Start creation of a checktag command.

This command creates tag provenance (new!) and VSAs for those tags.

There's more work to do to fully iron this out but it's ready for
some testing.

This was a fairly large refactor that involved generalizing the
GitHubConnection class so that it doesn't assume there are branches and
being able to mock the bnd verifier to make unit tests possible/easier.

Signed-off-by: Tom Hennen <tomhennen@google.com>

Author: TomHennen

.github/workflows/local_attest.yml

@@ -2,6 +2,7 @@ name: SLSA Source
 on:
   push:
     branches: [ "main" ]
+    tags: ['**']
 
 jobs:
   # Whenever new source is pushed recompute the slsa source information.

DESIGN.md

@@ -233,7 +233,8 @@ This tool can also check to see if the GitHub repo/ref is configured to require
 ### IMMUTABLE_TAGS
 
 This tool can also check to see if the GitHub repo is configured to require
-immutable tags.  To do so it checks that the repo:
+immutable tags.  To do so it checks that the repo enables the follow rules
+to ~ALL tags:
 
 1. Doesn't allow tag updates
 2. Doesn't allow tag deletions
@@ -243,6 +244,11 @@ Importing [rulesets/tag_immutability.json](rulesets/tag_immutability.json)
 to a repos rulesets will enable the repo controls. The `immutable_tags`
 field in the policy then needs to be enabled too.
 
+TODO: In the future this tool could be updated to allow some subset of tags
+to be updated (e.g. `latest`, `nightly`), but that feature is not yet
+supported. Tracked
+[here](https://github.com/slsa-framework/slsa-source-poc/issues/129).
+
 ## Open Issues
 
 ### Dealing with reliability

actions/slsa_with_provenance/action.yml

@@ -22,11 +22,18 @@ runs:
     - id: setup
       run: mkdir -p metadata
       shell: bash
-    - id: determine_level
+    - id: handle_branch_push
+      if: ${{ startsWith(github.ref, 'refs/heads/') }}
       run: |
-        echo "## SLSA Source Properties" >> $GITHUB_STEP_SUMMARY
+        echo "## SLSA Source Properties Branch Push" >> $GITHUB_STEP_SUMMARY
         go run github.com/slsa-framework/slsa-source-poc/sourcetool@8de659f119d933d4cfaed300e7d8bd78528a48c7 --github_token ${{ github.token }} checklevelprov --commit ${{ github.sha }} --owner ${{ github.repository_owner }} --repo ${{ github.event.repository.name }} --branch ${{ github.ref_name }} --output_signed_bundle ${{ github.workspace }}/metadata/signed_bundle.intoto.jsonl >> $GITHUB_STEP_SUMMARY
       shell: bash
+    - id: handle_tag_push
+      if: ${{ startsWith(github.ref, 'refs/tags/') }}
+      run: |
+        echo "## SLSA Source Properties Tag Push" >> $GITHUB_STEP_SUMMARY
+        echo "TODO"
+      shell: bash
     - id: summary
       run: |
         echo "## Signed Bundle" >> $GITHUB_STEP_SUMMARY

go.work.sum

@@ -73,6 +73,7 @@ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kB
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
 github.com/bufbuild/protocompile v0.10.0/go.mod h1:G9qQIQo0xZ6Uyj6CMNz0saGmx2so+KONo8/KrELABiY=
+github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
 github.com/buildkite/agent/v3 v3.81.0/go.mod h1:edJeyycODRxaFvpT22rDGwaQ5oa4eB8GjtbjgX5VpFw=
 github.com/buildkite/go-pipeline v0.13.1/go.mod h1:2HHqlSFTYgHFhzedJu0LhLs9n5c9XkYnHiQFVN5HE4U=
 github.com/buildkite/interpolate v0.1.3/go.mod h1:UNVe6A+UfiBNKbhAySrBbZFZFxQ+DXr9nWen6WVt/A8=
@@ -180,7 +181,6 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3
 github.com/google/wire v0.6.0/go.mod h1:F4QhpQ9EDIdJ1Mbop/NZBRB+5yrR6qg3BnctaoUk6NA=
 github.com/googleapis/google-cloud-go-testing v0.0.0-20210719221736-1c9a4c676720/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
 github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
-github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=

policy/github.com/TomHennen/Concordance/source-policy.json

@@ -5,8 +5,11 @@
       "Name": "master",
       "Since": "2025-03-23T18:08:43.25099739Z",
       "target_slsa_source_level": "SLSA_SOURCE_LEVEL_3",
-      "require_review": false,
-      "immutable_tags": true
+      "require_review": false
     }
-  ]
+  ],
+  "protected_tag": {
+    "Since": "2025-03-23T18:08:43.25099739Z",
+    "immutable_tags": true
+  }
 }

sourcetool/cmd/checklevel.go

@@ -41,22 +41,22 @@ func doCheckLevel(commit, owner, repo, branch, outputVsa, outputUnsignedVsa stri
 		log.Fatal("Must set commit, owner, repo, and branch flags.")
 	}
 
