggers](#supported-triggers)
+ - [Workflow Inputs](#workflow-inputs)
+ - [Workflow Outputs](#workflow-outputs)
+ - [Provenance Format](#provenance-format)
+ - [Provenance Example](#provenance-example)
+
+---
+
+## Project Status
+
+This workflow is currently under active development. The API could change while
+approaching an initial release.
+
+## Benefits of Provenance
+
+Using the generic workflow will generate a non-forgeable attestation to the
+container image using the identity of the GitHub workflow. This can be used
+to create a positive attestation to a container image coming from your
+repository.
+
+That means that once your users verify the image they have downloaded they
+can be sure that the image was created by your repository's workflow and
+hasn't been tampered with.
+
+## Generating Provenance
+
+The container workflow uses a Github Actions reusable workflow to generate the
+provenance.
+
+### Getting Started
+
+To get started, you will need to add some steps to your current workflow. We
+will assume you have an existing Github Actions workflow to build your project.
+
+```yaml
+provenance:
+ needs: [build]
+ permissions:
+ actions: read
+ id-token: write
+ contents: read
+ packages: write
+ if: startsWith(github.ref, 'refs/tags/')
+ # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Use a tagged release once we have one.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@main
+ with:
+ image: ${{ needs.build.outputs.tag }}
+ registry-username: ${{ github.actor }}
+ # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
+ compile-generator: true
+ secrets:
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
+```
+
+Here's an example of what it might look like all together.
+
+```yaml
+jobs:
+ # This step builds our image, pushes it, and outputs the repo hash digest.
+ build:
+ permissions:
+ contents: read
+ packages: write
+ outputs:
+ tag: ${{ steps.hash.outputs.tag }}
+ sha: ${{ steps.hash.outputs.sha }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout the repository
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.3.4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # v2.0.0
+
+ - name: Authenticate Docker
+ uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # v2.0.0
+ with:
+ registry: ${{ env.IMAGE_REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # v4.0.1
+ with:
+ images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # v3.0.0
+ id: build
+ with:
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Output digest
+ id: hash
+ env:
+ IMAGE_TAGS: ${{ steps.meta.outputs.tags }}
+ SHA: ${{ steps.build.outputs.digest }}
+ run: |
+ # sha output of docker/build-push-action is of the form 'sha256:'
+ sha=$(echo $SHA | cut -d':' -f2)
+ # docker/build-push-action outputs multiple tags including latest.
+ # It seems to put latest at the end of the list.
+ tag=$(echo "$IMAGE_TAGS" | head -n1)
+ echo "::set-output name=tag::$tag"
+ echo "::set-output name=sha::$sha"
+
+ # This step calls the container workflow to generate provenance and push it to
+ # the container registry.
+ provenance:
+ needs: [build]
+ permissions:
+ actions: read
+ id-token: write
+ contents: read
+ packages: write
+ if: startsWith(github.ref, 'refs/tags/')
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@main
+ with:
+ # XXX: should this use the sha instead of the tag?
+ image: ${{ needs.build.outputs.tag }}
+ registry-username: ${{ github.actor }}
+ # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
+ compile-generator: true
+ secrets:
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
+```
+
+### Supported Triggers
+
+The following [GitHub trigger events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows) are fully supported and tested:
+
+- `schedule`
+- `push` (including new tags)
+- `release`
+- Manual run via `workflow_dispatch`
+
+However, in practice, most triggers should work with the exception of
+`pull_request`. If you would like support for `pull_request`, please tell us
+about your use case on [issue #358](https://github.com/slsa-framework/slsa-github-generator/issues/358). If
+you have an issue in all other triggers please submit a [new
+issue](https://github.com/slsa-framework/slsa-github-generator/issues/new/choose).
+
+### Workflow Inputs
+
+The [container workflow](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_container_slsa3.yml) accepts the following inputs:
+
+Inputs:
+
+| Name | Required | Description |
+| ------------------- | -------- | ------------------------------------------------------------------ |
+| `image` | yes | The OCI image name. |
+| `registry-username` | yes | Username to log into the container registry. |
+| `compile-generator` | false | Build the generator from source. This increases build time by ~2m. |
+
+Secrets:
+
+| Name | Required | Description |
+| ------------------- | -------- | ------------------------------------------ |
+| `registry-password` | yes | Password to log in the container registry. |
+
+### Provenance Format
+
+The project generates SLSA provenance with the following values.
+
+| Name | Value | Description |
+| ---------------------------- | -------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `buildType` | `"https://github.com/slsa-framework/slsa-github-generator@v1"` | Identifies a generic GitHub Actions build. |
+| `metadata.buildInvocationID` | `"[run_id]-[run_attempt]"` | The GitHub Actions [`run_id`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context) does not update when a workflow is re-run. Run attempt is added to make the build invocation ID unique. |
+
+### Provenance Example
+
+The following is an example of the generated proveanance. Provenance is
+generated as an [in-toto](https://in-toto.io/) statement with a SLSA predicate.
+
+```json
+{
+ "_type": "https://in-toto.io/Statement/v0.1",
+ "predicateType": "https://slsa.dev/provenance/v0.2",
+ "subject": [
+ {
+ "name": "ghcr.io/ianlewis/actions-test",
+ "digest": {
+ "sha256": "8ae83e5b11e4cc8257f5f4d1023081ba1c72e8e60e8ed6cacd0d53a4ca2d142b"
+ }
+ },
+ ],
+ "predicate": {
+ "builder": {
+ "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.1.1"
+ },
+ "buildType": "https://github.com/slsa-framework/slsa-github-generator@v1",
+ "invocation": {
+ "configSource": {
+ "uri": "git+https://github.com/ianlewis/actions-test@refs/heads/main.git",
+ "digest": {
+ "sha1": "e491e4b2ce5bc76fb103729b61b04d3c46d8a192"
+ },
+ "entryPoint": ".github/workflows/generic-container.yml"
+ },
+ "parameters": {},
+ "environment": {
+ "github_actor": "ianlewis",
+ "github_actor_id": "49289",
+ "github_base_ref": "",
+ "github_event_name": "push",
+ "github_event_payload": {...},
+ "github_head_ref": "",
+ "github_ref": "refs/tags/v0.0.9",
+ "github_ref_type": "tag",
+ "github_repository_id": "474793590",
+ "github_repository_owner": "ianlewis",
+ "github_repository_owner_id": "49289",
+ "github_run_attempt": "1",
+ "github_run_id": "2556669934",
+ "github_run_number": "12",
+ "github_sha1": "e491e4b2ce5bc76fb103729b61b04d3c46d8a192"
+ }
+ },
+ "metadata": {
+ "buildInvocationID": "2556669934-1",
+ "completeness": {
+ "parameters": true,
+ "environment": false,
+ "materials": false
+ },
+ "reproducible": false
+ },
+ "materials": [
+ {
+ "uri": "git+https://github.com/ianlewis/actions-test@refs/tags/v0.0.9",
+ "digest": {
+ "sha1": "e491e4b2ce5bc76fb103729b61b04d3c46d8a192"
+ }
+ }
+ ]
+ }
+}
+```
From 8b548af664d224cff38571a787185f7d1bb4270c Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Wed, 6 Jul 2022 00:15:50 +0000
Subject: [PATCH 12/24] docs fixes
---
 internal/builders/container/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index 08a25ee6e7..e034ff6050 100644
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -33,7 +33,7 @@ approaching an initial release.
 ## Benefits of Provenance
-Using the generic workflow will generate a non-forgeable attestation to the
+Using the container workflow will generate a non-forgeable attestation to the
 container image using the identity of the GitHub workflow. This can be used
 to create a positive attestation to a container image coming from your
 repository.
@@ -209,7 +209,7 @@ generated as an [in-toto](https://in-toto.io/) statement with a SLSA predicate.
 ],
 "predicate": {
 "builder": {
- "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.1.1"
+ "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.1.1"
 },
 "buildType": "https://github.com/slsa-framework/slsa-github-generator@v1",
 "invocation": {
From 7276289fe50efea3d7096e781b474eb083ca9f07 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Wed, 6 Jul 2022 01:24:15 +0000
Subject: [PATCH 13/24] Update example to use the image digest
---
 internal/builders/container/README.md | 26 +++++++++++--------------
 1 file changed, 11 insertions(+), 15 deletions(-)
diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index e034ff6050..37dfdcfa4e 100644
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -82,8 +82,7 @@ jobs:
 contents: read
 packages: write
 outputs:
- tag: ${{ steps.hash.outputs.tag }}
- sha: ${{ steps.hash.outputs.sha }}
+ image-and-digest: ${{ steps.digest.outputs.image }}
 runs-on: ubuntu-latest
 steps:
 - name: Checkout the repository
@@ -113,19 +112,17 @@ jobs:
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
- - name: Output digest
- id: hash
+ - name: Output image and digest
+ id: digest
 env:
- IMAGE_TAGS: ${{ steps.meta.outputs.tags }}
- SHA: ${{ steps.build.outputs.digest }}
+ DIGEST: ${{ steps.build.outputs.digest }}
 run: |
- # sha output of docker/build-push-action is of the form 'sha256:'
- sha=$(echo $SHA | cut -d':' -f2)
- # docker/build-push-action outputs multiple tags including latest.
- # It seems to put latest at the end of the list.
- tag=$(echo "$IMAGE_TAGS" | head -n1)
- echo "::set-output name=tag::$tag"
- echo "::set-output name=sha::$sha"
+ # NOTE: We need to use the image and digest in order to make sure
+ # that the image we attest has not been modified.
+ # NOTE: The digest output from docker/build-push-action is of the
+ # form "sha256:"
+ image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}@${DIGEST}"
+ echo "::set-output name=image::$image_name"
 # This step calls the container workflow to generate provenance and push it to
 # the container registry.
@@ -139,8 +136,7 @@ jobs:
 if: startsWith(github.ref, 'refs/tags/')
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@main
 with:
- # XXX: should this use the sha instead of the tag?
- image: ${{ needs.build.outputs.tag }}
+ image: ${{ needs.build.outputs.image-and-digest }}
 registry-username: ${{ github.actor }}
 # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
 compile-generator: true
From ed01d20b5c955171cb3d112006d9b40153c0c4b6 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Wed, 6 Jul 2022 01:32:46 +0000
Subject: [PATCH 14/24] Add a separate digest input
---
 .github/workflows/generator_container_slsa3.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index dde37294fe..270602ca13 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -40,7 +40,11 @@ on:
 required: true
 inputs:
 image:
- description: "The OCI image name."
+ description: "The OCI image name. This must not include a tag or digest."
+ required: true
+ type: string
+ digest:
+ description: "The OCI image digest. The image digest of the form ':' (e.g. 'sha256:abcdef...')"
 required: true
 type: string
 registry-username:
@@ -127,6 +131,7 @@ jobs:
 shell: bash
 env:
 UNTRUSTED_IMAGE: "${{ inputs.image }}"
+ UNTRUSTED_DIGEST: "${{ inputs.digest }}"
 GITHUB_CONTEXT: "${{ toJSON(github) }}"
 run: |
 set -euo pipefail
@@ -138,4 +143,4 @@ jobs:
 COSIGN_EXPERIMENTAL=1 cosign attest --predicate="$predicate_name" \
 --type slsaprovenance \
 --force \
- "$UNTRUSTED_IMAGE"
+ "${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"
From a15cb3d2c1b409a960c4a5bd4db9ec5e64e5f911 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Wed, 6 Jul 2022 02:36:57 +0000
Subject: [PATCH 15/24] Add digest input to docs
---
 internal/builders/container/README.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index 37dfdcfa4e..f6f4f1eccf 100644
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -20,7 +20,6 @@ project simply generates provenance as a separate step in an existing workflow.
 - [Getting Started](#getting-started)
 - [Supported Triggers](#supported-triggers)
 - [Workflow Inputs](#workflow-inputs)
- - [Workflow Outputs](#workflow-outputs)
 - [Provenance Format](#provenance-format)
 - [Provenance Example](#provenance-example)
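Review bot: In the last hunk `UNTRUSTED_DIGEST` is spliced into the reference handed to `cosign attest` with no format check, so a caller-supplied value that is not a digest (a tag, an empty string, or anything with shell-significant characters) reaches cosign as-is, and the new `image` description says the name must not include a tag or digest but nothing in the script enforces that either. Since the step already runs under `set -euo pipefail`, a guard right after the inputs are read would keep the attested reference well-formed, e.g. `if ! [[ "$UNTRUSTED_DIGEST" =~ ^sha256:[a-f0-9]{64}$ ]]; then echo "invalid digest format" >&2; exit 1; fi` (extend the pattern if other algorithms are meant to be accepted), with a matching rejection of an `image` value containing `@` or a `:tag`. The `digest` description's `of the form ':'` also looks like it lost its placeholder text and should spell out the expected `algorithm:hex` shape. The `run:` script these hunks touch starts and ends outside them.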
@@ -165,11 +164,12 @@ The [container workflow](https://github.com/slsa-framework/slsa-github-generator
 Inputs:
-| Name | Required | Description |
-| ------------------- | -------- | ------------------------------------------------------------------ |
-| `image` | yes | The OCI image name. |
-| `registry-username` | yes | Username to log into the container registry. |
-| `compile-generator` | false | Build the generator from source. This increases build time by ~2m. |
+| Name | Required | Description |
+| ------------------- | -------- | --------------------------------------------------------------------------------------------------- |
+| `image` | yes | The OCI image name. This must not include a tag or digest. |
+| `digest` | yes | The OCI image digest. The image digest of the form ':' (e.g. 'sha256:abcdef...') |
+| `registry-username` | yes | Username to log into the container registry. |
+| `compile-generator` | false | Build the generator from source. This increases build time by ~2m. |
 Secrets:
From 05e7f7b9c407fa6b81f5a27a23c3d2fb11eb44fe Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Thu, 7 Jul 2022 12:48:45 +0900
Subject: [PATCH 16/24] Update internal/builders/container/README.md
Co-authored-by: Joshua Lock
---
 internal/builders/container/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index f6f4f1eccf..2c3be32d3e 100644
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -169,7 +169,7 @@ Inputs:
 | `image` | yes | The OCI image name. This must not include a tag or digest. |
 | `digest` | yes | The OCI image digest. The image digest of the form ':' (e.g. 'sha256:abcdef...') |
 | `registry-username` | yes | Username to log into the container registry. |
-| `compile-generator` | false | Build the generator from source. This increases build time by ~2m. |
+| `compile-generator` | false | Whether to build the generator from source. This increases build time by ~2m. |
 Secrets:
From 0cf0b4995a45f6f9b06ec09f648fec8975d119c5 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Thu, 7 Jul 2022 03:57:22 +0000
Subject: [PATCH 17/24] Update comments
---
 .github/workflows/generator_container_slsa3.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index 270602ca13..c5a5945a97 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -85,11 +85,13 @@ jobs:
 runs-on: ubuntu-latest
 needs: [detect-env]
 permissions:
- id-token: write # Needed for keyless.
+ # id-token:write is needed to create an OCID token for keyless signing.
+ id-token: write
 contents: read
 # actions permissions are needed to read info on the workflow and
 # workflow run.
 actions: read
+ # packages:write permissions are needed to login and upload attestations.
 packages: write
 steps:
 - name: Generate builder
@@ -103,7 +105,6 @@ jobs:
 # NOTE: We are using the generic generator.
 directory: "${{ env.BUILDER_DIR }}/generic"
- # Note: here we need packages permissions
 - uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25 # v2.4.0
 - name: Login
 env:
From a4a692241141e4fe18c1863c5b2f13bed92ac024 Mon Sep 17 00:00:00 2001
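Review bot: The new comment `# id-token:write is needed to create an OCID token for keyless signing.` misnames the credential; the `id-token` permission mints an OIDC (OpenID Connect) token, so it should read `# id-token:write is needed to create an OIDC token for keyless signing.`. The same spelling is repeated in the README hunks of patch 21 (`for creating OCID tokens for signing.`) and would be worth fixing together so the docs and the workflow agree on the term a reader will search for.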
From: Ian Lewis
Date: Thu, 7 Jul 2022 03:57:44 +0000
Subject: [PATCH 18/24] comment out contents:read to test
---
 .github/workflows/generator_container_slsa3.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index c5a5945a97..6fc0fab484 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -87,7 +87,7 @@ jobs:
 permissions:
 # id-token:write is needed to create an OCID token for keyless signing.
 id-token: write
- contents: read
+ # contents: read
 # actions permissions are needed to read info on the workflow and
 # workflow run.
 actions: read
From a7c38dcb2e634adc8f25315620e0b543e9aaa8c7 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Thu, 7 Jul 2022 03:59:01 +0000
Subject: [PATCH 19/24] comment out contents:read to test
---
 .github/workflows/generator_container_slsa3.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index 6fc0fab484..9e0f0b8e8b 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -14,8 +14,8 @@ name: SLSA container image provenance
-permissions:
- contents: read
+# permissions:
+# contents: read
 env:
 # Generator
From 160b3204fc6332e6d8e588c722b95c6e1dd494cf Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Thu, 7 Jul 2022 04:30:55 +0000
Subject: [PATCH 20/24] remove contents:read permissions
---
 .github/workflows/generator_container_slsa3.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index 9e0f0b8e8b..5dfaf039fc 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -14,9 +14,6 @@ name: SLSA container image provenance
-# permissions:
-# contents: read
-
 env:
 # Generator
 BUILDER_BINARY: generic-generator
@@ -87,7 +84,6 @@ jobs:
 permissions:
 # id-token:write is needed to create an OCID token for keyless signing.
 id-token: write
- # contents: read
 # actions permissions are needed to read info on the workflow and
 # workflow run.
 actions: read
From c12b0a3d0ad1ece50b29c4549048cb73e0f97a6d Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Thu, 7 Jul 2022 04:32:52 +0000
Subject: [PATCH 21/24] remove contents:read from docs
---
 internal/builders/container/README.md | 16 +++++++--------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index 2c3be32d3e..d18f30fb17 100644
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -55,10 +55,9 @@ will assume you have an existing Github Actions workflow to build your project.
 provenance:
 needs: [build]
 permissions:
- actions: read
- id-token: write
- contents: read
- packages: write
+ actions: read # for detecting the Github Actions environment.
+ id-token: write # for creating OCID tokens for signing.
+ packages: write # for uploading attestations.
 if: startsWith(github.ref, 'refs/tags/')
 # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Use a tagged release once we have one.
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@main
@@ -128,10 +127,9 @@ jobs:
 provenance:
 needs: [build]
 permissions:
- actions: read
- id-token: write
- contents: read
- packages: write
+ actions: read # for detecting the Github Actions environment.
+ id-token: write # for creating OCID tokens for signing.
+ packages: write # for uploading attestations.
 if: startsWith(github.ref, 'refs/tags/')
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@main
 with:
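Review bot: Dropping the workflow-level `permissions:` block in the first hunk (patch 19 had already commented it out) means any job in this reusable workflow that does not declare its own `permissions:` now inherits whatever token permissions the caller grants instead of being capped at `contents: read`. The job at line 84 keeps an explicit block, but `detect-env` (named in the `needs:` of patch 17) and any other job are outside these hunks, so I cannot confirm they all declare one. If `contents: read` is genuinely not needed, the safer form is to keep an explicit empty cap, `permissions: {}`, at the top level so every job starts from nothing and opts in. The job-level removal in the second hunk is fine on its own, as that job lists `id-token`, `actions` and `packages` explicitly.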
@@ -169,7 +167,7 @@ Inputs:
 | `image` | yes | The OCI image name. This must not include a tag or digest. |
 | `digest` | yes | The OCI image digest. The image digest of the form ':' (e.g. 'sha256:abcdef...') |
 | `registry-username` | yes | Username to log into the container registry. |
-| `compile-generator` | false | Whether to build the generator from source. This increases build time by ~2m. |
+| `compile-generator` | false | Whether to build the generator from source. This increases build time by ~2m. |
 Secrets:
From cb48241e96221142f0d55ba2b18698f6c82b1fa9 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Sun, 10 Jul 2022 23:42:10 +0000
Subject: [PATCH 22/24] Fix repository domain check
---
 .github/workflows/generator_container_slsa3.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index 5dfaf039fc..4d8989cdab 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -115,7 +115,8 @@ jobs:
 # character in it to see if it's a domain name.
 # See: https://stackoverflow.com/questions/37861791/how-are-docker-image-names-parsed#37867949
 untrusted_registry="docker.io"
- maybe_domain=$(echo "$UNTRUSTED_IMAGE" | cut -f1 -d "/" | grep -E "\.|:")
+ # NOTE: Do not fail the script if grep does not match.
+ maybe_domain=$(echo "$UNTRUSTED_IMAGE" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
 if [ "$maybe_domain" != "" ]; then
 untrusted_registry="$maybe_domain"
 fi
From 493a82a770c6ff3618d0c3af2d2f15f7f3d90f8d Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Mon, 11 Jul 2022 00:15:47 +0000
Subject: [PATCH 23/24] Update docs
---
 internal/builders/container/README.md | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index d18f30fb17..587c5110fa 100644
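Review bot: The new `maybe_domain=` line still misses the `localhost` case of the Docker rule the comment above it cites: Docker treats the first path component as a registry when it contains `.` or `:` or is exactly `localhost`, so an image like `localhost/foo` would fall through to `untrusted_registry="docker.io"` and the later login would go to the wrong registry. Extending the pattern covers it: `maybe_domain=$(printf '%s\n' "$UNTRUSTED_IMAGE" | cut -f1 -d "/" | { grep -E "\.|:|^localhost$" || true; })`, which also replaces `echo` with `printf` so an untrusted value that happens to begin with `-` is not parsed as an echo option. The `run:` script this line belongs to starts and ends outside the hunk.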
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -73,6 +73,10 @@ provenance:
 Here's an example of what it might look like all together.
 ```yaml
+env:
+ IMAGE_REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
 jobs:
 # This step builds our image, pushes it, and outputs the repo hash digest.
 build:
@@ -80,7 +84,7 @@ jobs:
 contents: read
 packages: write
 outputs:
- image-and-digest: ${{ steps.digest.outputs.image }}
+ image: ${{ steps.image.outputs.image }}
 runs-on: ubuntu-latest
 steps:
 - name: Checkout the repository
@@ -110,16 +114,12 @@ jobs:
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
- - name: Output image and digest
- id: digest
- env:
- DIGEST: ${{ steps.build.outputs.digest }}
+ - name: Output image
+ id: image
 run: |
- # NOTE: We need to use the image and digest in order to make sure
- # that the image we attest has not been modified.
- # NOTE: The digest output from docker/build-push-action is of the
- # form "sha256:"
- image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}@${DIGEST}"
+ # NOTE: Set the image as an output because the `env` context is not
+ # available to the inputs of a reusable workflow call.
+ image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
 echo "::set-output name=image::$image_name"
 # This step calls the container workflow to generate provenance and push it to
@@ -133,7 +133,7 @@ jobs:
 if: startsWith(github.ref, 'refs/tags/')
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@main
 with:
- image: ${{ needs.build.outputs.image-and-digest }}
+ image: ${{ needs.build.outputs.image }}
 registry-username: ${{ github.actor }}
 # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
 compile-generator: true
From d0c9e91190220cef4b2ff282ff5f3b8467316da2 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Mon, 11 Jul 2022 00:20:07 +0000
Subject: [PATCH 24/24] fix whitespace
---
 internal/builders/container/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index 587c5110fa..05094e4eaf 100644
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -117,7 +117,7 @@ jobs:
 - name: Output image
 id: image
 run: |
- # NOTE: Set the image as an output because the `env` context is not
+ # NOTE: Set the image as an output because the `env` context is not
 # available to the inputs of a reusable workflow call.
 image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
 echo "::set-output name=image::$image_name"