From bcd14b2afe509440fee1bc1efc411b410674d084 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 26 Jan 2023 23:08:20 +0000 Subject: [PATCH 01/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 135 +++++++++++++++++++++++++++++++ internal/sbom-wrapper/action.yml | 73 +++++++++++++++++ 2 files changed, 208 insertions(+) create mode 100644 .github/workflows/slsa3.yml create mode 100644 internal/sbom-wrapper/action.yml diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml new file mode 100644 index 00000000..7c562cf5 --- /dev/null +++ b/.github/workflows/slsa3.yml 
@@ -0,0 +1,135 @@ +name: Anchor SLSA3 SBOM builder + +permissions: + contents: read + +defaults: + run: + shell: bash + +on: + workflow_call: + + secrets: + registry-password: + required: false + description: "The registry password" + + github-token: + description: "Authorized secret GitHub Personal Access Token. Defaults to github.token" + required: false + default: ${{ github.token }} + + path: + required: false + description: "A path to a directory on the filesystem to scan" + default: "." + + file: + required: false + description: "A file on the filesystem to scan" + + image: + required: false + description: "A container image to scan" + + registry-username: + required: false + description: "The registry username" + + format: + required: false + description: "The SBOM format to export" + default: "spdx-json" + + artifact-name: + description: "The name to use for the SBOM file generated by this action" + required: false + + output-file: + required: false + description: "A file location to output the SBOM" + + syft-version: + required: false + description: "The version of Syft to use" + + dependency-snapshot: + required: false + description: "Upload to GitHub dependency snapshot API" + default: "false" + + upload-artifact: + required: false + description: "Upload artifact to workflow" + default: "true" + + upload-release-assets: + required: false + description: "Upload release assets" + default: "true" + + private-repository: + description: "TODO" + required: false + type: boolean + default: false + + # TODO + # provenance-overwrite: + # description: "overwrite provenance if already present" + # required: false + # type: boolean + # default: false + +jobs: + slsa-setup: + permissions: + id-token: write # For token creation. 
+ outputs: + slsa-token: ${{ steps.generate.outputs.slsa-token }} + runs-on: ubuntu-latest + steps: + - name: Generate the token + id: generate + uses: laurentsimon/slsa-delegator/actions/setup-token@main + with: + slsa-workflow-recipient: "delegator_generic_slsa3.yml" + slsa-private-repository: true + slsa-runner-label: "ubuntu-latest" + slsa-build-action-path: "./internal/sbom-wrapper" + # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1575): mask sensitive fields. + slsa-workflow-inputs: ${{ toJson(inputs) }} + + slsa-run: + needs: [slsa-setup] + permissions: + id-token: write # For signing. + contents: write # For asset uploads. + actions: read # For the entrypoint. + packages: write + uses: laurentsimon/slsa-delegator/.github/workflows/delegator_generic_slsa3.yml@main + with: + slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} + secrets: + secret1: ${{ secrets.registry-password }} + secret2: ${{ secrets.github-token }} + + slsa-publish: + needs: [slsa-run] + permissions: + contents: write # For asset uploads. Optional + runs-on: ubuntu-latest + steps: + - name: Verify and publish + env: + SLSA_ATTESTATION_DOWNLOAD_NAME: ${{ needs.slsa-run.outputs.attestations-download-name }} + run: | + echo "download from $SLSA_ATTESTATION_DOWNLOAD_NAME" + echo "artifacts $ACTION_ARTIFACTS" + + # Download artifacts and provenance + # Verify thru slsa-verifier + + # Upload the attestation. + diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml new file mode 100644 index 00000000..adf53372 --- /dev/null +++ b/internal/sbom-wrapper/action.yml 
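Review bot: The `slsa-run` job forwards `registry-password` and `github-token` to a reusable workflow referenced by the mutable ref `laurentsimon/slsa-delegator/.github/workflows/delegator_generic_slsa3.yml@main` and grants it `id-token: write`, `contents: write` and `packages: write`; any push to that branch changes what receives these secrets and what signs on the caller's behalf, so for a SLSA builder both the delegator workflow and the `setup-token` action should be pinned to a release tag or full commit SHA. `packages: write` is also the only permission on the job without a justifying comment; if it exists for pushing to a container registry say so, e.g. `packages: write # For pushing to GHCR — confirm this is needed`, otherwise drop it. `slsa-workflow-inputs: ${{ toJson(inputs) }}` serializes every caller input into the token; the TODO already notes masking, and `registry-username` is among the values that end up there.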
@@ -0,0 +1,73 @@ +name: Anchor SBOM internal Action + +description: Anchor SBOM internal Action + +inputs: + slsa-workflow-inputs: + description: 'All the inputs formatted as a map' + type: string + required: true + + slsa-layout-file: + description: 'Location to store the layout content' + type: string + required: true + + slsa-workflow-secret1: + description: 'secret1 stores the registry username' + type: string + required: true + + slsa-workflow-secret2: + description: 'secret2 stores the github-token' + type: string + required: true + +runs: + using: 'composite' + steps: + # This would call the main Action, e.g., ./../__TOOL_CHECKOUT_DIR__/ + # if path is left empty, the Action's action.yml is located at the root of the repository. + - name: Run main sbom-action Action + uses: ./../__TOOL_CHECKOUT_DIR__ + with: + path: ${{ fromJson(inputs.slsa-workflow-inputs).path }} + file: ${{ fromJson(inputs.slsa-workflow-inputs).file }} + image: ${{ fromJson(inputs.slsa-workflow-inputs).image }} + registry-username: ${{ fromJson(inputs.slsa-workflow-inputs).registry-username }} + format: ${{ fromJson(inputs.slsa-workflow-inputs).format }} + artifact-name: ${{ fromJson(inputs.slsa-workflow-inputs).artifact-name }} + output-file: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }} + syft-version: ${{ fromJson(inputs.slsa-workflow-inputs).syft-version }} + dependency-snapshot: ${{ fromJson(inputs.slsa-workflow-inputs).dependency-snapshot }} + upload-artifact: ${{ fromJson(inputs.slsa-workflow-inputs).upload-artifact }} + upload-release-assets: ${{ fromJson(inputs.slsa-workflow-inputs).upload-release-assets }} + + - name: Generate layout file + id: generate-layout + env: + SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }} + UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }} + shell: bash + run: | + hash=$(sha256sum "$UNTRUSTED_OUTPUT_FILE" | awk '{print $1}') + attestation_name=$(readlink -m "$UNTRUSTED_OUTPUT_FILE") + echo 
"SLSA_OUTPUTS_ARTIFACTS_FILE: $SLSA_OUTPUTS_ARTIFACTS_FILE" + + cat <DATA + { + "version": 1, + "attestations": [ + { + "name": "$attestation_name.intoto", + "subjects": [ + { "name": "$attestation_name", + "digest": { "sha256": "853ff93762a06ddbf722c4ebe9ddd66d8f63ddaea97f521c3ecc20da7c976020" } + } + } + ] + } + EOF + + # Expected file with pre-defined output + cat DATA > "$SLSA_OUTPUTS_ARTIFACTS_FILE" \ No newline at end of file From ea6596876196e7ba0ce3078482df8ed3243c84da Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 26 Jan 2023 23:21:22 +0000 Subject: [PATCH 02/79] update Signed-off-by: laurentsimon --- internal/sbom-wrapper/action.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index adf53372..98025f73 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml @@ -26,6 +26,9 @@ inputs: runs: using: 'composite' steps: + # NOTE: the repository is already cloned by the caller, so there's no need to + # checkout ourselves. + # This would call the main Action, e.g., ./../__TOOL_CHECKOUT_DIR__/ # if path is left empty, the Action's action.yml is located at the root of the repository. - name: Run main sbom-action Action From ae4f21489696999d7f382d98d2489a1a5c92e4f4 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 26 Jan 2023 23:32:06 +0000 Subject: [PATCH 03/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 2 -- internal/sbom-wrapper/action.yml | 3 +++ 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 7c562cf5..cce14f49 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml 
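Review bot: The layout JSON is assembled by interpolating `$attestation_name` — derived from the value the step itself labels `UNTRUSTED_OUTPUT_FILE` — straight into a heredoc, so a path containing `"` or `\` yields malformed JSON or extra fields in the subject list; build it with jq instead, e.g. `jq -n --arg name "$attestation_name" --arg sha "$hash" '{version:1,attestations:[{name:($name+".intoto"),subjects:[{name:$name,digest:{sha256:$sha}}]}]}' > "$SLSA_OUTPUTS_ARTIFACTS_FILE"`. The computed `$hash` is also never used: the `digest` field carries a hard-coded literal, so the provenance would attest a digest unrelated to the file that was just hashed. Redirection characters appear to have been lost in this rendering (`cat <DATA`), so the exact heredoc form could not be checked.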
@@ -18,12 +18,10 @@ on: github-token: description: "Authorized secret GitHub Personal Access Token. Defaults to github.token" required: false - default: ${{ github.token }} path: required: false description: "A path to a directory on the filesystem to scan" - default: "." file: required: false diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index 98025f73..b97ce1ac 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml @@ -45,6 +45,9 @@ runs: dependency-snapshot: ${{ fromJson(inputs.slsa-workflow-inputs).dependency-snapshot }} upload-artifact: ${{ fromJson(inputs.slsa-workflow-inputs).upload-artifact }} upload-release-assets: ${{ fromJson(inputs.slsa-workflow-inputs).upload-release-assets }} + #TODO: verify that an empty value is equivalent to non-provided value. + registry-username: ${{ inputs.slsa-workflow-secret1 }} + github-token: ${{ inputs.slsa-workflow-secret2 }} - name: Generate layout file id: generate-layout From 113898179aea67c6d12d9ecac8991472db7e6b73 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 26 Jan 2023 23:38:11 +0000 Subject: [PATCH 04/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index cce14f49..ab8fc8e4 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -19,9 +19,11 @@ on: description: "Authorized secret GitHub Personal Access Token. Defaults to github.token" required: false + inputs: path: required: false description: "A path to a directory on the filesystem to scan" + default: "." file: required: false From e8a1faf3ae33e2bf8d40d26a831ed1b11de3be96 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 26 Jan 2023 23:41:56 +0000 Subject: [PATCH 05/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) 
diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index ab8fc8e4..28ee83a5 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -24,50 +24,61 @@ on: required: false description: "A path to a directory on the filesystem to scan" default: "." + type: string file: required: false description: "A file on the filesystem to scan" + type: string image: required: false description: "A container image to scan" + type: string registry-username: required: false description: "The registry username" + type: string format: required: false description: "The SBOM format to export" default: "spdx-json" + type: string artifact-name: description: "The name to use for the SBOM file generated by this action" required: false + type: string output-file: required: false description: "A file location to output the SBOM" + type: string syft-version: required: false description: "The version of Syft to use" + type: string dependency-snapshot: required: false description: "Upload to GitHub dependency snapshot API" default: "false" + type: string upload-artifact: required: false description: "Upload artifact to workflow" default: "true" + type: string upload-release-assets: required: false description: "Upload release assets" default: "true" + type: string private-repository: description: "TODO" From fd2ce7324cae7a114b51757af3443dca4d99d519 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 26 Jan 2023 23:54:47 +0000 Subject: [PATCH 06/79] update Signed-off-by: laurentsimon --- internal/sbom-wrapper/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index b97ce1ac..93b5a694 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml 
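Review bot: `dependency-snapshot`, `upload-artifact` and `upload-release-assets` are declared `type: string` with `"true"`/`"false"` defaults while `private-repository` a few lines below is `type: boolean`, so callers must remember which flags take a quoted string and which a bare boolean. If the string form is deliberate because the wrapped sbom-action only accepts strings, a one-line comment above those inputs such as `# Passed through verbatim to sbom-action, which takes string inputs.` would prevent a later "fix" to `boolean`; otherwise declare all four the same way. The enclosing `on.workflow_call.inputs` map continues outside this hunk.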
@@ -46,7 +46,7 @@ runs:
 upload-artifact: ${{ fromJson(inputs.slsa-workflow-inputs).upload-artifact }}
 upload-release-assets: ${{ fromJson(inputs.slsa-workflow-inputs).upload-release-assets }}
 #TODO: verify that an empty value is equivalent to non-provided value.
- registry-username: ${{ inputs.slsa-workflow-secret1 }}
+ registry-password: ${{ inputs.slsa-workflow-secret1 }}
 github-token: ${{ inputs.slsa-workflow-secret2 }}
 - name: Generate layout file
From 46edaede87de2ec3d393c9bcb6145cdbef2579e7 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Fri, 27 Jan 2023 00:01:19 +0000
Subject: [PATCH 07/79] update
Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index 93b5a694..0d89373f 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -47,7 +47,7 @@ runs:
 upload-release-assets: ${{ fromJson(inputs.slsa-workflow-inputs).upload-release-assets }}
 #TODO: verify that an empty value is equivalent to non-provided value.
 registry-password: ${{ inputs.slsa-workflow-secret1 }}
- github-token: ${{ inputs.slsa-workflow-secret2 }}
+ github-token: ${{ inputs.slsa-workflow-secret2 || github.token }}
 - name: Generate layout file
From a248e1b816559db3f4747d47ac2d0f1807a2f338 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Fri, 27 Jan 2023 00:02:45 +0000
Subject: [PATCH 08/79] update
Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index 0d89373f..ba8a7d5e 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -16,12 +16,13 @@ inputs: slsa-workflow-secret1: description: 'secret1 stores the registry username' type: string - required: true + required: false slsa-workflow-secret2: description: 'secret2 stores the github-token' type: string - required: true + required: false + default: ${{ github.token }} runs: using: 'composite' @@ -47,7 +48,7 @@ runs: upload-release-assets: ${{ fromJson(inputs.slsa-workflow-inputs).upload-release-assets }} #TODO: verify that an empty value is equivalent to non-provided value. registry-password: ${{ inputs.slsa-workflow-secret1 }} - github-token: ${{ inputs.slsa-workflow-secret2 || github.token }} + github-token: ${{ inputs.slsa-workflow-secret2 }} - name: Generate layout file id: generate-layout From 784bc69d38dd866c687024de1933c27136d3a742 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 27 Jan 2023 00:12:02 +0000 Subject: [PATCH 09/79] update Signed-off-by: laurentsimon --- internal/sbom-wrapper/action.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index ba8a7d5e..6047cc92 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml @@ -57,8 +57,11 @@ runs: UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }} shell: bash run: | - hash=$(sha256sum "$UNTRUSTED_OUTPUT_FILE" | awk '{print $1}') - attestation_name=$(readlink -m "$UNTRUSTED_OUTPUT_FILE") + filename=$(ls *.spdx.json) + echo "SBOM file: $filename" + hash=$(sha256sum "$filename" | awk '{print $1}') + attestation_name=$(basename $(readlink -m "$filename")) + echo "attestation_name: $attestation_name" echo "SLSA_OUTPUTS_ARTIFACTS_FILE: $SLSA_OUTPUTS_ARTIFACTS_FILE" cat <DATA From 125882dde72ba127316096b22af09dd83f2cc8e3 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 27 Jan 2023 00:19:41 +0000 Subject: [PATCH 10/79] update 
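Review bot: `filename=$(ls *.spdx.json)` selects the subject by globbing the working directory, so the step ignores the `output-file` value it still reads into `UNTRUSTED_OUTPUT_FILE` and yields a multi-line `$filename` as soon as more than one SBOM is present; `$(readlink -m "$filename")` inside `basename` is also unquoted and subject to word splitting. Prefer deriving the path from the input, or at least `shopt -s nullglob; files=(*.spdx.json); [[ ${#files[@]} -eq 1 ]] || exit 1` followed by `attestation_name=$(basename "$(readlink -m "${files[0]}")")`. The `run:` block continues outside this hunk.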
Signed-off-by: laurentsimon --- internal/sbom-wrapper/action.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index 6047cc92..809fb2af 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml @@ -22,7 +22,6 @@ inputs: description: 'secret2 stores the github-token' type: string required: false - default: ${{ github.token }} runs: using: 'composite' @@ -46,9 +45,8 @@ runs: dependency-snapshot: ${{ fromJson(inputs.slsa-workflow-inputs).dependency-snapshot }} upload-artifact: ${{ fromJson(inputs.slsa-workflow-inputs).upload-artifact }} upload-release-assets: ${{ fromJson(inputs.slsa-workflow-inputs).upload-release-assets }} - #TODO: verify that an empty value is equivalent to non-provided value. registry-password: ${{ inputs.slsa-workflow-secret1 }} - github-token: ${{ inputs.slsa-workflow-secret2 }} + github-token: ${{ inputs.slsa-workflow-secret2 || github.token}} - name: Generate layout file id: generate-layout From d6e20a099f3cc9deb74a318def5dab999f0ddd70 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 27 Jan 2023 00:22:01 +0000 Subject: [PATCH 11/79] update Signed-off-by: laurentsimon --- internal/sbom-wrapper/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index 809fb2af..4f836c4e 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml @@ -55,6 +55,7 @@ runs: UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }} shell: bash run: | + tree filename=$(ls *.spdx.json) echo "SBOM file: $filename" hash=$(sha256sum "$filename" | awk '{print $1}') From c8144d19c8188df07e51b4ba0eaac208257fd32f Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 27 Jan 2023 00:35:47 +0000 Subject: [PATCH 12/79] update 
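Review bot: The `#TODO: verify that an empty value is equivalent to non-provided value.` comment is deleted without the question being answered: `registry-password: ${{ inputs.slsa-workflow-secret1 }}` still passes an empty string when the caller supplies no secret, and nothing in this diff establishes that the wrapped sbom-action treats `''` like an absent input. Either keep the TODO or, once confirmed, document it next to the line, e.g. `# An unset secret1 arrives as ''; sbom-action treats '' as no password (verified).`. The `|| github.token` fallback on the following line means a caller that sends nothing silently gets the delegator job's own token, which deserves a comment of its own.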
Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index 4f836c4e..7cc84446 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -55,8 +55,7 @@ runs:
 UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }}
 shell: bash
 run: |
- tree
- filename=$(ls *.spdx.json)
+ filename=$(ls/tmp/sbom-action-*/)
 echo "SBOM file: $filename"
 hash=$(sha256sum "$filename" | awk '{print $1}')
 attestation_name=$(basename $(readlink -m "$filename"))
From f0082b1f88bed21bde1684a2064659fa96e1bec1 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Fri, 27 Jan 2023 00:38:27 +0000
Subject: [PATCH 13/79] update
Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index 7cc84446..a09068c7 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -55,7 +55,7 @@ runs:
 UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }}
 shell: bash
 run: |
- filename=$(ls/tmp/sbom-action-*/)
+ filename=$(ls /tmp/sbom-action-*/)
 echo "SBOM file: $filename"
 hash=$(sha256sum "$filename" | awk '{print $1}')
 attestation_name=$(basename $(readlink -m "$filename"))
From 781b053b8021d3986d1ddcaf5fc1dce25755c9c1 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Fri, 27 Jan 2023 00:42:32 +0000
Subject: [PATCH 14/79] update
Signed-off-by: laurentsimon
---
 .github/workflows/slsa3.yml | 4 ++--
 internal/sbom-wrapper/action.yml | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml
index 28ee83a5..782d9d1a 100644
--- a/.github/workflows/slsa3.yml
+++ b/.github/workflows/slsa3.yml
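Review bot: The subject to attest is now chosen by globbing `/tmp/sbom-action-*/`, a shared world-writable location, with no link back to the directory the sbom-action step actually created; anything that drops a matching directory on the runner before this step runs becomes the attested artifact, and the glob can also match several directories at once. `ls` prints a bare filename, so `sha256sum "$filename"` on the next line resolves relative to the workspace rather than `/tmp`. A safer selection reads the path from the wrapped action's `output-file` input, which the step already has in `UNTRUSTED_OUTPUT_FILE`, or from a step output of the previous step, e.g. `fullname="${{ steps.sbom.outputs.output-file }}"` if the action exposes one — confirm against its action.yml.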
@@ -81,7 +81,7 @@ on: type: string private-repository: - description: "TODO" + description: "Allow pubication of your repository name on the public Rekor log" required: false type: boolean default: false @@ -106,7 +106,7 @@ jobs: uses: laurentsimon/slsa-delegator/actions/setup-token@main with: slsa-workflow-recipient: "delegator_generic_slsa3.yml" - slsa-private-repository: true + slsa-private-repository: ${{ inputs.private-repository == 'true' }} slsa-runner-label: "ubuntu-latest" slsa-build-action-path: "./internal/sbom-wrapper" # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1575): mask sensitive fields. diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index a09068c7..407c98b0 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml @@ -56,8 +56,9 @@ runs: shell: bash run: | filename=$(ls /tmp/sbom-action-*/) - echo "SBOM file: $filename" - hash=$(sha256sum "$filename" | awk '{print $1}') + dir=$(ls /tmp/ | sbom-action) + echo "SBOM file: $dir/$filename" + hash=$(sha256sum "$dir/$filename" | awk '{print $1}') attestation_name=$(basename $(readlink -m "$filename")) echo "attestation_name: $attestation_name" echo "SLSA_OUTPUTS_ARTIFACTS_FILE: $SLSA_OUTPUTS_ARTIFACTS_FILE" From 89a97a676649840992bf81fd884d0bfb21afdef5 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 27 Jan 2023 00:44:52 +0000 Subject: [PATCH 15/79] update Signed-off-by: laurentsimon --- internal/sbom-wrapper/action.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index 407c98b0..b0dc2be0 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml 
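Review bot: `slsa-private-repository: ${{ inputs.private-repository == 'true' }}` compares an input declared `type: boolean` against the string `'true'`; if GitHub delivers the input as a real boolean, its expression rules coerce operands of different types to numbers before comparing, so `true == 'true'` evaluates to false and a caller who opts in to keeping their repository name off the public Rekor log would still be published. Pass the value through directly: `slsa-private-repository: ${{ inputs.private-repository }}`. The new description also reads as the opposite of the flag's intent ("Allow pubication" for a `private-repository` flag) and carries a typo; consider `description: "Set to true to keep your repository name off the public Rekor log"`.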
@@ -55,8 +55,10 @@ runs: UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }} shell: bash run: | + # Just infer the filename for simplicitiy of the PoC. + # Production-ready code should consider `artifact-name` and `output-file inputs`. filename=$(ls /tmp/sbom-action-*/) - dir=$(ls /tmp/ | sbom-action) + dir=$(ls /tmp/ | grep sbom-action) echo "SBOM file: $dir/$filename" hash=$(sha256sum "$dir/$filename" | awk '{print $1}') attestation_name=$(basename $(readlink -m "$filename")) From f275bf9efdc26d618b173dcfd0960c113367687d Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 27 Jan 2023 00:47:56 +0000 Subject: [PATCH 16/79] update Signed-off-by: laurentsimon --- internal/sbom-wrapper/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index b0dc2be0..1ee2d89b 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml @@ -59,6 +59,7 @@ runs: # Production-ready code should consider `artifact-name` and `output-file inputs`. filename=$(ls /tmp/sbom-action-*/) dir=$(ls /tmp/ | grep sbom-action) + fullname="/tmp/$dir/$filename" echo "SBOM file: $dir/$filename" hash=$(sha256sum "$dir/$filename" | awk '{print $1}') attestation_name=$(basename $(readlink -m "$filename")) From 2e36dd523a6fcba9c88c9bbfd129b5ccd43c5f18 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 27 Jan 2023 00:51:14 +0000 Subject: [PATCH 17/79] update Signed-off-by: laurentsimon --- internal/sbom-wrapper/action.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index 1ee2d89b..5d25ae15 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml 
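Review bot: `dir=$(ls /tmp/ | grep sbom-action)` returns several lines whenever more than one matching entry exists under `/tmp`, and `fullname="/tmp/$dir/$filename"` then holds embedded newlines, so the hash is taken of a path that does not exist, or of the wrong file if one of the lines happens to resolve. Resolve the directory once with a glob array and fail on ambiguity, e.g. `dirs=(/tmp/sbom-action-*/); [[ ${#dirs[@]} -eq 1 ]] || { echo "expected one sbom-action dir, found ${#dirs[@]}"; exit 1; }` followed by `fullname="${dirs[0]}$filename"`. `fullname` is defined in this hunk but not yet used by the `sha256sum` and `readlink` lines below it.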
@@ -60,9 +60,10 @@ runs: filename=$(ls /tmp/sbom-action-*/) dir=$(ls /tmp/ | grep sbom-action) fullname="/tmp/$dir/$filename" + echo "SBOM file: $dir/$filename" - hash=$(sha256sum "$dir/$filename" | awk '{print $1}') - attestation_name=$(basename $(readlink -m "$filename")) + hash=$(sha256sum "$fullname" | awk '{print $1}') + attestation_name=$(basename $(readlink -m "$fullname")) echo "attestation_name: $attestation_name" echo "SLSA_OUTPUTS_ARTIFACTS_FILE: $SLSA_OUTPUTS_ARTIFACTS_FILE" From 2fafc9f1df61360f3e3c16e731652c9ffb01eb5e Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 27 Jan 2023 00:55:23 +0000 Subject: [PATCH 18/79] update Signed-off-by: laurentsimon --- internal/sbom-wrapper/action.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index 5d25ae15..7c40fe34 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml @@ -70,13 +70,20 @@ runs: cat <DATA { "version": 1, - "attestations": [ + "attestations": + [ { "name": "$attestation_name.intoto", - "subjects": [ - { "name": "$attestation_name", - "digest": { "sha256": "853ff93762a06ddbf722c4ebe9ddd66d8f63ddaea97f521c3ecc20da7c976020" } + "subjects": + [ + { + "name": "$attestation_name", + "digest": + { + "sha256": "853ff93762a06ddbf722c4ebe9ddd66d8f63ddaea97f521c3ecc20da7c976020" + } } + ] } ] } From 929ba2106ab1a262af93926479d78a52cf7699fa Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 27 Jan 2023 01:34:42 +0000 Subject: [PATCH 19/79] update Signed-off-by: laurentsimon --- internal/sbom-wrapper/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index 7c40fe34..ab1a515d 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml 
@@ -29,7 +29,7 @@ runs: # NOTE: the repository is already cloned by the caller, so there's no need to # checkout ourselves. - # This would call the main Action, e.g., ./../__TOOL_CHECKOUT_DIR__/ + # This calls the main Action, e.g., ./../__TOOL_CHECKOUT_DIR__/ # if path is left empty, the Action's action.yml is located at the root of the repository. - name: Run main sbom-action Action uses: ./../__TOOL_CHECKOUT_DIR__ @@ -80,7 +80,7 @@ runs: "name": "$attestation_name", "digest": { - "sha256": "853ff93762a06ddbf722c4ebe9ddd66d8f63ddaea97f521c3ecc20da7c976020" + "sha256": "$hash" } } ] From 2f95a6a76eb2c68b248bcf15f29786bddbb863da Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 27 Jan 2023 15:09:22 +0000 Subject: [PATCH 20/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 782d9d1a..70c700d8 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -132,15 +132,27 @@ jobs: contents: write # For asset uploads. Optional runs-on: ubuntu-latest steps: - - name: Verify and publish + - name: Download attestations + uses: actions/download-artifact@v3 + with: + name: ${{ needs.slsa-run.outputs.attestations-download-name }} + + - name: Verify attestations env: SLSA_ATTESTATION_DOWNLOAD_NAME: ${{ needs.slsa-run.outputs.attestations-download-name }} run: | echo "download from $SLSA_ATTESTATION_DOWNLOAD_NAME" echo "artifacts $ACTION_ARTIFACTS" - # Download artifacts and provenance - # Verify thru slsa-verifier + # TODO: Verify thru slsa-verifier + + - name: Upload SBOM provenance + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 + if: startsWith(github.ref, 'refs/tags/') + with: + files: | + *.sigstore + - # Upload the attestation. + From 67f4becd92d7de2e4eeaf188f750d3962179b660 Mon Sep 17 00:00:00 2001 
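Review bot: The publish job uploads `*.sigstore` files to the release with only an `echo` where verification should be — the hunk's own `# TODO: Verify thru slsa-verifier` — so whatever `actions/download-artifact` returns is published unverified; until the verifier step exists this job should either not run on tags or gate the upload on the verifier's exit status. `actions/download-artifact@v3` is referenced by a mutable tag while `softprops/action-gh-release` two steps later is pinned to a full SHA with a version comment; pin both the same way. The `*.sigstore` glob also relies on the download step leaving files in the working-directory root, which the hunk does not state.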
From: laurentsimon Date: Fri, 27 Jan 2023 16:13:06 +0000 Subject: [PATCH 21/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 1 - internal/sbom-wrapper/action.yml | 57 ++++++++++++++++++-------------- 2 files changed, 33 insertions(+), 25 deletions(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 70c700d8..df61be41 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -142,7 +142,6 @@ jobs: SLSA_ATTESTATION_DOWNLOAD_NAME: ${{ needs.slsa-run.outputs.attestations-download-name }} run: | echo "download from $SLSA_ATTESTATION_DOWNLOAD_NAME" - echo "artifacts $ACTION_ARTIFACTS" # TODO: Verify thru slsa-verifier diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index ab1a515d..adaaa576 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml 
@@ -57,37 +57,46 @@ runs: run: | # Just infer the filename for simplicitiy of the PoC. # Production-ready code should consider `artifact-name` and `output-file inputs`. - filename=$(ls /tmp/sbom-action-*/) - dir=$(ls /tmp/ | grep sbom-action) - fullname="/tmp/$dir/$filename" + find /etc/ -maxdepth 2 -regex '/etc/sbom-action-.*/*.sigstore' > FILES - echo "SBOM file: $dir/$filename" - hash=$(sha256sum "$fullname" | awk '{print $1}') - attestation_name=$(basename $(readlink -m "$fullname")) - echo "attestation_name: $attestation_name" - echo "SLSA_OUTPUTS_ARTIFACTS_FILE: $SLSA_OUTPUTS_ARTIFACTS_FILE" + attestations=() + n=$(wc -l <./FILES) + i=1 + while IFS= read -r line; do + file="$line" - cat <DATA - { - "version": 1, - "attestations": - [ + echo "SBOM file: $file" + hash=$(sha256sum "$file" | awk '{print $1}') + attestation_name=$(basename "$(readlink -m "$file")") + read -r -d '' entry <<- EOM { - "name": "$attestation_name.intoto", - "subjects": - [ - { - "name": "$attestation_name", - "digest": - { - "sha256": "$hash" - } + "name": "$attestation_name", + "digest": + { + "sha256": "$hash" } - ] } - ] + EOM + if [[ $i -eq $n ]]; then + attestations+=("$entry") + else + attestations+=("$entry,") + fi + + i=$((i+1)) + done < FILES + + cat <DATA + { + "version": 1, + "attestations": + [ + ${attestations[@]} + ] } EOF + jq "$SLSA_OUTPUTS_ARTIFACTS_FILE" \ No newline at end of file From 69a9de3831d1e2c80a9e397a1d0ca2b46ce4a3e4 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 27 Jan 2023 16:15:24 +0000 Subject: [PATCH 22/79] update Signed-off-by: laurentsimon --- internal/sbom-wrapper/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index adaaa576..b85f2874 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml 
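Review bot: Subjects are still produced by interpolating `$attestation_name` and `$hash` into hand-written JSON, now in two layers (`EOM` per entry plus the outer `EOF`), and a filename containing `"` or `\` breaks or alters the layout; generating each entry with `jq -n --arg name "$attestation_name" --arg sha "$hash" '{name:$name,digest:{sha256:$sha}}'` and collecting them with `jq -s .` removes the manual comma bookkeeping as well. Two checks are missing: when `find` matches nothing, `n=0` silently yields an attestation with an empty subject list rather than failing, and `read -r -d ''` returns non-zero at end of input, which terminates the step under the `-e` that GitHub's default `shell: bash` invocation uses — append `|| true` to that `read`. Redirections look stripped in this rendering (`cat <DATA`, `jq "$SLSA_OUTPUTS_ARTIFACTS_FILE"`), so the exact I/O of the heredocs and the final write could not be checked.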
@@ -57,7 +57,7 @@ runs: run: | # Just infer the filename for simplicitiy of the PoC. # Production-ready code should consider `artifact-name` and `output-file inputs`. - find /etc/ -maxdepth 2 -regex '/etc/sbom-action-.*/*.sigstore' > FILES + sudo find /etc/ -maxdepth 2 -regex '/etc/sbom-action-.*/*.sigstore' > FILES attestations=() n=$(wc -l <./FILES) From 8eef28445713473c2e1c84a3f192c28d7e525447 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 27 Jan 2023 16:19:31 +0000 Subject: [PATCH 23/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 2 +- internal/sbom-wrapper/action.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index df61be41..a374ff4a 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -128,6 +128,7 @@ jobs: slsa-publish: needs: [slsa-run] + if: startsWith(github.ref, 'refs/tags/') permissions: contents: write # For asset uploads. Optional runs-on: ubuntu-latest @@ -147,7 +148,6 @@ jobs: - name: Upload SBOM provenance uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 - if: startsWith(github.ref, 'refs/tags/') with: files: | *.sigstore diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index b85f2874..8325969d 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml @@ -57,6 +57,7 @@ runs: run: | # Just infer the filename for simplicitiy of the PoC. # Production-ready code should consider `artifact-name` and `output-file inputs`. + # NOTE: requires sudo to read protected /etc entries sudo find /etc/ -maxdepth 2 -regex '/etc/sbom-action-.*/*.sigstore' > FILES attestations=() From a38ab930d892581c93c5e12ca7b900edf690a5cd Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 27 Jan 2023 16:29:40 +0000 Subject: [PATCH 24/79] update 
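Review bot: Prefixing `find /etc/` with `sudo` gives a step inside the SLSA build a root shell just to locate its own output, and the regex `'/etc/sbom-action-.*/*.sigstore'` (where `/*` is zero-or-more slashes and `.` matches any character) also matches anything an unrelated process places under a root-owned `/etc/sbom-action-*` directory, so the attested subject set is no longer under the wrapper's control. The comment above already admits production code should use `artifact-name`/`output-file`; reading that path as the unprivileged runner user avoids both the escalation and the ambiguity. If root really is required because the wrapped action writes to a root-owned location, extend the `# NOTE` to say which action creates that directory and why, so a future reader understands why a builder step needs `sudo`.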
Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index a374ff4a..d8f9b780 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -103,7 +103,7 @@ jobs: steps: - name: Generate the token id: generate - uses: laurentsimon/slsa-delegator/actions/setup-token@main + uses: slsa-framework/slsa-github-generator/actions/setup-token@main with: slsa-workflow-recipient: "delegator_generic_slsa3.yml" slsa-private-repository: ${{ inputs.private-repository == 'true' }} @@ -119,7 +119,7 @@ jobs: contents: write # For asset uploads. actions: read # For the entrypoint. packages: write - uses: laurentsimon/slsa-delegator/.github/workflows/delegator_generic_slsa3.yml@main + uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main with: slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} secrets: From 9baabd92aab9a55bbc9db12593091e86c201152e Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 27 Jan 2023 16:38:40 +0000 Subject: [PATCH 25/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index d8f9b780..a374ff4a 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -103,7 +103,7 @@ jobs: steps: - name: Generate the token id: generate - uses: slsa-framework/slsa-github-generator/actions/setup-token@main + uses: laurentsimon/slsa-delegator/actions/setup-token@main with: slsa-workflow-recipient: "delegator_generic_slsa3.yml" slsa-private-repository: ${{ inputs.private-repository == 'true' }} 
@@ -119,7 +119,7 @@ jobs: contents: write # For asset uploads. actions: read # For the entrypoint. packages: write - uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main + uses: laurentsimon/slsa-delegator/.github/workflows/delegator_generic_slsa3.yml@main with: slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} secrets: From 3345d0de28f4f366c923864d053aca51aaec82bf Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 27 Jan 2023 17:01:57 +0000 Subject: [PATCH 26/79] update Signed-off-by: laurentsimon --- internal/sbom-wrapper/action.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index 8325969d..d9e982c0 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml @@ -68,10 +68,10 @@ runs: echo "SBOM file: $file" hash=$(sha256sum "$file" | awk '{print $1}') - attestation_name=$(basename "$(readlink -m "$file")") + subject_name=$(basename "$(readlink -m "$file")") read -r -d '' entry <<- EOM { - "name": "$attestation_name", + "name": "$subject_name", "digest": { "sha256": "$hash" @@ -92,11 +92,16 @@ runs: "version": 1, "attestations": [ - ${attestations[@]} + { + "name": "attestation.intoto", + "subjects": + [ + ${attestations[@]} + ] + } ] } EOF - jq Date: Fri, 27 Jan 2023 17:16:56 +0000 Subject: [PATCH 27/79] update Signed-off-by: laurentsimon --- internal/sbom-wrapper/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index d9e982c0..6295d971 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml 
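Review bot: `"name": "$subject_name"` in the `@@ -68` hunk of `internal/sbom-wrapper/action.yml` splices a filename taken from the filesystem straight into a JSON document, so a name containing `"` or `\` yields either an invalid layout or extra fields in the subject entry; the same pattern survives the move into `generate-layout.sh` in patch 32 and the `printf -v entry "$template" "$subject_name" "$hash"` rewrite in patch 52. Since `jq` is already invoked at the end of this block, build each entry with `jq -cn --arg name "$subject_name" --arg sha "$hash" '{name: $name, digest: {sha256: $sha}}'`, which escapes both values and guarantees well-formed output. The enclosing `run:` block starts and ends outside this hunk.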
@@ -58,7 +58,7 @@ runs:
 # Just infer the filename for simplicitiy of the PoC.
 # Production-ready code should consider `artifact-name` and `output-file inputs`.
 # NOTE: requires sudo to read protected /etc entries
- sudo find /etc/ -maxdepth 2 -regex '/etc/sbom-action-.*/*.sigstore' > FILES
+ sudo find /etc/ -maxdepth 2 -regex '/etc/sbom-action-.*/*.sigstore' | tee ./FILES

 attestations=()
 n=$(wc -l <./FILES)

From 6e20bde3d19075eecd7a07ab535b8e459e468f11 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Fri, 27 Jan 2023 21:03:08 +0000
Subject: [PATCH 28/79] update

Signed-off-by: laurentsimon
---
 .github/workflows/slsa3.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml
index a374ff4a..d8f9b780 100644
--- a/.github/workflows/slsa3.yml
+++ b/.github/workflows/slsa3.yml
@@ -103,7 +103,7 @@ jobs:
 steps:
 - name: Generate the token
 id: generate
- uses: laurentsimon/slsa-delegator/actions/setup-token@main
+ uses: slsa-framework/slsa-github-generator/actions/setup-token@main
 with:
 slsa-workflow-recipient: "delegator_generic_slsa3.yml"
 slsa-private-repository: ${{ inputs.private-repository == 'true' }}
@@ -119,7 +119,7 @@ jobs:
 contents: write # For asset uploads.
 actions: read # For the entrypoint.
 packages: write
- uses: laurentsimon/slsa-delegator/.github/workflows/delegator_generic_slsa3.yml@main
+ uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main
 with:
 slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }}
 secrets:

From 0d5c8e42a1f39332a1b954e6c09e7af7a1dfb836 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 17:21:50 +0000
Subject: [PATCH 29/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index 6295d971..63c1e975 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -58,7 +58,7 @@ runs:
 # Just infer the filename for simplicitiy of the PoC.
 # Production-ready code should consider `artifact-name` and `output-file inputs`.
 # NOTE: requires sudo to read protected /etc entries
- sudo find /etc/ -maxdepth 2 -regex '/etc/sbom-action-.*/*.sigstore' | tee ./FILES
+ sudo find /etc/ -maxdepth 2 -regex '/etc/sbom-action-.*/*.sbom' | tee ./FILES

 attestations=()
 n=$(wc -l <./FILES)

From b62719f9ee20af6f16bd0a0f9cc2796b66f7bbd4 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 17:23:18 +0000
Subject: [PATCH 30/79] update

Signed-off-by: laurentsimon
---
 .github/workflows/slsa3.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml
index d8f9b780..08c71514 100644
--- a/.github/workflows/slsa3.yml
+++ b/.github/workflows/slsa3.yml
@@ -103,7 +103,7 @@ jobs:
 steps:
 - name: Generate the token
 id: generate
- uses: slsa-framework/slsa-github-generator/actions/setup-token@main
+ uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main
 with:
 slsa-workflow-recipient: "delegator_generic_slsa3.yml"
 slsa-private-repository: ${{ inputs.private-repository == 'true' }}

From 1ae6ae83a0e310f3357b314bc242fde3f42f2c7e Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 17:25:36 +0000
Subject: [PATCH 31/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index 63c1e975..b2277d06 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -58,7 +58,7 @@ runs:
 # Just infer the filename for simplicitiy of the PoC.
 # Production-ready code should consider `artifact-name` and `output-file inputs`.
 # NOTE: requires sudo to read protected /etc entries
- sudo find /etc/ -maxdepth 2 -regex '/etc/sbom-action-.*/*.sbom' | tee ./FILES
+ sudo find /etc/ -maxdepth 2 -regex '/etc/sbom-action-.*/*.json' | tee ./FILES

 attestations=()
 n=$(wc -l <./FILES)

From 66a41f306ccf55a2adff630d41b6864da6fbbfc5 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 17:37:04 +0000
Subject: [PATCH 32/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 54 +-----------------------
 internal/sbom-wrapper/generate-layout.sh | 49 +++++++++++++++++++++
 2 files changed, 51 insertions(+), 52 deletions(-)
 create mode 100755 internal/sbom-wrapper/generate-layout.sh

diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index b2277d06..cc04ecb2 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -54,55 +54,5 @@ runs:
 SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
 UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }}
 shell: bash
- run: |
- # Just infer the filename for simplicitiy of the PoC.
- # Production-ready code should consider `artifact-name` and `output-file inputs`.
- # NOTE: requires sudo to read protected /etc entries
- sudo find /etc/ -maxdepth 2 -regex '/etc/sbom-action-.*/*.json' | tee ./FILES
-
- attestations=()
- n=$(wc -l <./FILES)
- i=1
- while IFS= read -r line; do
- file="$line"
-
- echo "SBOM file: $file"
- hash=$(sha256sum "$file" | awk '{print $1}')
- subject_name=$(basename "$(readlink -m "$file")")
- read -r -d '' entry <<- EOM
- {
- "name": "$subject_name",
- "digest":
- {
- "sha256": "$hash"
- }
- }
- EOM
- if [[ $i -eq $n ]]; then
- attestations+=("$entry")
- else
- attestations+=("$entry,")
- fi
-
- i=$((i+1))
- done < FILES
-
- cat <DATA
- {
- "version": 1,
- "attestations":
- [
- {
- "name": "attestation.intoto",
- "subjects":
- [
- ${attestations[@]}
- ]
- }
- ]
- }
- EOF
- jq "$SLSA_OUTPUTS_ARTIFACTS_FILE"
\ No newline at end of file
+ working-directory: ./../__TOOL_CHECKOUT_DIR__/internal/sbom-wrapper
+ run: ./generate-layout.sh
\ No newline at end of file
diff --git a/internal/sbom-wrapper/generate-layout.sh b/internal/sbom-wrapper/generate-layout.sh
new file mode 100755
index 00000000..01e6af53
--- /dev/null
+++ b/internal/sbom-wrapper/generate-layout.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+#find sboms/ -maxdepth 2 -regex 'sboms/sbom-action-.*/*.json' > FILES
+sudo find /etc/ -maxdepth 2 -regex '/etc/sbom-action-.*/*.json' | tee ./FILES
+
+attestations=()
+n=$(wc -l <./FILES)
+i=1
+while IFS= read -r line; do
+ file="$line"
+
+ echo "SBOM file: $file"
+ hash=$(sha256sum "$file" | awk '{print $1}')
+ subject_name=$(basename "$(readlink -m "$file")")
+ read -r -d '' entry <<- EOM
+ {
+ "name": "$subject_name",
+ "digest":
+ {
+ "sha256": "$hash"
+ }
+ }
+EOM
+ if [[ $i -eq $n ]]; then
+ attestations+=("$entry")
+ else
+ attestations+=("$entry,")
+ fi
+
+ i=$((i+1))
+done < FILES
+
+cat <DATA
+{
+ "version": 1,
+ "attestations":
+ [
+ {
+ "name": "attestation.intoto",
+ "subjects":
+ [
+ ${attestations[@]}
+ ]
+ }
+ ]
+}
+EOF
+cat DATA
+jq
Date: Mon, 30 Jan 2023 17:40:37 +0000
Subject: [PATCH 33/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index cc04ecb2..9c2209ad 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -54,5 +54,7 @@ runs:
 SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
 UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }}
 shell: bash
- working-directory: ./../__TOOL_CHECKOUT_DIR__/internal/sbom-wrapper
- run: ./generate-layout.sh
\ No newline at end of file
+ run: |
+ pwd
+ tree
+ ./../__TOOL_CHECKOUT_DIR__/internal/sbom-wrapper/generate-layout.sh
\ No newline at end of file

From dbe612cbbf44dbde67f54c0393113106e92cb82b Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 17:44:09 +0000
Subject: [PATCH 34/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index 9c2209ad..e7ec4990 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -54,7 +54,8 @@ runs:
 SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
 UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }}
 shell: bash
+ working-directory: ./../__TOOL_CHECKOUT_DIR__/internal/sbom-wrapper
 run: |
 pwd
 tree
- ./../__TOOL_CHECKOUT_DIR__/internal/sbom-wrapper/generate-layout.sh
\ No newline at end of file
+ ./generate-layout.sh
\ No newline at end of file

From c789be98fc44eeb03a62e8996d91099ce028a8ba Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 17:48:02 +0000
Subject: [PATCH 35/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index e7ec4990..11bb4b00 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -54,8 +54,4 @@ runs:
 SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
 UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }}
 shell: bash
- working-directory: ./../__TOOL_CHECKOUT_DIR__/internal/sbom-wrapper
- run: |
- pwd
- tree
- ./generate-layout.sh
\ No newline at end of file
+ run: ./generate-layout.sh
\ No newline at end of file

From 94086631ea4208f6ff95b31fb0b33e5c304e4d0d Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 17:50:15 +0000
Subject: [PATCH 36/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index 11bb4b00..c07e8086 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -54,4 +54,7 @@ runs:
 SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
 UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }}
 shell: bash
- run: ./generate-layout.sh
\ No newline at end of file
+ run: |
+ pwd
+ tee
+ ./generate-layout.sh
\ No newline at end of file

From b147de841cea4cf90975eb7f9f5b1c7d12a2c5ac Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 17:51:04 +0000
Subject: [PATCH 37/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index c07e8086..f234646e 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -57,4 +57,8 @@ runs:
 run: |
 pwd
 tee
+ echo '--'
+ cd ../
+ tee
+ cd ../
 ./generate-layout.sh
\ No newline at end of file

From 7461b9951ae1bf1477ed8b8770992bbb426e3759 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 17:55:22 +0000
Subject: [PATCH 38/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index f234646e..aa3214e3 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -55,10 +55,15 @@ runs:
 UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }}
 shell: bash
 run: |
+ echo "Action:"
 pwd
 tee
- echo '--'
+ echo
+ echo "Previous pwd:"
 cd ../
 tee
- cd ../
+ echo
+ echo "Run:"
+ cd -
+ pwd
 ./generate-layout.sh
\ No newline at end of file

From f87a36bf4896cdef81cabd4a7a9d1176432430ec Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 17:59:20 +0000
Subject: [PATCH 39/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index aa3214e3..1f750ef3 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -57,11 +57,11 @@ runs:
 run: |
 echo "Action:"
 pwd
- tee
+ tree
 echo
 echo "Previous pwd:"
 cd ../
- tee
+ tree
 echo
 echo "Run:"
 cd -

From 16f645708c9b37e0afb6f3e0012e89370ccacc98 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 18:06:07 +0000
Subject: [PATCH 40/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 15 ++------------
 1 file changed, 2 insertions(+), 13 deletions(-)

diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index 1f750ef3..cbb71fdd 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -54,16 +54,5 @@ runs:
 SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
 UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }}
 shell: bash
- run: |
- echo "Action:"
- pwd
- tree
- echo
- echo "Previous pwd:"
- cd ../
- tree
- echo
- echo "Run:"
- cd -
- pwd
- ./generate-layout.sh
\ No newline at end of file
+ working-directory: ../__TOOL_ACTION_DIR__
+ run: ./generate-layout.sh
\ No newline at end of file

From 05008cc3019e4b0ae08af952f42bceed019fae98 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 18:06:37 +0000
Subject: [PATCH 41/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index cbb71fdd..a32a34f6 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -54,5 +54,5 @@ runs:
 SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
 UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }}
 shell: bash
- working-directory: ../__TOOL_ACTION_DIR__
+ working-directory: ./../__TOOL_ACTION_DIR__
 run: ./generate-layout.sh
\ No newline at end of file

From e74a9eb0cc37f69fdac44608c5f1e1140fc815cb Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 18:09:20 +0000
Subject: [PATCH 42/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index a32a34f6..b9a228fa 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -54,5 +54,5 @@ runs:
 SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
 UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }}
 shell: bash
- working-directory: ./../__TOOL_ACTION_DIR__
- run: ./generate-layout.sh
\ No newline at end of file
+ # The `slsa-build-action-path` is available at `./../__TOOL_ACTION_DIR__`.
+ run: ./../__TOOL_ACTION_DIR__/generate-layout.sh
\ No newline at end of file

From 63203552b47ed97997dfbe2ee3a09eb4a3a4c819 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 18:15:30 +0000
Subject: [PATCH 43/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/generate-layout.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/internal/sbom-wrapper/generate-layout.sh b/internal/sbom-wrapper/generate-layout.sh
index 01e6af53..e04f53b9 100755
--- a/internal/sbom-wrapper/generate-layout.sh
+++ b/internal/sbom-wrapper/generate-layout.sh
@@ -45,5 +45,8 @@ cat <DATA
 ]
 }
 EOF
-cat DATA
-jq "$SLSA_OUTPUTS_ARTIFACTS_FILE"
\ No newline at end of file

From d71a9472a43d0baa07ec2ae5833a4754d05466b7 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 18:18:49 +0000
Subject: [PATCH 44/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/generate-layout.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/sbom-wrapper/generate-layout.sh b/internal/sbom-wrapper/generate-layout.sh
index e04f53b9..c6fac309 100755
--- a/internal/sbom-wrapper/generate-layout.sh
+++ b/internal/sbom-wrapper/generate-layout.sh
@@ -1,7 +1,7 @@
 #!/bin/bash

 #find sboms/ -maxdepth 2 -regex 'sboms/sbom-action-.*/*.json' > FILES
-sudo find /etc/ -maxdepth 2 -regex '/etc/sbom-action-.*/*.json' | tee ./FILES
+sudo find /tmp/ -maxdepth 2 -regex '/tmp/sbom-action-.*/*.json' | tee ./FILES

 attestations=()
 n=$(wc -l <./FILES)

From c3d2fd4f5c8c8870d1fef4ed01022e7a327fec07 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 21:19:19 +0000
Subject: [PATCH 45/79] update

Signed-off-by: laurentsimon
---
 .github/workflows/slsa3.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml
index 08c71514..8f2b139f 100644
--- a/.github/workflows/slsa3.yml
+++ b/.github/workflows/slsa3.yml
@@ -80,8 +80,8 @@ on:
 default: "true"
 type: string

- private-repository:
- description: "Allow pubication of your repository name on the public Rekor log"
+ slsa-rekor-log-public:
+ description: "Allow publication of your repository name on the public Rekor log"
 required: false
 type: boolean
 default: false
@@ -106,7 +106,7 @@ jobs:
 uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main
 with:
 slsa-workflow-recipient: "delegator_generic_slsa3.yml"
- slsa-private-repository: ${{ inputs.private-repository == 'true' }}
+ slsa-rekor-log-public: ${{ inputs.slsa-rekor-log-public == 'true' }}
 slsa-runner-label: "ubuntu-latest"
 slsa-build-action-path: "./internal/sbom-wrapper"
 # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1575): mask sensitive fields.
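Review bot: `sudo find /tmp/ -maxdepth 2 -regex '/tmp/sbom-action-.*/*.json'` in the patch 44 hunk now selects the attestation subjects by globbing a world-writable directory shared by every step on the runner, so any file that lands in a `/tmp/sbom-action-*` directory before this script runs becomes a signed subject whether or not the sbom-action produced it, and nothing compares the resulting set with what the action was asked to emit. Prefer deriving the subject list from the action's declared outputs (the `artifact-name` / `output-file` inputs that the comment removed from `action.yml` in patch 32 already pointed at), or at minimum exit non-zero when `n` is 0 or when more files match than outputs were requested, since an empty or padded subject list is otherwise attested silently. `generate-layout.sh` continues outside the hunk.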
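Review bot: `slsa-rekor-log-public: ${{ inputs.slsa-rekor-log-public == 'true' }}` in the second hunk of patch 45 compares an input declared `type: boolean` (first hunk) with the string `'true'`; under the documented expression coercion for mismatched types a boolean becomes `1` and a non-numeric string becomes `NaN`, so this likely evaluates to `false` whatever the caller passes, and the same applies to the `slsa-private-repository: ${{ inputs.private-repository == 'true' }}` line it replaces, visible as context in patches 24, 25, 28 and 30. If the receiving action expects a boolean, pass `${{ inputs.slsa-rekor-log-public }}` directly; if it expects the string form, use `${{ inputs.slsa-rekor-log-public && 'true' || 'false' }}`. Either way a trial run that echoes the resolved value is worth adding, because the only symptom of the mismatch is the flag being silently ignored.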
From 24f4c9cd800d4c30b7da8dbc5152298d7b1f128b Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 21:33:31 +0000
Subject: [PATCH 46/79] update

Signed-off-by: laurentsimon
---
 .github/workflows/slsa3.yml | 12 +++++++-----
 internal/sbom-wrapper/action.yml | 14 ++++++++++++--
 internal/sbom-wrapper/download-file.sh | 7 +++++++
 internal/sbom-wrapper/generate-layout.sh | 1 +
 4 files changed, 27 insertions(+), 7 deletions(-)
 create mode 100755 internal/sbom-wrapper/download-file.sh

diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml
index 8f2b139f..29d7e83c 100644
--- a/.github/workflows/slsa3.yml
+++ b/.github/workflows/slsa3.yml
@@ -26,9 +26,11 @@ on:
 default: "."
 type: string

+ # TODO: support for workflow_dispatch event
+ # by providing a `tag-name` input.
 file:
 required: false
- description: "A file on the filesystem to scan"
+ description: "A file in a release asset to scan"
 type: string

 image:
@@ -52,10 +54,10 @@ on:
 required: false
 type: string

- output-file:
- required: false
- description: "A file location to output the SBOM"
- type: string
+ # output-file:
+ # required: false
+ # description: "A file location to output the SBOM"
+ # type: string

 syft-version:
 required: false
diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index b9a228fa..ea388b68 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -29,6 +29,16 @@ runs:
 # NOTE: the repository is already cloned by the caller, so there's no need to
 # checkout ourselves.

+ - name: Download artifact
+ if: ${{ startsWith(github.ref, 'refs/tags/') && fromJson(inputs.slsa-workflow-inputs).file != '' }}
+ env:
+ GH_TOKEN: ${{ github.token }}
+ REPO: ${{ github.repository }}
+ UNTRUSTED_TAG: ${{ github.ref }}
+ UNTRUSTED_ASSET: ${{ fromJson(inputs.slsa-workflow-inputs).file }}
+ run: ./../__TOOL_ACTION_DIR__/download-file.sh
+
+
 # This calls the main Action, e.g., ./../__TOOL_CHECKOUT_DIR__/
 # if path is left empty, the Action's action.yml is located at the root of the repository.
 - name: Run main sbom-action Action
@@ -40,7 +50,7 @@ runs:
 registry-username: ${{ fromJson(inputs.slsa-workflow-inputs).registry-username }}
 format: ${{ fromJson(inputs.slsa-workflow-inputs).format }}
 artifact-name: ${{ fromJson(inputs.slsa-workflow-inputs).artifact-name }}
- output-file: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }}
+ #output-file: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }}
 syft-version: ${{ fromJson(inputs.slsa-workflow-inputs).syft-version }}
 dependency-snapshot: ${{ fromJson(inputs.slsa-workflow-inputs).dependency-snapshot }}
 upload-artifact: ${{ fromJson(inputs.slsa-workflow-inputs).upload-artifact }}
@@ -52,7 +62,7 @@ runs:
 id: generate-layout
 env:
 SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
- UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }}
+ #UNTRUSTED_OUTPUT_FILE: ${{ fromJson(inputs.slsa-workflow-inputs).output-file }}
 shell: bash
 # The `slsa-build-action-path` is available at `./../__TOOL_ACTION_DIR__`.
 run: ./../__TOOL_ACTION_DIR__/generate-layout.sh
\ No newline at end of file
diff --git a/internal/sbom-wrapper/download-file.sh b/internal/sbom-wrapper/download-file.sh
new file mode 100755
index 00000000..b3206e7d
--- /dev/null
+++ b/internal/sbom-wrapper/download-file.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Download the file from the assets.
+version=$(echo "$UNTRUSTED_TAG" | cut -f3 -d '/')
+gh -R "$REPO" release download "$version" -p "$UNTRUSTED_ASSET"
\ No newline at end of file
diff --git a/internal/sbom-wrapper/generate-layout.sh b/internal/sbom-wrapper/generate-layout.sh
index c6fac309..c5f5da9d 100755
--- a/internal/sbom-wrapper/generate-layout.sh
+++ b/internal/sbom-wrapper/generate-layout.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+set -euo pipefail

 #find sboms/ -maxdepth 2 -regex 'sboms/sbom-action-.*/*.json' > FILES
 sudo find /tmp/ -maxdepth 2 -regex '/tmp/sbom-action-.*/*.json' | tee ./FILES

From fa54baef623e182b4caca46d17a06b55bca6aa76 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 21:36:57 +0000
Subject: [PATCH 47/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 1 -
 internal/sbom-wrapper/download-file.sh | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index ea388b68..7743c71f 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -33,7 +33,6 @@ runs:
 if: ${{ startsWith(github.ref, 'refs/tags/') && fromJson(inputs.slsa-workflow-inputs).file != '' }}
 env:
 GH_TOKEN: ${{ github.token }}
- REPO: ${{ github.repository }}
 UNTRUSTED_TAG: ${{ github.ref }}
 UNTRUSTED_ASSET: ${{ fromJson(inputs.slsa-workflow-inputs).file }}
 run: ./../__TOOL_ACTION_DIR__/download-file.sh
diff --git a/internal/sbom-wrapper/download-file.sh b/internal/sbom-wrapper/download-file.sh
index b3206e7d..43d84bec 100755
--- a/internal/sbom-wrapper/download-file.sh
+++ b/internal/sbom-wrapper/download-file.sh
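Review bot: `-p "$UNTRUSTED_ASSET"` passes the caller-supplied `file` input to `gh release download` as a glob pattern, so a value such as `*` fetches every asset of the release into the working directory instead of the single file the `description` in slsa3.yml promises; restrict the value to a literal name, or verify after the download that exactly the expected file exists before the sbom-action scans it. `version=$(echo "$UNTRUSTED_TAG" | cut -f3 -d '/')` also truncates tags that contain a slash (`refs/tags/release/1.0` becomes `release`); `version=${UNTRUSTED_TAG#refs/tags/}` keeps the whole tag, and the `startsWith(github.ref, 'refs/tags/')` guard on the calling step already guarantees the prefix. The script is complete within the hunk.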
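Review bot: With `set -euo pipefail` now in effect, the `read -r -d '' entry <<- EOM` further down in this script (outside the hunk, added in patch 32) returns non-zero because it reaches end of input before a NUL delimiter, so under `-e` the script aborts on the first SBOM file it processes; append `|| true` to that `read`, or assemble `entry` with `printf -v` as patch 52 later does. A one-line comment next to `set -euo pipefail` noting that the `sudo find … | tee ./FILES` pipeline is now fatal when `find` fails would also make the intended failure mode explicit.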
@@ -4,4 +4,4 @@ set -euo pipefail

 # Download the file from the assets.
 version=$(echo "$UNTRUSTED_TAG" | cut -f3 -d '/')
-gh -R "$REPO" release download "$version" -p "$UNTRUSTED_ASSET"
\ No newline at end of file
+gh release download "$version" -p "$UNTRUSTED_ASSET"
\ No newline at end of file

From 580af85db82cc1469cf57e1fead7a9cc0907615d Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 21:52:33 +0000
Subject: [PATCH 48/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/action.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml
index 7743c71f..ad0a0851 100644
--- a/internal/sbom-wrapper/action.yml
+++ b/internal/sbom-wrapper/action.yml
@@ -35,6 +35,7 @@ runs:
 GH_TOKEN: ${{ github.token }}
 UNTRUSTED_TAG: ${{ github.ref }}
 UNTRUSTED_ASSET: ${{ fromJson(inputs.slsa-workflow-inputs).file }}
+ shell: bash
 run: ./../__TOOL_ACTION_DIR__/download-file.sh



From 11a71c54fc7a216e7318c695723cbd409867bcda Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 30 Jan 2023 21:56:57 +0000
Subject: [PATCH 49/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/download-file.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/sbom-wrapper/download-file.sh b/internal/sbom-wrapper/download-file.sh
index 43d84bec..fbbdd142 100755
--- a/internal/sbom-wrapper/download-file.sh
+++ b/internal/sbom-wrapper/download-file.sh
@@ -4,4 +4,4 @@ set -euo pipefail

 # Download the file from the assets.
 version=$(echo "$UNTRUSTED_TAG" | cut -f3 -d '/')
-gh release download "$version" -p "$UNTRUSTED_ASSET"
\ No newline at end of file
+gh release download "$version" -p "$UNTRUSTED_ASSET" --clobber
\ No newline at end of file

From c946204cd14c6c5764b8630d3a49f8fec9eb9a6f Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Thu, 2 Feb 2023 17:53:22 +0000
Subject: [PATCH 50/79] update
Signed-off-by: laurentsimon
---
 .github/workflows/slsa3.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml
index 29d7e83c..af994ed3 100644
--- a/.github/workflows/slsa3.yml
+++ b/.github/workflows/slsa3.yml
@@ -118,8 +118,7 @@ jobs:
 needs: [slsa-setup]
 permissions:
 id-token: write # For signing.
- contents: write # For asset uploads.
- actions: read # For the entrypoint.
+ contents: write # For asset uploads.
 packages: write
 uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main
 with:

From 25bdaa133f182c1913d4a5bf373123e05541975c Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Fri, 3 Feb 2023 20:48:35 +0000
Subject: [PATCH 51/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/generate-layout.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/internal/sbom-wrapper/generate-layout.sh b/internal/sbom-wrapper/generate-layout.sh
index c5f5da9d..85422317 100755
--- a/internal/sbom-wrapper/generate-layout.sh
+++ b/internal/sbom-wrapper/generate-layout.sh
@@ -2,7 +2,9 @@
 set -euo pipefail

 #find sboms/ -maxdepth 2 -regex 'sboms/sbom-action-.*/*.json' > FILES
-sudo find /tmp/ -maxdepth 2 -regex '/tmp/sbom-action-.*/*.json' | tee ./FILES
+# NOTE: the name / extension varies dependecin on user input.
+# Here's I'm assuming it's .sbom.
+sudo find /tmp/ -maxdepth 2 -regex '/tmp/sbom-action-.*/*.sbom' | tee ./FILES

 attestations=()
 n=$(wc -l <./FILES)

From 0395bbf4de278bc0115c9c2feb02c0160294d8de Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Wed, 8 Feb 2023 19:02:25 +0000
Subject: [PATCH 52/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/generate-layout.sh | 22 ++++++++--------------
 1 file changed, 8 insertions(+), 14 deletions(-)

diff --git a/internal/sbom-wrapper/generate-layout.sh b/internal/sbom-wrapper/generate-layout.sh
index 85422317..5ae3814d 100755
--- a/internal/sbom-wrapper/generate-layout.sh
+++ b/internal/sbom-wrapper/generate-layout.sh @@ -1,10 +1,10 @@ #!/bin/bash set -euo pipefail -#find sboms/ -maxdepth 2 -regex 'sboms/sbom-action-.*/*.json' > FILES +find sboms/ -maxdepth 2 -regex 'sboms/sbom-action-.*/*.json' > FILES # NOTE: the name / extension varies dependecin on user input. # Here's I'm assuming it's .sbom. -sudo find /tmp/ -maxdepth 2 -regex '/tmp/sbom-action-.*/*.sbom' | tee ./FILES +#sudo find /tmp/ -maxdepth 2 -regex '/tmp/sbom-action-.*/*.sbom' | tee ./FILES attestations=() n=$(wc -l <./FILES) @@ -15,21 +15,15 @@ while IFS= read -r line; do echo "SBOM file: $file" hash=$(sha256sum "$file" | awk '{print $1}') subject_name=$(basename "$(readlink -m "$file")") - read -r -d '' entry <<- EOM - { - "name": "$subject_name", - "digest": - { - "sha256": "$hash" - } - } -EOM + template='{"name": "%s", "digest": {"sha256": "%s"}}' + printf -v entry "$template" "$subject_name" "$hash" + if [[ $i -eq $n ]]; then attestations+=("$entry") else attestations+=("$entry,") fi - + i=$((i+1)) done < FILES @@ -40,7 +34,7 @@ cat <DATA [ { "name": "attestation.intoto", - "subjects": + "subjects": [ ${attestations[@]} ] @@ -52,4 +46,4 @@ EOF jq "$SLSA_OUTPUTS_ARTIFACTS_FILE" \ No newline at end of file +cat DATA > "$SLSA_OUTPUTS_ARTIFACTS_FILE" From 9e7f50d52c2a562f56d852d9afa6d68627dff951 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 8 Feb 2023 19:04:43 +0000 Subject: [PATCH 53/79] update Signed-off-by: laurentsimon --- internal/sbom-wrapper/generate-layout.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/internal/sbom-wrapper/generate-layout.sh b/internal/sbom-wrapper/generate-layout.sh index 5ae3814d..a16544a2 100755 --- a/internal/sbom-wrapper/generate-layout.sh +++ b/internal/sbom-wrapper/generate-layout.sh 
@@ -1,10 +1,11 @@
 #!/bin/bash
 set -euo pipefail

-find sboms/ -maxdepth 2 -regex 'sboms/sbom-action-.*/*.json' > FILES
+# Local test.
+#find sboms/ -maxdepth 2 -regex 'sboms/sbom-action-.*/*.json' > FILES
 # NOTE: the name / extension varies dependecin on user input.
 # Here's I'm assuming it's .sbom.
-#sudo find /tmp/ -maxdepth 2 -regex '/tmp/sbom-action-.*/*.sbom' | tee ./FILES
+sudo find /tmp/ -maxdepth 2 -regex '/tmp/sbom-action-.*/*.sbom' | tee ./FILES

 attestations=()
 n=$(wc -l <./FILES)

From 63f08c2f6d26e8c3d4eca61dd312e725fb668a6a Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Wed, 8 Feb 2023 19:13:26 +0000
Subject: [PATCH 54/79] update

Signed-off-by: laurentsimon
---
 internal/sbom-wrapper/generate-layout.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/internal/sbom-wrapper/generate-layout.sh b/internal/sbom-wrapper/generate-layout.sh
index a16544a2..befcd7dc 100755
--- a/internal/sbom-wrapper/generate-layout.sh
+++ b/internal/sbom-wrapper/generate-layout.sh
@@ -28,13 +28,14 @@ while IFS= read -r line; do
 i=$((i+1))
 done < FILES

+# NOTE: the name of the attestation should be configurable.
 cat <DATA
 {
 "version": 1,
 "attestations":
 [
 {
- "name": "attestation.intoto",
+ "name": "attestation.sbom.intoto",
 "subjects":
 [
 ${attestations[@]}

From 83f223dde227828f5d97653a14f708b472f2e656 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 6 Mar 2023 20:47:52 +0000
Subject: [PATCH 55/79] update

Signed-off-by: laurentsimon
---
 .github/workflows/slsa3.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml
index af994ed3..4e70d7a7 100644
--- a/.github/workflows/slsa3.yml
+++ b/.github/workflows/slsa3.yml
@@ -112,7 +112,7 @@ jobs: slsa-runner-label: "ubuntu-latest" slsa-build-action-path: "./internal/sbom-wrapper" # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1575): mask sensitive fields. - slsa-workflow-inputs: ${{ toJson(inputs) }} + slsa-workflow-inputs: ${{ toJson(on.workflow_call.inputs) }} slsa-run: needs: [slsa-setup] From 6333a31a484a9ae6100264ee569a7f3003dacfc8 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 6 Mar 2023 20:50:07 +0000 Subject: [PATCH 56/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 4e70d7a7..af994ed3 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -112,7 +112,7 @@ jobs: slsa-runner-label: "ubuntu-latest" slsa-build-action-path: "./internal/sbom-wrapper" # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1575): mask sensitive fields. - slsa-workflow-inputs: ${{ toJson(on.workflow_call.inputs) }} + slsa-workflow-inputs: ${{ toJson(inputs) }} slsa-run: needs: [slsa-setup] From 3910c168ba5e68f197e1756d7f57237f4d4f5fbc Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 6 Mar 2023 22:41:16 +0000 Subject: [PATCH 57/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index af994ed3..9934509f 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -1,4 +1,4 @@ -name: Anchor SLSA3 SBOM builder +name: Anchore SLSA3 SBOM builder permissions: contents: read From 3d7a2997e55f3f36789b031d69e8550194b51fa8 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 8 Mar 2023 17:56:44 +0000 Subject: [PATCH 58/79] update Signed-off-by: laurentsimon --- package-lock.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/package-lock.json b/package-lock.json index 7fc8ff6a..a3fc5ad7 100644 --- a/package-lock.json +++ b/package-lock.json @@ -4838,9 +4838,9 @@ "dev": true }, "node_modules/http-cache-semantics": { - "version": "4.1.0", - "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz", - "integrity": "sha512-carPklcUh7ROWRK7Cv27RPtdhYhUsela/ue5/jKzjegVvXDqM2ILE9Q2BGn9JZJh1g87cp56su/FgQSzcWS8cQ==" + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.1.tgz", + "integrity": "sha512-er295DKPVsV82j5kw1Gjt+ADA/XYHsajl82cGNQG2eyoPkvgUhX+nDIyelzhIWbbsXP39EHcI6l5tYs2FYqYXQ==" }, "node_modules/http-proxy-agent": { "version": "5.0.0", @@ -14134,9 +14134,9 @@ "dev": true }, "http-cache-semantics": { - "version": "4.1.0", - "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz", - "integrity": "sha512-carPklcUh7ROWRK7Cv27RPtdhYhUsela/ue5/jKzjegVvXDqM2ILE9Q2BGn9JZJh1g87cp56su/FgQSzcWS8cQ==" + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.1.tgz", + "integrity": "sha512-er295DKPVsV82j5kw1Gjt+ADA/XYHsajl82cGNQG2eyoPkvgUhX+nDIyelzhIWbbsXP39EHcI6l5tYs2FYqYXQ==" }, "http-proxy-agent": { "version": "5.0.0", From c4a456d15feec15e7e82c4a320bf8eff36233723 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 10 Mar 2023 19:53:30 +0000 Subject: [PATCH 59/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 9934509f..c7a0831e 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml 
@@ -111,8 +111,8 @@ jobs: slsa-rekor-log-public: ${{ inputs.slsa-rekor-log-public == 'true' }} slsa-runner-label: "ubuntu-latest" slsa-build-action-path: "./internal/sbom-wrapper" - # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1575): mask sensitive fields. slsa-workflow-inputs: ${{ toJson(inputs) }} + slsa-workflow-masked-inputs: registry-username slsa-run: needs: [slsa-setup] From b4fe94920909a4ad522c36f36c435cda6f9f7d8e Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Tue, 21 Mar 2023 09:39:10 -0700 Subject: [PATCH 60/79] Update slsa3.yml --- .github/workflows/slsa3.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index c7a0831e..50ef83e4 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -105,14 +105,16 @@ jobs: steps: - name: Generate the token id: generate - uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main + uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@v1.5.0 + #uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main with: slsa-workflow-recipient: "delegator_generic_slsa3.yml" slsa-rekor-log-public: ${{ inputs.slsa-rekor-log-public == 'true' }} slsa-runner-label: "ubuntu-latest" slsa-build-action-path: "./internal/sbom-wrapper" slsa-workflow-inputs: ${{ toJson(inputs) }} - slsa-workflow-masked-inputs: registry-username + # TODO: re-enable when new version is cut + #slsa-workflow-masked-inputs: registry-username slsa-run: needs: [slsa-setup] 
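Review bot: The new `slsa-workflow-masked-inputs: registry-username` line masks one input, while `slsa-workflow-inputs: ${{ toJson(inputs) }}` on the line above still serialises every other workflow input into the data the delegator records in the signed provenance. Which of the remaining inputs also carry deployment details (registry hostnames, internal paths) is not visible from this hunk, so each should be reviewed deliberately rather than by omission, and since the TODO that asked for masking is removed here, the decision deserves a comment in its place, e.g. `# Inputs not listed in slsa-workflow-masked-inputs are recorded verbatim in the provenance.`.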
@@ -120,7 +122,8 @@ jobs: id-token: write # For signing. contents: write # For asset uploads. packages: write - uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main + #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main + uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.5.0 with: slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} secrets: From 02d34b03cea6f2ca7bc202fa99061cc485aa289e Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Tue, 21 Mar 2023 09:46:35 -0700 Subject: [PATCH 61/79] Update slsa3.yml --- .github/workflows/slsa3.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 50ef83e4..f5b5d00f 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -105,8 +105,8 @@ jobs: steps: - name: Generate the token id: generate - uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@v1.5.0 - #uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main + #uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@v1.5.0 + uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main with: slsa-workflow-recipient: "delegator_generic_slsa3.yml" slsa-rekor-log-public: ${{ inputs.slsa-rekor-log-public == 'true' }} @@ -114,7 +114,7 @@ jobs: slsa-build-action-path: "./internal/sbom-wrapper" slsa-workflow-inputs: ${{ toJson(inputs) }} # TODO: re-enable when new version is cut - #slsa-workflow-masked-inputs: registry-username + slsa-workflow-masked-inputs: registry-username slsa-run: needs: [slsa-setup] 
@@ -122,8 +122,8 @@ jobs: id-token: write # For signing. contents: write # For asset uploads. packages: write - #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main - uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main + #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.5.0 with: slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} secrets: From f30de76c1403d8a449b5cf64b217c287a1fbd07d Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Tue, 21 Mar 2023 09:50:52 -0700 Subject: [PATCH 62/79] Update slsa3.yml --- .github/workflows/slsa3.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index f5b5d00f..523b8895 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -105,7 +105,6 @@ jobs: steps: - name: Generate the token id: generate - #uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@v1.5.0 uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main with: slsa-workflow-recipient: "delegator_generic_slsa3.yml" @@ -113,7 +112,6 @@ jobs: slsa-runner-label: "ubuntu-latest" slsa-build-action-path: "./internal/sbom-wrapper" slsa-workflow-inputs: ${{ toJson(inputs) }} - # TODO: re-enable when new version is cut slsa-workflow-masked-inputs: registry-username slsa-run: From ab7353789f23d8839554a20ffca24afc5a75f2b4 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Tue, 21 Mar 2023 09:52:03 -0700 Subject: [PATCH 63/79] Update slsa3.yml --- .github/workflows/slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 523b8895..ffec35a4 100644 
--- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -108,7 +108,7 @@ jobs: uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main with: slsa-workflow-recipient: "delegator_generic_slsa3.yml" - slsa-rekor-log-public: ${{ inputs.slsa-rekor-log-public == 'true' }} + slsa-rekor-log-public: ${{ inputs.slsa-rekor-log-public }} slsa-runner-label: "ubuntu-latest" slsa-build-action-path: "./internal/sbom-wrapper" slsa-workflow-inputs: ${{ toJson(inputs) }} From 567bb9e7a0233243943e88c1078f9d64178f5cf4 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Tue, 21 Mar 2023 09:53:13 -0700 Subject: [PATCH 64/79] Update slsa3.yml --- .github/workflows/slsa3.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index ffec35a4..73cfaf23 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -120,8 +120,8 @@ jobs: id-token: write # For signing. contents: write # For asset uploads. packages: write - uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main - #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.5.0 + #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main + uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.5.0 with: slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} secrets: From 1f3e31a80c5ffbc09b5e624f5cde3892aeb59655 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Mon, 3 Apr 2023 19:08:17 -0700 Subject: [PATCH 65/79] Update slsa3.yml --- .github/workflows/slsa3.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 73cfaf23..ffec35a4 100644 --- a/.github/workflows/slsa3.yml 
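Review bot: Dropping the `== 'true'` comparison on `slsa-rekor-log-public: ${{ inputs.slsa-rekor-log-public }}` changes what is passed from the result of a boolean expression to the raw input value, and the input's declared type is outside this hunk. If the input is `type: string`, a caller passing `"false"` now hands the setup-token action a non-empty string instead of `false`; if it is `type: boolean` the old comparison was already misleading, so the declaration and the action's parsing of this field should be checked together. A comment recording the expected type, e.g. `# slsa-rekor-log-public is a boolean input; passed through without string comparison.`, would make the intent explicit.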
+++ b/.github/workflows/slsa3.yml @@ -120,8 +120,8 @@ jobs: id-token: write # For signing. contents: write # For asset uploads. packages: write - #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main - uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main + #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.5.0 with: slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} secrets: From b4aa49e2e55dedfb6dfbdc726cf0fe72a311982f Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Mon, 3 Apr 2023 19:12:55 -0700 Subject: [PATCH 66/79] Update slsa3.yml --- .github/workflows/slsa3.yml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index ffec35a4..542e89f2 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -67,20 +67,26 @@ on: dependency-snapshot: required: false description: "Upload to GitHub dependency snapshot API" - default: "false" - type: string + default: false + type: boolean + #default: "false" + #type: string upload-artifact: required: false description: "Upload artifact to workflow" - default: "true" - type: string + default: true + type: boolean + #default: "true" + #type: string upload-release-assets: required: false description: "Upload release assets" - default: "true" - type: string + default: true + type: boolean +# default: "true" +# type: string slsa-rekor-log-public: description: "Allow publication of your repository name on the public Rekor log" From 01a021f42f6678fcd3788497187c7bc7b5b27544 Mon Sep 17 00:00:00 2001 
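Review bot: The three `type: boolean` changes leave their previous `#default: "false"` / `#type: string` lines behind as commented-out configuration, and the third pair (`# default: "true"` / `# type: string`) sits at column 0, so it reads as a stray top-level comment inside the `on.workflow_call.inputs` block. Git history already records the old values; dropping the six commented lines keeps the block readable. A behavioural side effect worth stating in the commit message: callers that passed these inputs as quoted strings will likely now be rejected at the reusable-workflow boundary, and any `== 'true'` comparison on these inputs elsewhere in the file stops matching. The `slsa-rekor-log-public` declaration continues past the end of the hunk.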
From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Mon, 3 Apr 2023 19:23:17 -0700 Subject: [PATCH 67/79] Update slsa3.yml --- .github/workflows/slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 542e89f2..45d94f62 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -126,7 +126,7 @@ jobs: id-token: write # For signing. contents: write # For asset uploads. packages: write - uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main + uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@feat/byob-diffinputs #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.5.0 with: slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} From 6ff6c771c862f079bb558a026d70cdebaed43700 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Mon, 3 Apr 2023 19:24:21 -0700 Subject: [PATCH 68/79] Update slsa3.yml --- .github/workflows/slsa3.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 45d94f62..9ec20636 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -126,7 +126,8 @@ jobs: id-token: write # For signing. contents: write # For asset uploads. packages: write - uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@feat/byob-diffinputs + #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main + uses: laurentsimon/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@feat/byob-diffinputs #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.5.0 with: slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} 
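Review bot: `uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@feat/byob-diffinputs` points the provenance-generating workflow at a mutable branch, and the following commit moves it to a personal fork (`laurentsimon/slsa-github-generator/...@feat/byob-diffinputs`); the same pattern recurs on the setup-token and delegator lines of patches 71–74, 77 and 78. Whoever can push to that branch controls the job that runs with the `id-token: write`, `contents: write` and `packages: write` grants shown in the hunk context and signs the SBOM, so for anything beyond a local experiment the reference should be an immutable tag or full commit SHA in the upstream organisation, as the commented `@v1.5.0` line does. If these are throwaway test commits, squashing them before merge keeps the fork reference out of the history of a release workflow.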
From cf299f7a7746a09646f61fec7af615b8e5da68d6 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 22 May 2023 16:27:22 +0000 Subject: [PATCH 69/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 9ec20636..542e89f2 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -126,8 +126,7 @@ jobs: id-token: write # For signing. contents: write # For asset uploads. packages: write - #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main - uses: laurentsimon/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@feat/byob-diffinputs + uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.5.0 with: slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} From 62ca08c38568e5facdf2917ea8b2c540613b0c8c Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 22 May 2023 16:29:25 +0000 Subject: [PATCH 70/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 542e89f2..09a9345e 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -126,6 +126,7 @@ jobs: id-token: write # For signing. contents: write # For asset uploads. packages: write + actions: read uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.5.0 with: From 296cf4307e5df755c3b38a69fb8d3790230132e6 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 22 May 2023 16:44:32 +0000 Subject: [PATCH 71/79] update 
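Review bot: The added `actions: read` carries no trailing comment, whereas the neighbouring `id-token: write # For signing.` and `contents: write # For asset uploads.` lines each say what the grant is for; `packages: write` is likewise unexplained. Since this block is the permission set handed to a third-party reusable workflow, each line should name the consumer that needs it, e.g. `actions: read # needed by delegator_generic_slsa3.yml — confirm which step`, so a later reviewer can tell when a grant has become unnecessary.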
Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 09a9345e..b379314c 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -111,7 +111,9 @@ jobs: steps: - name: Generate the token id: generate - uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main + # Temporary fix because @main has a slsa version mismatch + uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@feat/slsa-version + #uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main with: slsa-workflow-recipient: "delegator_generic_slsa3.yml" slsa-rekor-log-public: ${{ inputs.slsa-rekor-log-public }} From 29f936b25adc3c7a47a3856135166fd5f78f2eb7 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 22 May 2023 16:47:26 +0000 Subject: [PATCH 72/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index b379314c..20fc617d 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -112,7 +112,7 @@ jobs: - name: Generate the token id: generate # Temporary fix because @main has a slsa version mismatch - uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@feat/slsa-version + uses: laurentsimon/slsa-github-generator/actions/delegator/setup-token@feat/slsa-version #uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main with: slsa-workflow-recipient: "delegator_generic_slsa3.yml" From 48abe6f62d255b147231962d92fac635434d5a88 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 22 May 2023 17:09:31 +0000 Subject: [PATCH 73/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 20fc617d..7d160455 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -111,7 +111,7 @@ jobs: steps: - name: Generate the token id: generate - # Temporary fix because @main has a slsa version mismatch + # TODO(https://github.com/slsa-framework/slsa-github-generator/pull/2155): use @main to test. uses: laurentsimon/slsa-github-generator/actions/delegator/setup-token@feat/slsa-version #uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main with: @@ -129,7 +129,8 @@ jobs: contents: write # For asset uploads. packages: write actions: read - uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main + # TODO(https://github.com/slsa-framework/slsa-github-generator/pull/2155): use @main to test. + uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@feat/slsa-version #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.5.0 with: slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} From 6c0cca44273d6080d63e2860ac1dc012f2aa7f28 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 22 May 2023 17:16:44 +0000 Subject: [PATCH 74/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 7d160455..0ffa8d72 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml 
@@ -130,7 +130,7 @@ jobs: packages: write actions: read # TODO(https://github.com/slsa-framework/slsa-github-generator/pull/2155): use @main to test. - uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@feat/slsa-version + uses: laurentsimon/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@feat/slsa-version #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.5.0 with: slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} From 122dff631b4b2662512e24f43d2628631f202a3c Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 22 May 2023 17:20:04 +0000 Subject: [PATCH 75/79] update Signed-off-by: laurentsimon --- internal/sbom-wrapper/action.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/internal/sbom-wrapper/action.yml b/internal/sbom-wrapper/action.yml index ad0a0851..373e1d00 100644 --- a/internal/sbom-wrapper/action.yml +++ b/internal/sbom-wrapper/action.yml @@ -22,6 +22,21 @@ inputs: description: 'secret2 stores the github-token' type: string required: false + + # Unused secret inputs. + slsa-workflow-secret3: {} + slsa-workflow-secret4: {} + slsa-workflow-secret5: {} + slsa-workflow-secret6: {} + slsa-workflow-secret7: {} + slsa-workflow-secret8: {} + slsa-workflow-secret9: {} + slsa-workflow-secret10: {} + slsa-workflow-secret11: {} + slsa-workflow-secret12: {} + slsa-workflow-secret13: {} + slsa-workflow-secret14: {} + slsa-workflow-secret15: {} runs: using: 'composite' From bdbc54aac8103a6f11fbd31a1436f308678b8ffa Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 22 May 2023 17:46:38 +0000 Subject: [PATCH 76/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 0ffa8d72..67f3462d 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml 
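Review bot: The thirteen `slsa-workflow-secretN: {}` inputs added to `internal/sbom-wrapper/action.yml` have no `description`, which action metadata requires for every input, and the `# Unused secret inputs.` comment is the only hint that they are placeholders. Even unused, values passed to these inputs land in the composite action's `inputs` context, so each should be declared explicitly, e.g. `slsa-workflow-secret3: { description: "Unused; reserved by the delegator interface", required: false }`, and the comment should say why thirteen extra slots are expected. If the delegator passes a fixed number of secret slots, a pointer to that interface would tell a maintainer when the list can shrink.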
@@ -111,9 +111,7 @@ jobs: steps: - name: Generate the token id: generate - # TODO(https://github.com/slsa-framework/slsa-github-generator/pull/2155): use @main to test. - uses: laurentsimon/slsa-github-generator/actions/delegator/setup-token@feat/slsa-version - #uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main + uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main with: slsa-workflow-recipient: "delegator_generic_slsa3.yml" slsa-rekor-log-public: ${{ inputs.slsa-rekor-log-public }} @@ -129,9 +127,7 @@ jobs: contents: write # For asset uploads. packages: write actions: read - # TODO(https://github.com/slsa-framework/slsa-github-generator/pull/2155): use @main to test. - uses: laurentsimon/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@feat/slsa-version - #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main with: slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} secrets: From a909f08cd42ee35362d62828deb55ec3d6af67df Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 22 May 2023 18:04:15 +0000 Subject: [PATCH 77/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 67f3462d..bb88bfca 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml 
@@ -127,7 +127,8 @@ jobs: contents: write # For asset uploads. packages: write actions: read - uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main + #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main + uses: laurentsimon/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@fix/v1-gen with: slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} secrets: From affff9e28e0833f1d0eb0f25f10804e74b31b72a Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 22 May 2023 18:07:31 +0000 Subject: [PATCH 78/79] update Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index bb88bfca..9c8335a6 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -111,7 +111,8 @@ jobs: steps: - name: Generate the token id: generate - uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main + #uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main + uses: laurentsimon/slsa-github-generator/actions/delegator/setup-token@feat/slsa-version with: slsa-workflow-recipient: "delegator_generic_slsa3.yml" slsa-rekor-log-public: ${{ inputs.slsa-rekor-log-public }} @@ -128,7 +129,7 @@ jobs: packages: write actions: read #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main - uses: laurentsimon/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@fix/v1-gen + uses: laurentsimon/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@feat/slsa-version with: slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} secrets: From 3a4d2bc54046b44d35b6f22d3224e59bfc1d710c Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 22 May 2023 19:18:42 +0000 Subject: [PATCH 79/79] update 
Signed-off-by: laurentsimon --- .github/workflows/slsa3.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/slsa3.yml b/.github/workflows/slsa3.yml index 9c8335a6..67f3462d 100644 --- a/.github/workflows/slsa3.yml +++ b/.github/workflows/slsa3.yml @@ -111,8 +111,7 @@ jobs: steps: - name: Generate the token id: generate - #uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main - uses: laurentsimon/slsa-github-generator/actions/delegator/setup-token@feat/slsa-version + uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main with: slsa-workflow-recipient: "delegator_generic_slsa3.yml" slsa-rekor-log-public: ${{ inputs.slsa-rekor-log-public }} @@ -128,8 +127,7 @@ jobs: contents: write # For asset uploads. packages: write actions: read - #uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main - uses: laurentsimon/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@feat/slsa-version + uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main with: slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} secrets: