Collapse more functions into main doc, add more trailing commas, minor calculation adjustments

tianon · tianon · commit 96f29bc091b0 · 2024-09-18T17:34:30.000-07:00
The primary justification for collapsing everything back into the main document (aside from there only being a single caller for each function) is that it makes verifying that we didn't miss anything easier -- as you scan the document, for each field that contains a "load-bearing" URL (first https://in-toto.io/Statement/v1, then https://slsa.dev/provenance/v1, and finally https://actions.github.io/buildtypes/workflow/v1), if you open the URL it describes the expected format, fields, and values, and with them all here and in-order, they're *much* easier to match up and validate to be correct and exhaustive. Granted, that will change over time as we shove more and more (optional) data into this document so that it includes a more complete picture, but for now, this is makes it really easy to double check our work (and the end result is no less organized; for example, the `externalParameters` are still all grouped together under a suitable heading describing what their purpose is). I also made some minor changes to the way values were calculated, especially in the `workflow` block, but very related to the above justification: now the way we calculate the values matches the way they're described in https://actions.github.io/buildtypes/workflow/v1 (specifically using the exact fields parsed in the exact ways they suggest). We will probably deviate from that over time (as suggested by a new "TODO" comment I included), but at least this way our baseline matches theirs and the delta will be easier to track. Additionally, I removed the `(env.GITHUB_CONTEXT | fromjson) as $github` line from here, because I think that's more appropriate behavior for the caller (and added back the explicit function arguments). This will be more clearly meaningful in my follow-up commit adding a basic test.
diff --git a/provenance.jq b/provenance.jq
@@ -1,77 +1,78 @@
-# input: "build" object (with "buildId" top level key)
-# output: list of image tags
-def tags:
-	[
-		.source.arches[].tags[],
-		.source.arches[].archTags[],
-		.build.img
-	]
-;
-
-# input: "tags" object with image digest and platform arguments
-# output: json object for in-toto provenance subject field
-def subjects($platform; $digest):
-	($digest | split(":")) as $splitDigest
-	| {
-		"name": "pkg:docker/\(.)?platform=\($platform)",
-		"digest": {
-			($splitDigest[0]): $splitDigest[1],
-		}
-	}
-;
-
-# input: GITHUB context
-# output: json object for in-toto provenance external parameters field
-def github_external_parameters($github):
-	($github.workflow_ref | ltrimstr($github.repository + "/") | split("@")) as $workflowRefSplit
-	| {
-		inputs: $github.event.inputs,
-		workflow: {
-			ref: $workflowRefSplit[1],
-			repository: ($github.server_url + "/" + $github.repository),
-			path: $workflowRefSplit[0],
-			digest: { gitCommit: $github.workflow_sha },
-		}
-	}
-;
-
 # input: "build" object with platform and image digest
-# output: json object for in-toto provenance statement
-def github_actions_provenance:
-	(env.GITHUB_CONTEXT | fromjson) as $github |
-	(.source.arches[].platformString | @uri) as $platform |
-	{
-		_type: "https://in-toto.io/Statement/v1",
-		subject: . | tags | map(subjects($platform; $digest)),
-		predicateType: "https://slsa.dev/provenance/v1",
-		predicate: {
-			buildDefinition: {
-				buildType: "https://actions.github.io/buildtypes/workflow/v1",
-				externalParameters: github_external_parameters($github),
-				internalParameters: {
-					github: {
-						event_name: $github.event_name,
-						repository_id: $github.repository_id,
-						repository_owner_id: $github.repository_owner_id,
-						runner_environment: "github-hosted"
-					}
+#   $github: "github" context; CONTAINS SENSITIVE INFORMATION (https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#github-context)
+#   $digest: the OCI image digest for the just-built image (normally in .build.resolved.annotations["org.opencontainers.image.ref.name"] but only post-push/regeneration and we haven't pushed yet)
+#
+# output: in-toto provenance statement (https://slsa.dev/spec/v1.0/provenance)
