feat: Record vars in SLSA generators (#3633)

ianlewis · web-flow · commit 40c607fde64a · 2024-05-23T08:51:19.000Z
# Summary Records the GitHub [vars context](https://docs.github.com/en/actions/learn-github-actions/contexts#vars-context) in the SLSA invocation in the generic generator and container generator. The `vars` context is passed to the "builder" binary as a JSON blob via the `GITHUB_VARS` environment variable. The values are then recorded in the `invocation.parameters.vars` field of the provenance predicate. Masking of inputs or vars is not supported. Note that the `vars` context is set to the variables for the *repository that initiated the GitHub Actions run* and not the reusable workflow's repository. Updates #1555 ## Testing Process - Set a variable on the test repo - Go to Settings -> Secrets & variables -> Actions and then click on the Variables tab. - Set some test variables. - Generate provenance as normal using the generic generator or container generator - Note that the `compile-generator: true` input must be set. - Examine the `invocation.parameters.vars` field in the resulting provenance. The vars should be recorded there. ## Checklist - [x] Review the contributing [guidelines](https://github.com/slsa-framework/slsa-github-generator/blob/main/CONTRIBUTING.md) - [x] Add a reference to related issues in the PR description. - [x] Update documentation if applicable (added #3627 to track) - [x] Add unit tests if applicable. - [x] Add changes to the [CHANGELOG](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) if applicable. --------- Signed-off-by: Ian Lewis <ianmlewis@gmail.com> Signed-off-by: Ian Lewis <ianlewis@google.com>
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
@@ -266,6 +266,7 @@ jobs:
           UNTRUSTED_IMAGE: "${{ inputs.image }}"
           UNTRUSTED_DIGEST: "${{ inputs.digest }}"
           GITHUB_CONTEXT: "${{ toJSON(github) }}"
+          VARS_CONTEXT: "${{ toJSON(vars) }}"
           UNTRUSTED_PROVENANCE_REPOSITORY: "${{ inputs.provenance-repository }}"
         run: |
           set -euo pipefail
diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml
@@ -218,6 +218,7 @@ jobs:
         # See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
         env:
           GITHUB_CONTEXT: "${{ toJSON(github) }}"
+          VARS_CONTEXT: "${{ toJSON(vars) }}"
           UNTRUSTED_PROVENANCE_NAME: "${{ inputs.provenance-name }}"
         run: |
           set -euo pipefail
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- toc -->
 
+- [Unreleased](#unreleased)
+  - [Unreleased: Vars context recorded in provenance](#unreleased-vars-context-recorded-in-provenance)
 - [v2.0.0](#v200)
   - [v2.0.0: Breaking Change: upload-artifact and download-artifact](#v200-breaking-change-upload-artifact-and-download-artifact)
   - [v2.0.0: Breaking Change: attestation-name Workflow Input and Output](#v200-breaking-change-attestation-name-workflow-input-and-output)
@@ -102,6 +104,14 @@ Use the format "X.Y.Z: Go builder" etc. for format headers to avoid header name
 duplication."
 -->
 
+## Unreleased
+
+### Unreleased: Vars context recorded in provenance
+
+- **Updated**: GitHub `vars` context is now recorded in provenance for the generic and
+  container generators. The `vars` context cannot affect the build in the Go
+  builder so it is not recorded.
+
 ## v2.0.0
 
 ### v2.0.0: Breaking Change: upload-artifact and download-artifact
diff --git a/github/workflow.go b/github/workflow.go
@@ -23,8 +23,26 @@ import (
 
 const (
 	githubContextEnvKey = "GITHUB_CONTEXT"
+	varsContextEnvKey   = "VARS_CONTEXT"
 )
 
+// VarsContext is the `vars` context.
+//
+// See: https://docs.github.com/en/actions/learn-github-actions/contexts#vars-context
+type VarsContext map[string]string
+
+// GetVarsContext returns the current GitHub Actions 'vars' context.
+func GetVarsContext() (VarsContext, error) {
+	v := VarsContext(make(map[string]string))
+	varsContext, ok := os.LookupEnv(varsContextEnvKey)
+	if !ok {
+		return v, fmt.Errorf("%s environment variable not set", varsContextEnvKey)
+	}
+
+	err := json.Unmarshal([]byte(varsContext), &v)
+	return v, err
+}
+
 // WorkflowContext is the `github` context given to workflows that contains
 // information about the GitHub Actions workflow run.
 //
@@ -70,7 +88,7 @@ func GetWorkflowContext() (WorkflowContext, error) {
 	w := WorkflowContext{}
 	ghContext, ok := os.LookupEnv(githubContextEnvKey)
 	if !ok {
-		return w, errors.New("GITHUB_CONTEXT environment variable not set")
+		return w, fmt.Errorf("%s environment variable not set", githubContextEnvKey)
 	}
 
 	err := json.Unmarshal([]byte(ghContext), &w)
diff --git a/internal/builders/container/generate.go b/internal/builders/container/generate.go
@@ -41,11 +41,14 @@ that it is being run in the context of a Github Actions workflow.`,
 			ghContext, err := github.GetWorkflowContext()
 			check(err)
 
