|
1 | 1 | # input: "build" object (with "buildId" top level key) |
2 | | -# output: array of image tags |
| 2 | +# output: list of image tags |
3 | 3 | def tags: |
4 | | - .source.arches[].tags[], |
5 | | - .source.arches[].archTags[], |
6 | | - .build.img |
7 | | -; |
8 | | - |
9 | | -# input: "build" object (with "buildId" top level key) |
10 | | -# output: purl platform query string |
11 | | -def platform_string: |
12 | | - .source.arches[].platformString | gsub("/"; "%2F") |
| 4 | + [ |
| 5 | + .source.arches[].tags[], |
| 6 | + .source.arches[].archTags[], |
| 7 | + .build.img |
| 8 | + ] |
13 | 9 | ; |
14 | 10 |
|
15 | 11 | # input: "tags" object with image digest and platform arguments |
16 | 12 | # output: json object for in-toto provenance subject field |
17 | 13 | def subjects($platform; $digest): |
18 | | - { |
19 | | - "name": ("pkg:docker/" + . + "?platform=" + $platform), |
20 | | - "digest": { |
21 | | - "sha256": $digest |
22 | | - } |
23 | | - } |
| 14 | + ($digest | split(":")) as $splitDigest |
| 15 | + | { |
| 16 | + "name": "pkg:docker/\(.)?platform=\($platform)", |
| 17 | + "digest": { |
| 18 | + ($splitDigest[0]): $splitDigest[1], |
| 19 | + } |
| 20 | + } |
24 | 21 | ; |
25 | 22 |
|
26 | | -# input: GITHUB context argument |
| 23 | +# input: GITHUB context |
27 | 24 | # output: json object for in-toto provenance external parameters field |
28 | | -def github_external_parameters($context): |
29 | | -($context.workflow_ref | gsub( $context.repository + "/"; "")) as $workflowPathRef | |
30 | | -{ |
31 | | - inputs: $context.event.inputs, |
32 | | - workflow: { |
33 | | - ref: ($workflowPathRef | split("@")[1]), |
34 | | - repository: ($context.server_url + "/" + $context.repository), |
35 | | - path: ($workflowPathRef | split("@")[0]), |
36 | | - digest: {sha256: $context.workflow_sha} |
37 | | - } |
38 | | -} |
39 | | -; |
40 | | - |
41 | | -# input: GITHUB context argument |
42 | | -# output: json object for in-toto provenance internal parameters field |
43 | | -def github_internal_parameters($context): |
44 | | -{ |
45 | | - github: { |
46 | | - event_name: $context.event_name, |
47 | | - repository_id: $context.repository_id, |
48 | | - repository_owner_id: $context.repository_owner_id, |
49 | | - } |
50 | | -} |
| 25 | +def github_external_parameters($github): |
| 26 | + ($github.workflow_ref | ltrimstr($github.repository + "/") | split("@")) as $workflowRefSplit |
| 27 | + | { |
| 28 | + inputs: $github.event.inputs, |
| 29 | + workflow: { |
| 30 | + ref: $workflowRefSplit[1], |
| 31 | + repository: ($github.server_url + "/" + $github.repository), |
| 32 | + path: $workflowRefSplit[0], |
| 33 | + digest: { gitCommit: $github.workflow_sha }, |
| 34 | + } |
| 35 | + } |
51 | 36 | ; |
52 | 37 |
|
53 | | -# input: "tags" object with platform, image digest and GITHUB context arguments |
| 38 | +# input: "build" object with platform and image digest |
54 | 39 | # output: json object for in-toto provenance statement |
55 | | -def github_actions_provenance($platform; $digest; $context): |
56 | | -{ |
57 | | - _type: "https://in-toto.io/Statement/v1", |
58 | | - subject: . | map(subjects($platform; $digest)), |
59 | | - predicateType: "https://slsa.dev/provenance/v1", |
60 | | - predicate: { |
61 | | - buildDefinition: { |
62 | | - buildType: "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1", |
63 | | - externalParameters: github_external_parameters($context), |
64 | | - internalParameters: github_internal_parameters($context), |
65 | | - resolvedDependencies: [{ |
66 | | - uri: ("git+"+$context.server_url+"/"+$context.repository+"@"+$context.ref), |
67 | | - digest: { "gitCommit": $context.sha } |
68 | | - }] |
69 | | - }, |
70 | | - runDetails: { |
71 | | - builder: { |
72 | | - id: ($context.server_url+"/"+$context.workflow_ref), |
73 | | - }, |
74 | | - metadata: { |
75 | | - invocationId: ($context.server_url+"/"+$context.repository+"/actions/runs/"+$context.run_id+"/attempts/"+$context.run_attempt), |
76 | | - } |
77 | | - } |
78 | | - } |
79 | | -} |
| 40 | +def github_actions_provenance: |
| 41 | + (env.GITHUB_CONTEXT | fromjson) as $github | |
| 42 | + (.source.arches[].platformString | @uri) as $platform | |
| 43 | + { |
| 44 | + _type: "https://in-toto.io/Statement/v1", |
| 45 | + subject: . | tags | map(subjects($platform; $digest)), |
| 46 | + predicateType: "https://slsa.dev/provenance/v1", |
| 47 | + predicate: { |
| 48 | + buildDefinition: { |
| 49 | + buildType: "https://actions.github.io/buildtypes/workflow/v1", |
| 50 | + externalParameters: github_external_parameters($github), |
| 51 | + internalParameters: { |
| 52 | + github: { |
| 53 | + event_name: $github.event_name, |
| 54 | + repository_id: $github.repository_id, |
| 55 | + repository_owner_id: $github.repository_owner_id, |
| 56 | + runner_environment: "github-hosted" |
| 57 | + } |
| 58 | + }, |
| 59 | + resolvedDependencies: [{ |
| 60 | + uri: ("git+"+$github.server_url+"/"+$github.repository+"@"+$github.ref), |
| 61 | + digest: { "gitCommit": $github.sha } |
| 62 | + }] |
| 63 | + }, |
| 64 | + runDetails: { |
| 65 | + # builder.id identifies the transitive closure of the trusted build platform evalution. |
| 66 | + # any changes that alter security properties or build level must update this ID and rotate the signing key. |
| 67 | + # https://slsa.dev/spec/v1.0/provenance#builder |
| 68 | + builder: { |
| 69 | + id: ($github.server_url+"/"+$github.workflow_ref), |
| 70 | + }, |
| 71 | + metadata: { |
| 72 | + invocationId: ($github.server_url+"/"+$github.repository+"/actions/runs/"+$github.run_id+"/attempts/"+$github.run_attempt), |
| 73 | + } |
| 74 | + } |
| 75 | + } |
| 76 | + } |
80 | 77 | ; |
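Review bot: `$digest` in `subject: . | tags | map(subjects($platform; $digest))` is no longer bound by the function's signature, which the commit changed from `github_actions_provenance($platform; $digest; $context)` to an arity-0 definition; it only resolves if the invoking jq command supplies `--arg digest`, and otherwise the module fails to compile with "$digest is not defined". Making it an explicit parameter, `def github_actions_provenance($digest):`, keeps that dependency visible to callers and lets the function be reused outside one particular invocation. Separately, `runner_environment: "github-hosted"` is a hard-coded constant, so the signed provenance asserts a hosted runner even if this workflow is ever run on a self-hosted runner; that field presumably mirrors the `runner.environment` context and should be passed in rather than asserted unconditionally. In `subjects`, `($digest | split(":")) as $splitDigest` trusts that the input carries an algorithm prefix — a bare hex digest yields `{ "<hex>": null }` as the subject digest — so a guard such as `if ($splitDigest | length) != 2 then error("digest must be <alg>:<hex>") else . end` before the object construction would reject a malformed subject instead of signing it.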