+#   see also: https://github.com/actions/buildtypes/tree/main/workflow/v1
+def github_actions_provenance($github; $digest):
+	if $github.event_name != "workflow_dispatch" then error("error: '\($github.event_name)' is not a supported event type for provenance generation") else
+		{
+			_type: "https://in-toto.io/Statement/v1",
+			subject: [
+				($digest | split(":")) as $splitDigest
+				| (.source.arches[.build.arch].platformString) as $platform
+				| (
+					.source.arches[.build.arch].tags[],
+					.source.arches[.build.arch].archTags[],
+					.build.img,
+					empty # trailing comma
+				)
+				| {
+					# https://github.com/package-url/purl-spec/blob/b33dda1cf4515efa8eabbbe8e9b140950805f845/PURL-TYPES.rst#docker (this matches what BuildKit generates as of 2024-09-18; "oci" would also be a reasonable choice, but would require signer and policy changes to support, and be more complex to generate accurately)
+					name: "pkg:docker/\(.)?platform=\($platform | @uri)",
+					digest: { ($splitDigest[0]): $splitDigest[1] },
+				}
+			],
+			predicateType: "https://slsa.dev/provenance/v1",
+			predicate: {
+				buildDefinition: {
+					buildType: "https://actions.github.io/buildtypes/workflow/v1",
+					externalParameters: {
+						workflow: {
+							# TODO this matches how this is documented/suggested in GitHub's buildType documentation, but does not account for the workflow file being in a separate repository at a separate ref from the "source" (which the "workflow_ref" field *does* account for), so that would/will change how we need to calculate these values if we ever do that (something like "^(?<repo>[^/]+/[^/]+)/(?<path>.*)@(?<ref>refs/.*)$" on $github.workflow_ref ?)
+							ref: $github.ref,
+							repository: ($github.server_url + "/" + $github.repository),
+							path: (
+								$github.workflow_ref
+								| ltrimstr($github.repository + "/")
+								| rtrimstr("@" + $github.ref)
+								| if contains("@") then error("parsing 'workflow_ref' failed: '\(.)'") else . end
+							),
+							# not required, but useful/important (and potentially but unlikely different from $github.sha used in resolvedDependencies below):
+							digest: { gitCommit: $github.workflow_sha },
+						},
+						inputs: $github.event.inputs, # https://docs.github.com/en/webhooks/webhook-events-and-payloads#workflow_dispatch
+					},
+					internalParameters: {
+						github: {
+							event_name: $github.event_name,
+							repository_id: $github.repository_id,
+							repository_owner_id: $github.repository_owner_id,
+							runner_environment: "github-hosted",
+						},
+					},
+					resolvedDependencies: [
+						{
+							uri: "git+\($github.server_url)/\($github.repository)@\($github.ref)",
+							digest: { "gitCommit": $github.sha },
+						},
+						# TODO figure out a way to include resolved action SHAs from "uses:" expressions
+						# TODO include more resolved dependencies
+						empty # tailing comma
+					],
 				},
-				resolvedDependencies: [{
-					uri: ("git+"+$github.server_url+"/"+$github.repository+"@"+$github.ref),
-					digest: { "gitCommit": $github.sha }
-				}]
-			},
-			runDetails: {
-				# builder.id identifies the transitive closure of the trusted build platform evalution.
-				# any changes that alter security properties or build level must update this ID and rotate the signing key.
-				# https://slsa.dev/spec/v1.0/provenance#builder
-				builder: {
-					id: ($github.server_url+"/"+$github.workflow_ref),
+				runDetails: {
+					# builder.id identifies the transitive closure of the trusted build platform evalution.
+					# any changes that alter security properties or build level must update this ID and rotate the signing key.
+					# https://slsa.dev/spec/v1.0/provenance#builder
+					builder: {
+						id: ($github.server_url + "/" + $github.workflow_ref),
+					},
+					metadata: {
+						invocationId: "\($github.server_url)/\($github.repository)/actions/runs/\($github.run_id)/attempts/\($github.run_attempt)",
+					},
 				},
-				metadata: {
-					invocationId: ($github.server_url+"/"+$github.repository+"/actions/runs/"+$github.run_id+"/attempts/"+$github.run_attempt),
-				}
-			}
+			},
 		}
-	}
+	end
 ;