+			varsContext, err := github.GetVarsContext()
+			check(err)
+
 			ctx := context.Background()
 
 			b := common.GenericBuild{
 				// NOTE: Subjects are nil because we are only writing the predicate.
-				GithubActionsBuild: slsa.NewGithubActionsBuild(nil, &ghContext),
+				GithubActionsBuild: slsa.NewGithubActionsBuild(nil, &ghContext, varsContext),
 				BuildTypeURI:       containerBuildType,
 			}
 
diff --git a/internal/builders/container/generate_test.go b/internal/builders/container/generate_test.go
@@ -35,6 +35,7 @@ func checkTest(t *testing.T) func(err error) {
 
 func Test_generateCmd_default_predicate(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()
@@ -69,6 +70,7 @@ func Test_generateCmd_default_predicate(t *testing.T) {
 
 func Test_generateCmd_custom_predicate(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()
@@ -104,6 +106,7 @@ func Test_generateCmd_custom_predicate(t *testing.T) {
 
 func Test_generateCmd_invalid_path(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()
diff --git a/internal/builders/generic/attest.go b/internal/builders/generic/attest.go
@@ -51,6 +51,9 @@ run in the context of a Github Actions workflow.`,
 			ghContext, err := github.GetWorkflowContext()
 			check(err)
 
+			varsContext, err := github.GetVarsContext()
+			check(err)
+
 			subjectsBytes, err := utils.SafeReadFile(subjectsFilename)
 			check(err)
 			parsedSubjects, err := parseSubjects(string(subjectsBytes))
@@ -78,7 +81,7 @@ run in the context of a Github Actions workflow.`,
 			ctx := context.Background()
 
 			b := common.GenericBuild{
-				GithubActionsBuild: slsa.NewGithubActionsBuild(parsedSubjects, &ghContext),
+				GithubActionsBuild: slsa.NewGithubActionsBuild(parsedSubjects, &ghContext, varsContext),
 				BuildTypeURI:       provenanceOnlyBuildType,
 			}
 			if provider != nil {
diff --git a/internal/builders/generic/attest_test.go b/internal/builders/generic/attest_test.go
@@ -223,6 +223,7 @@ func createTmpFile(content string) (string, error) {
 // Test_attestCmd tests the attest command.
 func Test_attestCmd_default_single_artifact(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()
@@ -265,6 +266,7 @@ func Test_attestCmd_default_single_artifact(t *testing.T) {
 
 func Test_attestCmd_default_multi_artifact(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()
@@ -309,6 +311,7 @@ b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  artifact2`)))
 
 func Test_attestCmd_custom_provenance_name(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()
@@ -352,6 +355,7 @@ func Test_attestCmd_custom_provenance_name(t *testing.T) {
 
 func Test_attestCmd_invalid_extension(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()
@@ -405,6 +409,7 @@ func Test_attestCmd_invalid_extension(t *testing.T) {
 
 func Test_attestCmd_invalid_path(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()
@@ -460,6 +465,7 @@ func Test_attestCmd_invalid_path(t *testing.T) {
 // subjects in subdirectories.
 func Test_attestCmd_subdirectory_artifact(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()
diff --git a/internal/builders/go/pkg/provenance.go b/internal/builders/go/pkg/provenance.go
@@ -99,7 +99,7 @@ func GenerateProvenance(name, digest, command, envs, workingDir string,
 					"sha256": digest,
 				},
 			},
-		}, &gh),
+		}, &gh, nil),
 		buildConfig: buildConfig{
 			Version: buildConfigVersion,
 			Steps: []step{
diff --git a/internal/builders/go/pkg/provenance_test.go b/internal/builders/go/pkg/provenance_test.go
@@ -26,6 +26,7 @@ func TestGenerateProvenance_withErr(t *testing.T) {
 	// TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove
 	t.Setenv("GITHUB_EVENT_NAME", "non_event")
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 	sha256 := "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2"
 	_, err := GenerateProvenance(
 		"foo", sha256, "", "", "/home/foo",
diff --git a/slsa/buildtype.go b/slsa/buildtype.go
@@ -39,7 +39,7 @@ type BuildType interface {
 	Subject(context.Context) ([]intoto.Subject, error)
 