-	gh_connection := gh_control.NewGhConnection(owner, repo, branch).WithAuthToken(githubToken)
+	gh_connection := gh_control.NewGhConnection(owner, repo, gh_control.BranchToFullRef(branch)).WithAuthToken(githubToken)
 	ctx := context.Background()
 
-	controlStatus, err := gh_connection.GetControls(ctx, commit)
+	controlStatus, err := gh_connection.GetBranchControls(ctx, commit, gh_connection.GetFullRef())
 	if err != nil {
 		log.Fatal(err)
 	}
-	pol := policy.NewPolicy()
-	pol.UseLocalPolicy = checkLevelProvArgs.useLocalPolicy
-	verifiedLevels, policyPath, err := pol.EvaluateControl(ctx, gh_connection, controlStatus)
+	pe := policy.NewPolicyEvaluator()
+	pe.UseLocalPolicy = checkLevelProvArgs.useLocalPolicy
+	verifiedLevels, policyPath, err := pe.EvaluateControl(ctx, gh_connection, controlStatus)
 	if err != nil {
 		log.Fatal(err)
 	}
 	fmt.Print(verifiedLevels)
 
-	unsignedVsa, err := attest.CreateUnsignedSourceVsa(gh_connection, commit, verifiedLevels, policyPath)
+	unsignedVsa, err := attest.CreateUnsignedSourceVsa(gh_connection.GetRepoUri(), gh_connection.GetFullRef(), commit, verifiedLevels, policyPath)
 	if err != nil {
 		log.Fatal(err)
 	}

sourcetool/cmd/checklevelprov.go

@@ -46,7 +46,7 @@ var (
 
 func doCheckLevelProv(checkLevelProvArgs CheckLevelProvArgs) {
 	gh_connection :=
-		gh_control.NewGhConnection(checkLevelProvArgs.owner, checkLevelProvArgs.repo, checkLevelProvArgs.branch).WithAuthToken(githubToken)
+		gh_control.NewGhConnection(checkLevelProvArgs.owner, checkLevelProvArgs.repo, gh_control.BranchToFullRef(checkLevelProvArgs.branch)).WithAuthToken(githubToken)
 	ctx := context.Background()
 
 	prevCommit := checkLevelProvArgs.prevCommit
@@ -58,22 +58,22 @@ func doCheckLevelProv(checkLevelProvArgs CheckLevelProvArgs) {
 		}
 	}
 
-	pa := attest.NewProvenanceAttestor(gh_connection, getVerificationOptions())
-	prov, err := pa.CreateSourceProvenance(ctx, checkLevelProvArgs.prevBundlePath, checkLevelProvArgs.commit, prevCommit)
+	pa := attest.NewProvenanceAttestor(gh_connection, getVerifier())
+	prov, err := pa.CreateSourceProvenance(ctx, checkLevelProvArgs.prevBundlePath, checkLevelProvArgs.commit, prevCommit, gh_connection.GetFullRef())
 	if err != nil {
 		log.Fatal(err)
 	}
 
 	// check p against policy
-	pol := policy.NewPolicy()
-	pol.UseLocalPolicy = checkLevelProvArgs.useLocalPolicy
-	verifiedLevels, policyPath, err := pol.EvaluateProv(ctx, gh_connection, prov)
+	pe := policy.NewPolicyEvaluator()
+	pe.UseLocalPolicy = checkLevelProvArgs.useLocalPolicy
+	verifiedLevels, policyPath, err := pe.EvaluateSourceProv(ctx, gh_connection, prov)
 	if err != nil {
 		log.Fatal(err)
 	}
 
 	// create vsa
-	unsignedVsa, err := attest.CreateUnsignedSourceVsa(gh_connection, checkLevelProvArgs.commit, verifiedLevels, policyPath)
+	unsignedVsa, err := attest.CreateUnsignedSourceVsa(gh_connection.GetRepoUri(), gh_connection.GetFullRef(), checkLevelProvArgs.commit, verifiedLevels, policyPath)
 	if err != nil {
 		log.Fatal(err)
 	}

