Policy struct protobuf definitions (#235)

* Add buf config files

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>

* Add policy protobuf definitions

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>

* Add buf config

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* buf generate

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Use policy generated from proto

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Add proto machinery and CI test

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

---------

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

Author: puerco

.github/workflows/go-test.yml

@@ -20,10 +20,21 @@ jobs:
           go-version: "1.24"
           check-latest: true
 
+      - name: Setup Buf
+        uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0
+
+      - name: Setup protoc
+        uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # @v3.0.0
+
       - name: Run Go tests
         run: |
           go test ./sourcetool/...
 
       - name: Check generated fakes
         run: |
           hack/verify-fakes.sh
+
+      - name: Check protobuf generated codew
+        run: |
+          go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
+          hack/verify-protos.sh

Makefile

@@ -1,4 +1,18 @@
+BOLD :=  \033[1m
+CYAN :=  \033[36m
+GREEN := \033[32m
+WHITE := \033[37m
+RESET := \033[0m
+
+.PHONY: help
+help:
+	@printf "${BOLD}${WHITE}SLSA Source Tooling Makefile Help\n=================================${RESET}\n"
+	@grep -Eh '^[a-zA-Z_-]+:.*?## .*$$' ${MAKEFILE_LIST} | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "${BOLD}${CYAN}%-25s${RESET}%s\n", $$1, $$2}'
+
 .PHONY: fakes
 fakes: ## Rebuild the implementation fakes
 	go generate ./sourcetool/...
 
+.PHONY: proto
+proto: ## Rebuild the policies and provenance predicate from protocol buffer definitions
+	buf generate

buf.gen.yaml

@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: Copyright 2025 The SLSA Authors
+# SPDX-License-Identifier: Apache-2.0
+---
+version: v2
+
+managed:
+  enabled: true
+plugins:
+  - protoc_builtin: go
+    out: ./sourcetool/pkg
+    opt: 
+      - paths=import
+      - module=github.com/slsa-framework/slsa-source-poc/sourcetool/pkg

buf.yaml

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: Copyright 2025 The SLSA Authors
+# SPDX-License-Identifier: Apache-2.0
+---
+version: v2
+
+modules:
+  - path: proto/v1
+    lint:
+      except:
+        - ENUM_VALUE_PREFIX
+        - ENUM_ZERO_VALUE_SUFFIX
+        - PACKAGE_DIRECTORY_MATCH
+        - PACKAGE_VERSION_SUFFIX
+    breaking:
+      except:
+        - FILE_SAME_GO_PACKAGE
+lint:
+  use:
+    - STANDARD
+    - COMMENTS
+
+breaking:
+  use:
+    - FILE
+    - WIRE_JSON

hack/verify-protos.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+set -o xtrace
+
+source hack/common.sh
+
+make proto
+git diff --exit-code || exit_with_msg "Code from protocol definitions is not up to date. Please run 'make proto' and commit the result"

proto/v1/policy.proto

@@ -0,0 +1,51 @@
+// SPDX-FileCopyrightText: Copyright 2025 The SLSA Authors
+// SPDX-License-Identifier: Apache-2.0
+
+syntax = "proto3";
+package ampel.v1;
+
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/policy";
+
+// The repository policy definition
+message RepoPolicy {
+    string canonical_repo = 1 [json_name="canonical_repo"];
+	repeated ProtectedBranch protected_branches = 2 [json_name="protected_branches"];
+    optional ProtectedTag protected_tag = 3;  
+}
+
+// When a branch requires multiple controls, they must all be enabled
+// at or before 'since'.
+message ProtectedBranch {
+    string name = 1;
+    google.protobuf.Timestamp since = 2;
+    // We override this string with slsa.SlsaSourceLevel
+    string target_slsa_source_level = 3; 
+	bool require_review = 4;
+	repeated OrgStatusCheckControl org_status_check_controls = 5 [json_name="org_status_check_controls"];
+}
+
+// The controls required for protected tags.
+message ProtectedTag {
+    google.protobuf.Timestamp since = 1;
+    bool tag_hygiene = 2;
+}
+
+// Used by orgs to require that specific 'checks' are run on protected
+// branches and to associate those checks with a control name to include
+// in provenance and VSAs.
+// https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#require-status-checks-to-pass-before-merging
+message OrgStatusCheckControl  {
+	// The property to record in the VSA if the conditions are met.
+	// MUST start with `ORG_SOURCE_`.
+    // We'll overide this with slsa.ControlName
+    string property_name = 1;
+
+	// These controls have their own start time to enable orgs to enable
+	// new ones without violating continuity on other controls.
+	google.protobuf.Timestamp since = 2;
+
+	// The name of the 'Status Check' as reported in the GitHub UI & API.
+	string check_name = 3;
+}

sourcetool/pkg/policy/marshalers.go

@@ -0,0 +1,57 @@
+package policy
+
+import "encoding/json"
+
+func (branch *ProtectedBranch) MarshalJSON() ([]byte, error) {
+	type Alias ProtectedBranch
+	var since string
+	if branch.GetSince() != nil {
+		since = branch.GetSince().AsTime().Format("2006-01-02T15:04:05.000Z")
+	}
+
+	return json.Marshal(
+		&struct {
+			Since string `json:"since"`
+			*Alias
+		}{
+			Since: since,
+			Alias: (*Alias)(branch),
+		},
+	)
+}
+
+func (ctl *OrgStatusCheckControl) MarshalJSON() ([]byte, error) {
+	type Alias OrgStatusCheckControl
+	var since string
+	if ctl.GetSince() != nil {
+		since = ctl.GetSince().AsTime().Format("2006-01-02T15:04:05.000Z")
+	}
+
+	return json.Marshal(
+		&struct {
+			Since string `json:"since"`
+			*Alias
+		}{
+			Since: since,
+			Alias: (*Alias)(ctl),
+		},
+	)
+}
+
+func (tag *ProtectedTag) MarshalJSON() ([]byte, error) {
+	type Alias ProtectedTag
+	var since string
+	if tag.GetSince() != nil {
+		since = tag.GetSince().AsTime().Format("2006-01-02T15:04:05.000Z")
+	}
+
+	return json.Marshal(
+		&struct {
+			Since string `json:"since"`
+			*Alias
+		}{
+			Since: since,
+			Alias: (*Alias)(tag),
+		},
+	)
+}