 	// BuildConfig returns the buildConfig for this build type.
-	BuildConfig(context.Context) (interface{}, error)
+	BuildConfig(context.Context) (any, error)
 
 	// Invocation returns an invocation for this build type.
 	Invocation(context.Context) (slsa02.ProvenanceInvocation, error)
@@ -53,39 +53,49 @@ type BuildType interface {
 
 // GithubActionsBuild is a basic build type for builders running in GitHub Actions.
 type GithubActionsBuild struct {
+	// Context is the build's `github` context.
 	Context github.WorkflowContext
+	// Vars is the build's `vars` context.
+	Vars github.VarsContext
+	// Clients are the GitHub OIDC and API clients.
 	Clients ClientProvider
-	subject []intoto.Subject
+	// Subjects are the build subjects.
+	Subjects []intoto.Subject
 }
 
 // WorkflowParameters contains parameters given to the workflow invocation.
 type WorkflowParameters struct {
 	// EventInputs is the inputs for the event that triggered the workflow.
-	EventInputs interface{} `json:"event_inputs,omitempty"`
+	EventInputs any `json:"event_inputs,omitempty"`
+
+	// VarsContext includes the input parameters provided as part of the `vars`
+	// context. This includes environment and repository variables.
+	VarsContext any `json:"vars"`
 }
 
 // NewGithubActionsBuild returns a new GithubActionsBuild that uses the
 // GitHub context to generate information.
-func NewGithubActionsBuild(s []intoto.Subject, c *github.WorkflowContext) *GithubActionsBuild {
+func NewGithubActionsBuild(s []intoto.Subject, c *github.WorkflowContext, v github.VarsContext) *GithubActionsBuild {
 	return &GithubActionsBuild{
-		subject: s,
-		Context: *c,
-		Clients: &DefaultClientProvider{},
+		Subjects: s,
+		Context:  *c,
+		Vars:     v,
+		Clients:  &DefaultClientProvider{},
 	}
 }
 
 // Subject implements BuildType.Subject.
 func (b *GithubActionsBuild) Subject(context.Context) ([]intoto.Subject, error) {
-	return b.subject, nil
+	return b.Subjects, nil
 }
 
 // BuildConfig implements BuildType.BuildConfig.
-func (b *GithubActionsBuild) BuildConfig(context.Context) (interface{}, error) {
+func (b *GithubActionsBuild) BuildConfig(context.Context) (any, error) {
 	// The default build config is nil.
 	return nil, nil
 }
 
-func addEnvKeyString(m map[string]interface{}, k, v string) {
+func addEnvKeyString(m map[string]any, k, v string) {
 	// Always record the value, even if it's empty. Let
 	// the consumer/verifier decide how to interpret their meaning.
 	m[k] = v
@@ -142,7 +152,7 @@ func (b *GithubActionsBuild) Invocation(ctx context.Context) (slsa.ProvenanceInv
 
 	// Builder-controlled environment vars needed
 	// to reproduce the build.
-	env := map[string]interface{}{}
+	env := map[string]any{}
 
 	// TODO(github.com/slsa-framework/slsa-github-generator/issues/5): set "arch" in environment.
 	addEnvKeyString(env, "github_run_number", b.Context.RunNumber)
@@ -223,11 +233,16 @@ func (b *GithubActionsBuild) Invocation(ctx context.Context) (slsa.ProvenanceInv
 		}
 	}
 
+	// Parameters coming from the trigger event.
+	params := WorkflowParameters{}
+	if b.Vars != nil {
+		params.VarsContext = b.Vars
+	}
 	if b.Context.Event != nil {
-		// Parameters coming from the trigger event.
-		i.Parameters = WorkflowParameters{
-			EventInputs: b.Context.Event["inputs"],
-		}
+		params.EventInputs = b.Context.Event["inputs"]
+	}
+	if params.VarsContext != nil || params.EventInputs != nil {
+		i.Parameters = params
 	}
 
 	return i, nil
@@ -259,6 +274,8 @@ func (b *GithubActionsBuild) Metadata(context.Context) (*slsa.ProvenanceMetadata
 		metadata.BuildInvocationID = fmt.Sprintf("%s-%s", b.Context.RunID, b.Context.RunAttempt)
 	}
 
+	// NOTE: We don't check the vars context for completeness as they may not
+	// affect the build for builders.
 	if b.Context.Event != nil {
 		// Parameters come from the trigger event.
 		// If we have the event then mark parameters as complete.
diff --git a/slsa/provenance_test.go b/slsa/provenance_test.go
