Add a basic test of the provenance (both amd64 and windows, to illustrate/validate the inputs variance)

tianon · tianon · commit ad28b37e8825 · 2024-09-18T17:34:51.000-07:00
diff --git a/.test/provenance/in.json b/.test/provenance/in.json
@@ -0,0 +1 @@
+../builds.json
diff --git a/.test/provenance/out.json b/.test/provenance/out.json
@@ -0,0 +1,271 @@
+[
+	{
+		"_type": "https://in-toto.io/Statement/v1",
+		"subject": [
+			{
+				"name": "pkg:docker/docker:24.0.7-cli?platform=linux%2Famd64",
+				"digest": {
+					"sha256": "153793dfbac130679ad1eebd9e88b3772c47d3903a3f299c49d5c3f23a6e35d2"
+				}
+			},
+			{
+				"name": "pkg:docker/docker:24.0-cli?platform=linux%2Famd64",
+				"digest": {
+					"sha256": "153793dfbac130679ad1eebd9e88b3772c47d3903a3f299c49d5c3f23a6e35d2"
+				}
+			},
+			{
+				"name": "pkg:docker/docker:24-cli?platform=linux%2Famd64",
+				"digest": {
+					"sha256": "153793dfbac130679ad1eebd9e88b3772c47d3903a3f299c49d5c3f23a6e35d2"
+				}
+			},
+			{
+				"name": "pkg:docker/docker:cli?platform=linux%2Famd64",
+				"digest": {
+					"sha256": "153793dfbac130679ad1eebd9e88b3772c47d3903a3f299c49d5c3f23a6e35d2"
+				}
+			},
+			{
+				"name": "pkg:docker/docker:24.0.7-cli-alpine3.18?platform=linux%2Famd64",
+				"digest": {
+					"sha256": "153793dfbac130679ad1eebd9e88b3772c47d3903a3f299c49d5c3f23a6e35d2"
+				}
+			},
+			{
+				"name": "pkg:docker/amd64/docker:24.0.7-cli?platform=linux%2Famd64",
+				"digest": {
+					"sha256": "153793dfbac130679ad1eebd9e88b3772c47d3903a3f299c49d5c3f23a6e35d2"
+				}
+			},
+			{
+				"name": "pkg:docker/amd64/docker:24.0-cli?platform=linux%2Famd64",
+				"digest": {
+					"sha256": "153793dfbac130679ad1eebd9e88b3772c47d3903a3f299c49d5c3f23a6e35d2"
+				}
+			},
+			{
+				"name": "pkg:docker/amd64/docker:24-cli?platform=linux%2Famd64",
+				"digest": {
+					"sha256": "153793dfbac130679ad1eebd9e88b3772c47d3903a3f299c49d5c3f23a6e35d2"
+				}
+			},
+			{
+				"name": "pkg:docker/amd64/docker:cli?platform=linux%2Famd64",
+				"digest": {
+					"sha256": "153793dfbac130679ad1eebd9e88b3772c47d3903a3f299c49d5c3f23a6e35d2"
+				}
+			},
+			{
+				"name": "pkg:docker/amd64/docker:24.0.7-cli-alpine3.18?platform=linux%2Famd64",
+				"digest": {
+					"sha256": "153793dfbac130679ad1eebd9e88b3772c47d3903a3f299c49d5c3f23a6e35d2"
+				}
+			},
+			{
+				"name": "pkg:docker/oisupport/staging-amd64:4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43?platform=linux%2Famd64",
+				"digest": {
+					"sha256": "153793dfbac130679ad1eebd9e88b3772c47d3903a3f299c49d5c3f23a6e35d2"
+				}
+			}
+		],
+		"predicateType": "https://slsa.dev/provenance/v1",
+		"predicate": {
+			"buildDefinition": {
+				"buildType": "https://actions.github.io/buildtypes/workflow/v1",
+				"externalParameters": {
+					"workflow": {
+						"ref": "refs/heads/subset",
+						"repository": "https://github.com/docker-library/meta",
+						"path": ".github/workflows/build.yml",
+						"digest": {
+							"gitCommit": "0123456789abcdef0123456789abcdef01234567"
+						}
+					},
+					"inputs": {
+						"buildId": "4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43",
+						"bashbrewArch": "amd64",
+						"firstTag": "docker:24.0.7-cli"
+					}
+				},
+				"internalParameters": {
+					"github": {
+						"event_name": "workflow_dispatch",
+						"repository_id": "1234",
+						"repository_owner_id": "5678",
+						"runner_environment": "github-hosted"
+					}
+				},
+				"resolvedDependencies": [
+					{
+						"uri": "git+https://github.com/docker-library/meta@refs/heads/subset",
+						"digest": {
+							"gitCommit": "0123456789abcdef0123456789abcdef01234567"
+						}
+					}
+				]
+			},
+			"runDetails": {
+				"builder": {
+					"id": "https://github.com/docker-library/meta/.github/workflows/build.yml@refs/heads/subset"
+				},
+				"metadata": {
+					"invocationId": "https://github.com/docker-library/meta/actions/runs/9001/attempts/2"
+				}
+			}
+		}
+	},
+	{
+		"_type": "https://in-toto.io/Statement/v1",
+		"subject": [
+			{
+				"name": "pkg:docker/docker:24.0.7-windowsservercore-ltsc2022?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			},
+			{
+				"name": "pkg:docker/docker:24.0-windowsservercore-ltsc2022?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			},
+			{
+				"name": "pkg:docker/docker:24-windowsservercore-ltsc2022?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			},
