
new GHA build provenance

Signed-off-by: Brian DeHamer <bdehamer@github.com>
pull/1745/head
Brian DeHamer 2024-06-05 14:36:23 -07:00
parent c6b487124a
commit 73100a7f85
No known key found for this signature in database
6 changed files with 12 additions and 9 deletions


@ -3,6 +3,7 @@
### 1.3.0 ### 1.3.0
- Dynamic construction of Sigstore API URLs - Dynamic construction of Sigstore API URLs
- Switch to new GH provenance build type
- Bump @sigstore/bundle from 2.3.0 to 2.3.2 - Bump @sigstore/bundle from 2.3.0 to 2.3.2
- Bump @sigstore/sign from 2.3.0 to 2.3.2 - Bump @sigstore/sign from 2.3.0 to 2.3.2


@ -4,7 +4,7 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance
{ {
"params": { "params": {
"buildDefinition": { "buildDefinition": {
"buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1", "buildType": "https://actions.github.io/buildtypes/workflow/v1",
"externalParameters": { "externalParameters": {
"workflow": { "workflow": {
"path": ".github/workflows/main.yml", "path": ".github/workflows/main.yml",
@ -17,6 +17,7 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance
"event_name": "push", "event_name": "push",
"repository_id": "repo-id", "repository_id": "repo-id",
"repository_owner_id": "owner-id", "repository_owner_id": "owner-id",
"runner_environment": "github-hosted",
}, },
}, },
"resolvedDependencies": [ "resolvedDependencies": [
@ -30,7 +31,7 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance
}, },
"runDetails": { "runDetails": {
"builder": { "builder": {
"id": "https://github.com/actions/runner/github-hosted", "id": "https://github.com/owner/workflows/.github/workflows/publish.yml@main",
}, },
"metadata": { "metadata": {
"invocationId": "https://github.com/owner/repo/actions/runs/run-id/attempts/run-attempt", "invocationId": "https://github.com/owner/repo/actions/runs/run-id/attempts/run-attempt",


@ -45,7 +45,8 @@ describe('getIDTokenClaims', () => {
sha: 'sha', sha: 'sha',
repository: 'repo', repository: 'repo',
event_name: 'push', event_name: 'push',
workflow_ref: 'main', job_workflow_ref: 'job_workflow_ref',
workflow_ref: 'workflow',
repository_id: '1', repository_id: '1',
repository_owner_id: '1', repository_owner_id: '1',
runner_environment: 'github-hosted', runner_environment: 'github-hosted',


@ -23,6 +23,7 @@ describe('provenance functions', () => {
repository: 'owner/repo', repository: 'owner/repo',
ref: 'refs/heads/main', ref: 'refs/heads/main',
sha: 'babca52ab0c93ae16539e5923cb0d7403b9a093b', sha: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
job_workflow_ref: 'owner/workflows/.github/workflows/publish.yml@main',
workflow_ref: 'owner/repo/.github/workflows/main.yml@main', workflow_ref: 'owner/repo/.github/workflows/main.yml@main',
event_name: 'push', event_name: 'push',
repository_id: 'repo-id', repository_id: 'repo-id',


@ -11,6 +11,7 @@ const REQUIRED_CLAIMS = [
'sha', 'sha',
'repository', 'repository',
'event_name', 'event_name',
'job_workflow_ref',
'workflow_ref', 'workflow_ref',
'repository_id', 'repository_id',
'repository_owner_id', 'repository_owner_id',
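Review bot: The new `'job_workflow_ref'` entry in REQUIRED_CLAIMS has no comment saying why it is now mandatory, and it is the one claim here whose absence is not just a data gap but a broken builder identity in the provenance. I would annotate it: `// job_workflow_ref names the (possibly reusable) workflow that ran the job; it becomes builder.id in the SLSA predicate, so a token without it must be rejected`. How the list is enforced is outside this hunk, so this assumes the consumer fails closed on a missing claim rather than emitting `undefined` into the predicate.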


@ -3,10 +3,7 @@ import {getIDTokenClaims} from './oidc'
import type {Attestation, Predicate} from './shared.types' import type {Attestation, Predicate} from './shared.types'
const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1' const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1'
const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1'
const GITHUB_BUILDER_ID_PREFIX = 'https://github.com/actions/runner'
const GITHUB_BUILD_TYPE =
'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1'
const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com' const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com'
@ -55,7 +52,8 @@ export const buildSLSAProvenancePredicate = async (
github: { github: {
event_name: claims.event_name, event_name: claims.event_name,
repository_id: claims.repository_id, repository_id: claims.repository_id,
repository_owner_id: claims.repository_owner_id repository_owner_id: claims.repository_owner_id,
runner_environment: claims.runner_environment
} }
}, },
resolvedDependencies: [ resolvedDependencies: [
@ -69,7 +67,7 @@ export const buildSLSAProvenancePredicate = async (
}, },
runDetails: { runDetails: {
builder: { builder: {
id: `${GITHUB_BUILDER_ID_PREFIX}/${claims.runner_environment}` id: `${serverURL}/${claims.job_workflow_ref}`
}, },
metadata: { metadata: {
invocationId: `${serverURL}/${claims.repository}/actions/runs/${claims.run_id}/attempts/${claims.run_attempt}` invocationId: `${serverURL}/${claims.repository}/actions/runs/${claims.run_id}/attempts/${claims.run_attempt}`
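Review bot: The builder id on the new side is `${serverURL}/${claims.job_workflow_ref}`, whose trailing `@ref` is a mutable branch or tag name (the test fixture uses `@main`), so the recorded builder identity can point at different workflow code over time while the id string stays the same. If the token also carries the commit-pinned `job_workflow_sha` claim (not visible in this diff; confirm against the OIDC claim set), it should be captured alongside, for example as a `resolvedDependencies` entry with the workflow's URI and a `gitCommit` digest, so verifiers can bind the builder to an exact revision. The change also drops `runner_environment` from the builder id and moves it into the `github` parameter block; a verifier that previously matched on the `/github-hosted` suffix must now inspect that field instead, which deserves a comment at the `builder` assignment such as `// builder.id is the workflow ref per the actions.github.io/buildtypes/workflow/v1 spec; runner_environment lives in internalParameters.github`. `serverURL` and the start and end of `buildSLSAProvenancePredicate` are outside this hunk.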