diff --git a/.github/workflows/local_attest.yml b/.github/workflows/local_attest.yml
index 524d364b..31c656d2 100644
--- a/.github/workflows/local_attest.yml
+++ b/.github/workflows/local_attest.yml
@@ -10,4 +10,4 @@ jobs:
 permissions:
 contents: write # needed for storing the vsa in the repo.
 id-token: write
- uses: slsa-framework/slsa-source-poc/.github/workflows/compute_slsa_source.yml@main
+ uses: slsa-framework/source-actions/.github/workflows/compute_slsa_source.yml@main
diff --git a/hack/verify-protos.sh b/hack/verify-protos.sh
index 5877a4ff..6adaac60 100755
--- a/hack/verify-protos.sh
+++ b/hack/verify-protos.sh
@@ -9,4 +9,9 @@ set -o xtrace
 source hack/common.sh
 make proto
+
+# Check if the proto definitions need updating
 git diff --exit-code || exit_with_msg "Code from protocol definitions is not up to date. Please run 'make proto' and commit the result"
+
+# Check the format of the proto files
+buf lint || exit_with_msg "The proto files have linting errors. Please run 'buf lint' and fix them before committing"
diff --git a/pkg/policy/policy.pb.go b/pkg/policy/policy.pb.go
index 551515f8..d45295dc 100644
--- a/pkg/policy/policy.pb.go
+++ b/pkg/policy/policy.pb.go
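Review bot: The added `uses:` line still references the reusable workflow by the mutable ref `@main`, and it now resolves to a different repository (`slsa-framework/source-actions`) than before, so every run of this job executes whatever that branch contains at the time, with the `contents: write` and `id-token: write` permissions shown in the context lines above it. Pin the reference to a full-length commit SHA with the corresponding tag in a trailing comment, e.g. `uses: slsa-framework/source-actions/.github/workflows/compute_slsa_source.yml@<full-commit-sha> # <release-tag>` (both placeholders), so a change to that branch cannot alter what runs here without a reviewed bump. The removed line carried the same unpinned ref, so this is pre-existing, but moving the reference across repositories is the right moment to fix it.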
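Review bot: The comment above the new `buf lint` line says it checks the format of the proto files, but `buf lint` applies lint rules (naming and package-layout checks such as the `PACKAGE_SAME_GO_PACKAGE` rule this commit suppresses in the .proto files), not formatting, which `buf format --diff --exit-code` checks. Either reword the comment to `# Lint the proto files` or add the format check as its own step, `buf format --diff --exit-code || exit_with_msg "The proto files are not formatted. Please run 'buf format -w' and commit the result"`. Separately, the `git diff --exit-code` context line only detects modifications to tracked files, so a brand-new generated file produced by `make proto` would pass this check unnoticed; running `git add --intent-to-add .` before the diff (or testing `git status --porcelain` for emptiness) closes that gap. The rest of the script is outside this hunk.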
@@ -292,19 +292,19 @@ var File_policy_proto protoreflect.FileDescriptor const file_policy_proto_rawDesc = "" + "\n" + - "\fpolicy.proto\x12\bampel.v1\x1a\x1fgoogle/protobuf/timestamp.proto\"\xd3\x01\n" + + "\fpolicy.proto\x123in_toto_attestation.predicates.source_provenance.v1\x1a\x1fgoogle/protobuf/timestamp.proto\"\xa9\x02\n" + "\n" + "RepoPolicy\x12&\n" + - "\x0ecanonical_repo\x18\x01 \x01(\tR\x0ecanonical_repo\x12I\n" + - "\x12protected_branches\x18\x02 \x03(\v2\x19.ampel.v1.ProtectedBranchR\x12protected_branches\x12@\n" + - "\rprotected_tag\x18\x03 \x01(\v2\x16.ampel.v1.ProtectedTagH\x00R\fprotectedTag\x88\x01\x01B\x10\n" + - "\x0e_protected_tag\"\x96\x02\n" + + "\x0ecanonical_repo\x18\x01 \x01(\tR\x0ecanonical_repo\x12t\n" + + "\x12protected_branches\x18\x02 \x03(\v2D.in_toto_attestation.predicates.source_provenance.v1.ProtectedBranchR\x12protected_branches\x12k\n" + + "\rprotected_tag\x18\x03 \x01(\v2A.in_toto_attestation.predicates.source_provenance.v1.ProtectedTagH\x00R\fprotectedTag\x88\x01\x01B\x10\n" + + "\x0e_protected_tag\"\xc2\x02\n" + "\x0fProtectedBranch\x12\x12\n" + "\x04name\x18\x01 \x01(\tR\x04name\x120\n" + "\x05since\x18\x02 \x01(\v2\x1a.google.protobuf.TimestampR\x05since\x127\n" + "\x18target_slsa_source_level\x18\x03 \x01(\tR\x15targetSlsaSourceLevel\x12%\n" + - "\x0erequire_review\x18\x04 \x01(\bR\rrequireReview\x12]\n" + - "\x19org_status_check_controls\x18\x05 \x03(\v2\x1f.ampel.v1.OrgStatusCheckControlR\x19org_status_check_controls\"a\n" + + "\x0erequire_review\x18\x04 \x01(\bR\rrequireReview\x12\x88\x01\n" + + "\x19org_status_check_controls\x18\x05 \x03(\v2J.in_toto_attestation.predicates.source_provenance.v1.OrgStatusCheckControlR\x19org_status_check_controls\"a\n" + "\fProtectedTag\x120\n" + "\x05since\x18\x01 \x01(\v2\x1a.google.protobuf.TimestampR\x05since\x12\x1f\n" + "\vtag_hygiene\x18\x02 \x01(\bR\n" + 
@@ -313,8 +313,8 @@ const file_policy_proto_rawDesc = "" + "\rproperty_name\x18\x01 \x01(\tR\fpropertyName\x120\n" + "\x05since\x18\x02 \x01(\v2\x1a.google.protobuf.TimestampR\x05since\x12\x1d\n" + "\n" + - "check_name\x18\x03 \x01(\tR\tcheckNameB\x92\x01\n" + - "\fcom.ampel.v1B\vPolicyProtoP\x01Z4github.com/slsa-framework/slsa-source-poc/pkg/policy\xa2\x02\x03AXX\xaa\x02\bAmpel.V1\xca\x02\bAmpel\\V1\xe2\x02\x14Ampel\\V1\\GPBMetadata\xea\x02\tAmpel::V1b\x06proto3" + "check_name\x18\x03 \x01(\tR\tcheckNameB\xdf\x02\n" + + "7com.in_toto_attestation.predicates.source_provenance.v1B\vPolicyProtoP\x01Z4github.com/slsa-framework/slsa-source-poc/pkg/policy\xa2\x02\x03IPS\xaa\x020InTotoAttestation.Predicates.SourceProvenance.V1\xca\x020InTotoAttestation\\Predicates\\SourceProvenance\\V1\xe2\x02 ampel.v1.ProtectedBranch - 2, // 1: ampel.v1.RepoPolicy.protected_tag:type_name -> ampel.v1.ProtectedTag - 4, // 2: ampel.v1.ProtectedBranch.since:type_name -> google.protobuf.Timestamp - 3, // 3: ampel.v1.ProtectedBranch.org_status_check_controls:type_name -> ampel.v1.OrgStatusCheckControl - 4, // 4: ampel.v1.ProtectedTag.since:type_name -> google.protobuf.Timestamp - 4, // 5: ampel.v1.OrgStatusCheckControl.since:type_name -> google.protobuf.Timestamp + 1, // 0: in_toto_attestation.predicates.source_provenance.v1.RepoPolicy.protected_branches:type_name -> in_toto_attestation.predicates.source_provenance.v1.ProtectedBranch + 2, // 1: in_toto_attestation.predicates.source_provenance.v1.RepoPolicy.protected_tag:type_name -> in_toto_attestation.predicates.source_provenance.v1.ProtectedTag + 4, // 2: in_toto_attestation.predicates.source_provenance.v1.ProtectedBranch.since:type_name -> google.protobuf.Timestamp + 3, // 3: in_toto_attestation.predicates.source_provenance.v1.ProtectedBranch.org_status_check_controls:type_name -> in_toto_attestation.predicates.source_provenance.v1.OrgStatusCheckControl + 4, // 4: 
in_toto_attestation.predicates.source_provenance.v1.ProtectedTag.since:type_name -> google.protobuf.Timestamp + 4, // 5: in_toto_attestation.predicates.source_provenance.v1.OrgStatusCheckControl.since:type_name -> google.protobuf.Timestamp 6, // [6:6] is the sub-list for method output_type 6, // [6:6] is the sub-list for method input_type 6, // [6:6] is the sub-list for extension type_name diff --git a/pkg/provenance/provenance.pb.go b/pkg/provenance/provenance.pb.go index 666ead3d..a8da5a71 100644 --- a/pkg/provenance/provenance.pb.go +++ b/pkg/provenance/provenance.pb.go @@ -264,7 +264,7 @@ func (x *TagProvenancePred) GetVsaSummaries() []*VsaSummary { type VsaSummary struct { state protoimpl.MessageState `protogen:"open.v1"` SourceRefs []string `protobuf:"bytes,1,rep,name=source_refs,json=sourceRefs,proto3" json:"source_refs,omitempty"` - VerifiedLevels []string `protobuf:"bytes,2,rep,name=verifiedLevels,proto3" json:"verifiedLevels,omitempty"` + VerifiedLevels []string `protobuf:"bytes,2,rep,name=verified_levels,json=verifiedLevels,proto3" json:"verified_levels,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } @@ -317,7 +317,7 @@ var File_provenance_proto protoreflect.FileDescriptor const file_provenance_proto_rawDesc = "" + "\n" + - "\x10provenance.proto\x12\bampel.v1\x1a\x1fgoogle/protobuf/timestamp.proto\"\xa3\x02\n" + + "\x10provenance.proto\x123in_toto_attestation.predicates.source_provenance.v1\x1a\x1fgoogle/protobuf/timestamp.proto\"\xce\x02\n" + "\x14SourceProvenancePred\x12\x1f\n" + "\vprev_commit\x18\x01 \x01(\tR\n" + "prevCommit\x12\x19\n" + 
@@ -326,27 +326,27 @@ const file_provenance_proto_rawDesc = "" + "\x05actor\x18\x04 \x01(\tR\x05actor\x12\x16\n" + "\x06branch\x18\x05 \x01(\tR\x06branch\x12>\n" + "\n" + - "created_on\x18\x06 \x01(\v2\x1a.google.protobuf.TimestampH\x00R\tcreatedOn\x88\x01\x01\x12-\n" + - "\bcontrols\x18\a \x03(\v2\x11.ampel.v1.ControlR\bcontrolsB\r\n" + + "created_on\x18\x06 \x01(\v2\x1a.google.protobuf.TimestampH\x00R\tcreatedOn\x88\x01\x01\x12X\n" + + "\bcontrols\x18\a \x03(\v2<.in_toto_attestation.predicates.source_provenance.v1.ControlR\bcontrolsB\r\n" + "\v_created_on\"O\n" + "\aControl\x12\x12\n" + "\x04name\x18\x01 \x01(\tR\x04name\x120\n" + - "\x05since\x18\x02 \x01(\v2\x1a.google.protobuf.TimestampR\x05since\"\x8f\x02\n" + + "\x05since\x18\x02 \x01(\v2\x1a.google.protobuf.TimestampR\x05since\"\xe5\x02\n" + "\x11TagProvenancePred\x12\x19\n" + "\brepo_uri\x18\x01 \x01(\tR\arepoUri\x12\x14\n" + "\x05actor\x18\x02 \x01(\tR\x05actor\x12\x10\n" + "\x03tag\x18\x03 \x01(\tR\x03tag\x12>\n" + "\n" + - "created_on\x18\x04 \x01(\v2\x1a.google.protobuf.TimestampH\x00R\tcreatedOn\x88\x01\x01\x12-\n" + - "\bcontrols\x18\a \x03(\v2\x11.ampel.v1.ControlR\bcontrols\x129\n" + - "\rvsa_summaries\x18\b \x03(\v2\x14.ampel.v1.VsaSummaryR\fvsaSummariesB\r\n" + - "\v_created_on\"U\n" + + "created_on\x18\x04 \x01(\v2\x1a.google.protobuf.TimestampH\x00R\tcreatedOn\x88\x01\x01\x12X\n" + + "\bcontrols\x18\a \x03(\v2<.in_toto_attestation.predicates.source_provenance.v1.ControlR\bcontrols\x12d\n" + + "\rvsa_summaries\x18\b \x03(\v2?.in_toto_attestation.predicates.source_provenance.v1.VsaSummaryR\fvsaSummariesB\r\n" + + "\v_created_on\"V\n" + "\n" + "VsaSummary\x12\x1f\n" + "\vsource_refs\x18\x01 \x03(\tR\n" + - "sourceRefs\x12&\n" + - "\x0everifiedLevels\x18\x02 \x03(\tR\x0everifiedLevelsB\x9a\x01\n" + - 
"\fcom.ampel.v1B\x0fProvenanceProtoP\x01Z8github.com/slsa-framework/slsa-source-poc/pkg/provenance\xa2\x02\x03AXX\xaa\x02\bAmpel.V1\xca\x02\bAmpel\\V1\xe2\x02\x14Ampel\\V1\\GPBMetadata\xea\x02\tAmpel::V1b\x06proto3" + "sourceRefs\x12'\n" + + "\x0fverified_levels\x18\x02 \x03(\tR\x0everifiedLevelsB\xe7\x02\n" + + "7com.in_toto_attestation.predicates.source_provenance.v1B\x0fProvenanceProtoP\x01Z8github.com/slsa-framework/slsa-source-poc/pkg/provenance\xa2\x02\x03IPS\xaa\x020InTotoAttestation.Predicates.SourceProvenance.V1\xca\x020InTotoAttestation\\Predicates\\SourceProvenance\\V1\xe2\x02 google.protobuf.Timestamp - 1, // 1: ampel.v1.SourceProvenancePred.controls:type_name -> ampel.v1.Control - 4, // 2: ampel.v1.Control.since:type_name -> google.protobuf.Timestamp - 4, // 3: ampel.v1.TagProvenancePred.created_on:type_name -> google.protobuf.Timestamp - 1, // 4: ampel.v1.TagProvenancePred.controls:type_name -> ampel.v1.Control - 3, // 5: ampel.v1.TagProvenancePred.vsa_summaries:type_name -> ampel.v1.VsaSummary + 4, // 0: in_toto_attestation.predicates.source_provenance.v1.SourceProvenancePred.created_on:type_name -> google.protobuf.Timestamp + 1, // 1: in_toto_attestation.predicates.source_provenance.v1.SourceProvenancePred.controls:type_name -> in_toto_attestation.predicates.source_provenance.v1.Control + 4, // 2: in_toto_attestation.predicates.source_provenance.v1.Control.since:type_name -> google.protobuf.Timestamp + 4, // 3: in_toto_attestation.predicates.source_provenance.v1.TagProvenancePred.created_on:type_name -> google.protobuf.Timestamp + 1, // 4: in_toto_attestation.predicates.source_provenance.v1.TagProvenancePred.controls:type_name -> in_toto_attestation.predicates.source_provenance.v1.Control + 3, // 5: in_toto_attestation.predicates.source_provenance.v1.TagProvenancePred.vsa_summaries:type_name -> in_toto_attestation.predicates.source_provenance.v1.VsaSummary 6, // [6:6] is the sub-list for method output_type 6, // [6:6] is the sub-list for method 
input_type 6, // [6:6] is the sub-list for extension type_name
diff --git a/proto/v1/policy.proto b/proto/v1/policy.proto
index d143c83f..b0005534 100644
--- a/proto/v1/policy.proto
+++ b/proto/v1/policy.proto
@@ -2,50 +2,51 @@ // SPDX-License-Identifier: Apache-2.0
 syntax = "proto3";
-package ampel.v1;
+package in_toto_attestation.predicates.source_provenance.v1;
 import "google/protobuf/timestamp.proto";
+// buf:lint:ignore PACKAGE_SAME_GO_PACKAGE
 option go_package = "github.com/slsa-framework/slsa-source-poc/pkg/policy";
 // The repository policy definition
 message RepoPolicy {
- string canonical_repo = 1 [json_name="canonical_repo"];
- repeated ProtectedBranch protected_branches = 2 [json_name="protected_branches"];
- optional ProtectedTag protected_tag = 3;
+ string canonical_repo = 1 [json_name = "canonical_repo"];
+ repeated ProtectedBranch protected_branches = 2 [json_name = "protected_branches"];
+ optional ProtectedTag protected_tag = 3;
 }
 // When a branch requires multiple controls, they must all be enabled
 // at or before 'since'.
 message ProtectedBranch {
- string name = 1;
- google.protobuf.Timestamp since = 2;
- // We override this string with slsa.SlsaSourceLevel
- string target_slsa_source_level = 3;
- bool require_review = 4;
- repeated OrgStatusCheckControl org_status_check_controls = 5 [json_name="org_status_check_controls"];
+ string name = 1;
+ google.protobuf.Timestamp since = 2;
+ // We override this string with slsa.SlsaSourceLevel
+ string target_slsa_source_level = 3;
+ bool require_review = 4;
+ repeated OrgStatusCheckControl org_status_check_controls = 5 [json_name = "org_status_check_controls"];
 }
 // The controls required for protected tags.
 message ProtectedTag {
- google.protobuf.Timestamp since = 1;
- bool tag_hygiene = 2;
+ google.protobuf.Timestamp since = 1;
+ bool tag_hygiene = 2;
 }
 // Used by orgs to require that specific 'checks' are run on protected
 // branches and to associate those checks with a control name to include
 // in provenance and VSAs.
 // https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#require-status-checks-to-pass-before-merging
-message OrgStatusCheckControl {
- // The property to record in the VSA if the conditions are met.
- // MUST start with `ORG_SOURCE_`.
- // We'll overide this with slsa.ControlName
- string property_name = 1;
-
- // These controls have their own start time to enable orgs to enable
- // new ones without violating continuity on other controls.
- google.protobuf.Timestamp since = 2;
-
- // The name of the 'Status Check' as reported in the GitHub UI & API.
- string check_name = 3;
+message OrgStatusCheckControl {
+ // The property to record in the VSA if the conditions are met.
+ // MUST start with `ORG_SOURCE_`.
+ // We'll overide this with slsa.ControlName
+ string property_name = 1;
+
+ // These controls have their own start time to enable orgs to enable
+ // new ones without violating continuity on other controls.
+ google.protobuf.Timestamp since = 2;
+
+ // The name of the 'Status Check' as reported in the GitHub UI & API.
+ string check_name = 3;
 }
diff --git a/proto/v1/provenance.proto b/proto/v1/provenance.proto
index 8445d6c3..8b6b7943 100644
--- a/proto/v1/provenance.proto
+++ b/proto/v1/provenance.proto
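Review bot: The new `// buf:lint:ignore PACKAGE_SAME_GO_PACKAGE` line suppresses a lint rule without saying why, and the reason is not visible from this file alone: policy.proto and provenance.proto now share the proto package `in_toto_attestation.predicates.source_provenance.v1` while keeping separate `go_package` targets (`pkg/policy` and `pkg/provenance`). Add a one-line rationale above it, e.g. `// policy.proto and provenance.proto share one proto package but are generated into separate Go packages.` The same unexplained ignore line is added in provenance.proto in this commit. Note also that renaming the package from `ampel.v1` changes every fully-qualified message name (e.g. `ampel.v1.RepoPolicy`) in the descriptor and the Go protobuf registry; if any stored policy or attestation carries the old names (for instance inside an `Any`), it will stop resolving after this change, so a compatibility note in the commit or the file header would help readers.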
@@ -2,49 +2,49 @@ // SPDX-License-Identifier: Apache-2.0
 syntax = "proto3";
-package ampel.v1;
+package in_toto_attestation.predicates.source_provenance.v1;
 import "google/protobuf/timestamp.proto";
+// buf:lint:ignore PACKAGE_SAME_GO_PACKAGE
 option go_package = "github.com/slsa-framework/slsa-source-poc/pkg/provenance";
 // The predicate that encodes source provenance data.
 // The git commit this corresponds to is encoded in the surrounding statement.
 message SourceProvenancePred {
- // The commit preceding 'Commit' in the current context.
- string prev_commit = 1;
- string repo_uri = 2;
- string activity_type = 3;
- string actor = 4;
- string branch = 5;
- optional google.protobuf.Timestamp created_on = 6;
- // TODO: get the author of the PR (if this was from a PR).
-
- // The controls enabled at the time this commit was pushed.
- repeated Control controls = 7;
+ // The commit preceding 'Commit' in the current context.
+ string prev_commit = 1;
+ string repo_uri = 2;
+ string activity_type = 3;
+ string actor = 4;
+ string branch = 5;
+ optional google.protobuf.Timestamp created_on = 6;
+ // TODO: get the author of the PR (if this was from a PR).
+
+ // The controls enabled at the time this commit was pushed.
+ repeated Control controls = 7;
 }
-message Control {
- // The name of the control
- string name = 1;
- // The time from which this control has been continuously enforced/observed.
- google.protobuf.Timestamp since = 2;
+message Control {
+ // The name of the control
+ string name = 1;
+ // The time from which this control has been continuously enforced/observed.
+ google.protobuf.Timestamp since = 2;
 }
 message TagProvenancePred {
- string repo_uri = 1;
- string actor = 2;
- string tag = 3;
- optional google.protobuf.Timestamp created_on = 4;
-
- // The tag related controls enabled at the time this tag was created/updated.
- repeated Control controls = 7;
- repeated VsaSummary vsa_summaries = 8;
+ string repo_uri = 1;
+ string actor = 2;
+ string tag = 3;
+ optional google.protobuf.Timestamp created_on = 4;
+
+ // The tag related controls enabled at the time this tag was created/updated.
+ repeated Control controls = 7;
+ repeated VsaSummary vsa_summaries = 8;
 }
 // Summary of a summary
 message VsaSummary {
- repeated string source_refs = 1;
- repeated string verifiedLevels = 2;
+ repeated string source_refs = 1;
+ repeated string verified_levels = 2 [json_name = "verifiedLevels"];
 }
-
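Review bot: Renaming `verifiedLevels` to `verified_levels` with `[json_name = "verifiedLevels"]` keeps protojson output unchanged, but the regenerated struct in pkg/provenance/provenance.pb.go in this same commit now carries `json:"verified_levels,omitempty"`, so any code path that marshals `VsaSummary` with encoding/json instead of protojson would start emitting a different key; if such a path exists it needs a compatibility check, and if not, a short comment on the field saying that protojson is the supported encoding would prevent the question from recurring. The `// Summary of a summary` comment on `VsaSummary` does not tell a reader what is summarised; replace it with a sentence that names what `source_refs` and `verified_levels` hold and which VSA they describe, confirmed against how `TagProvenancePred.vsa_summaries` is populated, since that is not visible here. The trailing removed blank line at the end of the file is fine.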