+			{
+				"name": "pkg:docker/docker:windowsservercore-ltsc2022?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			},
+			{
+				"name": "pkg:docker/docker:24.0.7-windowsservercore?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			},
+			{
+				"name": "pkg:docker/docker:24.0-windowsservercore?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			},
+			{
+				"name": "pkg:docker/docker:24-windowsservercore?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			},
+			{
+				"name": "pkg:docker/docker:windowsservercore?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			},
+			{
+				"name": "pkg:docker/winamd64/docker:24.0.7-windowsservercore-ltsc2022?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			},
+			{
+				"name": "pkg:docker/winamd64/docker:24.0-windowsservercore-ltsc2022?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			},
+			{
+				"name": "pkg:docker/winamd64/docker:24-windowsservercore-ltsc2022?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			},
+			{
+				"name": "pkg:docker/winamd64/docker:windowsservercore-ltsc2022?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			},
+			{
+				"name": "pkg:docker/winamd64/docker:24.0.7-windowsservercore?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			},
+			{
+				"name": "pkg:docker/winamd64/docker:24.0-windowsservercore?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			},
+			{
+				"name": "pkg:docker/winamd64/docker:24-windowsservercore?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			},
+			{
+				"name": "pkg:docker/winamd64/docker:windowsservercore?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			},
+			{
+				"name": "pkg:docker/oisupport/staging-windows-amd64:9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e?platform=windows%2Famd64",
+				"digest": {
+					"sha256": "69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"
+				}
+			}
+		],
+		"predicateType": "https://slsa.dev/provenance/v1",
+		"predicate": {
+			"buildDefinition": {
+				"buildType": "https://actions.github.io/buildtypes/workflow/v1",
+				"externalParameters": {
+					"workflow": {
+						"ref": "refs/heads/subset",
+						"repository": "https://github.com/docker-library/meta",
+						"path": ".github/workflows/build.yml",
+						"digest": {
+							"gitCommit": "0123456789abcdef0123456789abcdef01234567"
+						}
+					},
+					"inputs": {
+						"buildId": "9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e",
+						"bashbrewArch": "windows-amd64",
+						"firstTag": "docker:24.0.7-windowsservercore-ltsc2022",
+						"windowsVersion": "2022"
+					}
+				},
+				"internalParameters": {
+					"github": {
+						"event_name": "workflow_dispatch",
+						"repository_id": "1234",
+						"repository_owner_id": "5678",
+						"runner_environment": "github-hosted"
+					}
+				},
+				"resolvedDependencies": [
+					{
+						"uri": "git+https://github.com/docker-library/meta@refs/heads/subset",
+						"digest": {
+							"gitCommit": "0123456789abcdef0123456789abcdef01234567"
+						}
+					}
+				]
+			},
+			"runDetails": {
+				"builder": {
+					"id": "https://github.com/docker-library/meta/.github/workflows/build.yml@refs/heads/subset"
+				},
+				"metadata": {
+					"invocationId": "https://github.com/docker-library/meta/actions/runs/9001/attempts/2"
+				}
+			}
+		}
+	}
+]
diff --git a/.test/provenance/test.jq b/.test/provenance/test.jq
@@ -0,0 +1,29 @@
+include "provenance";
+include "jenkins";
+
+[
+	first(.[] | select(.build.arch == "amd64" and .build.resolved)),
+	first(.[] | select(.build.arch == "windows-amd64" and .build.resolved)),
+	empty # trailing comma
+
+	| (.build.resolved.annotations["org.opencontainers.image.ref.name"] | split("@")[1]) as $digest
+
+	# some faked GitHub event data so we can ~test the provenance generation
+	| gha_payload as $payload
+	| {
+		event: $payload,
+		event_name: "workflow_dispatch",
+		ref: "refs/heads/\($payload.ref)",
+		repository: "docker-library/meta",
+		repository_id: "1234",
+		repository_owner_id: "5678",
+		run_attempt: "2",
+		run_id: "9001",
+		server_url: "https://github.com",
+		sha: "0123456789abcdef0123456789abcdef01234567",
+		workflow_ref: "docker-library/meta/.github/workflows/build.yml@refs/heads/\($payload.ref)",
+		workflow_sha: "0123456789abcdef0123456789abcdef01234567",
+	} as $github
+
+	| github_actions_provenance($github; $digest)
+]