sourcetool/cmd/checktag.go

@@ -0,0 +1,108 @@
+/*
+Copyright © 2025 NAME HERE <EMAIL ADDRESS>
+*/
+package cmd
+
+import (
+	"context"
+	"log"
+	"os"
+
+	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/attest"
+	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/gh_control"
+	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/policy"
+	"github.com/spf13/cobra"
+	"google.golang.org/protobuf/encoding/protojson"
+)
+
+type CheckTagArgs struct {
+	commit             string
+	owner              string
+	repo               string
+	tagName            string
+	outputSignedBundle string
+	useLocalPolicy     string
+}
+
+var (
+	checkTagArgs CheckTagArgs
+	// checktagCmd represents the checktag command
+	checktagCmd = &cobra.Command{
+		Use:   "checktag",
+		Short: "Checks to see if the tag operation should be allowed and issues a VSA",
+		Run: func(cmd *cobra.Command, args []string) {
+			doCheckTag(checkTagArgs)
+		},
+	}
+)
+
+func doCheckTag(args CheckTagArgs) {
+	gh_connection :=
+		gh_control.NewGhConnection(args.owner, args.repo, gh_control.TagToFullRef(args.tagName)).WithAuthToken(githubToken)
+	ctx := context.Background()
+	verifier := getVerifier()
+
+	// Create tag provenance.
+	pa := attest.NewProvenanceAttestor(gh_connection, verifier)
+	prov, err := pa.CreateTagProvenance(ctx, args.commit, gh_control.TagToFullRef(args.tagName))
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// check p against policy
+	pe := policy.NewPolicyEvaluator()
+	pe.UseLocalPolicy = args.useLocalPolicy
+	verifiedLevels, policyPath, err := pe.EvaluateTagProv(ctx, gh_connection, prov)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// create vsa
+	unsignedVsa, err := attest.CreateUnsignedSourceVsa(gh_connection.GetRepoUri(), gh_connection.GetFullRef(), args.commit, verifiedLevels, policyPath)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	unsignedProv, err := protojson.Marshal(prov)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if args.outputSignedBundle != "" {
+		f, err := os.OpenFile(args.outputSignedBundle, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0644)
+		if err != nil {
+			log.Fatal(err)
+		}
+		defer f.Close()
+
+		signedProv, err := attest.Sign(string(unsignedProv))
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		signedVsa, err := attest.Sign(unsignedVsa)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		f.WriteString(signedProv)
+		f.WriteString("\n")
+		f.WriteString(signedVsa)
+		f.WriteString("\n")
+	} else {
+		log.Printf("unsigned prov: %s\n", unsignedProv)
+		log.Printf("unsigned vsa: %s\n", unsignedVsa)
+	}
+}
+
+func init() {
+	rootCmd.AddCommand(checktagCmd)
+
+	checktagCmd.Flags().StringVar(&checkTagArgs.commit, "commit", "", "The commit to check - required.")
+	checktagCmd.Flags().StringVar(&checkTagArgs.owner, "owner", "", "The GitHub repository owner - required.")
+	checktagCmd.Flags().StringVar(&checkTagArgs.repo, "repo", "", "The GitHub repository name - required.")
+	checktagCmd.Flags().StringVar(&checkTagArgs.tagName, "tag_name", "", "The name of the new tag - required.")
+	checktagCmd.Flags().StringVar(&checkTagArgs.outputSignedBundle, "output_signed_bundle", "", "The path to write a bundle of signed attestations.")
+	checktagCmd.Flags().StringVar(&checkTagArgs.useLocalPolicy, "use_local_policy", "", "UNSAFE: Use the policy at this local path instead of the official one.")
+
+}

sourcetool/cmd/createpolicy.go

@@ -35,7 +35,7 @@ var (
 )
 
 func doCreatePolicy(policyRepoPath, owner, repo, branch string) {
-	gh_connection := gh_control.NewGhConnection(owner, repo, branch).WithAuthToken(githubToken)
+	gh_connection := gh_control.NewGhConnection(owner, repo, gh_control.BranchToFullRef(branch)).WithAuthToken(githubToken)
 	ctx := context.Background()
 	outpath, err := policy.CreateLocalPolicy(ctx, gh_connection, policyRepoPath)
 	if err != nil {

sourcetool/cmd/prov.go

@@ -32,10 +32,10 @@ var (
 )
 
 func doProv(prevAttPath, commit, prevCommit, owner, repo, branch string) {
-	gh_connection := gh_control.NewGhConnection(owner, repo, branch).WithAuthToken(githubToken)
+	gh_connection := gh_control.NewGhConnection(owner, repo, gh_control.BranchToFullRef(branch)).WithAuthToken(githubToken)
 	ctx := context.Background()
-	pa := attest.NewProvenanceAttestor(gh_connection, attest.DefaultVerifierOptions)
-	newProv, err := pa.CreateSourceProvenance(ctx, prevAttPath, commit, prevCommit)
+	pa := attest.NewProvenanceAttestor(gh_connection, getVerifier())
+	newProv, err := pa.CreateSourceProvenance(ctx, prevAttPath, commit, prevCommit, gh_connection.GetFullRef())
 	if err != nil {
 		log.Fatal(err)
 	}