update

Signed-off-by: laurentsimon <laurentsimon@google.com>
slsa-framework · Dec 22, 2022 · 9aabb1c · 9aabb1c
1 parent 3f4ffec
commit 9aabb1c
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 81 deletions.
diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml
@@ -110,73 +110,8 @@ jobs:
           slsa-workflow-inputs: '{"name1":"value1","name2":"value2","private-repository":true}'
       - env:
           SLSA_TOKEN: ${{ steps.setup.outputs.slsa-token }}
-        run: |
-          set -euo pipefail
-
-          # NOTE: this is a pre-submit, so the signature is not generated and there is
-          # just a place holder for it.
-          echo "SLSA_TOKEN: $SLSA_TOKEN"
-          [[ "$SLSA_TOKEN" != "" ]]
-
-          b64_token="$(echo -n $SLSA_TOKEN | cut -d '.' -f2)"
-          echo "b64_token:"
-          echo "$b64_token"
-
-          decoded_token="$(echo $b64_token | base64 -d)"
-          echo "decoded_token:"
-          echo "$decoded_token"
-
-          # Non-GitHub's information.
-          audience=$(echo "$decoded_token" | jq -r '.builder.audience')
-          runner_label=$(echo "$decoded_token" | jq -r '.builder."runner-label"')
-          private_repository=$(echo "$decoded_token" | jq -r '.builder."private-repository"')
-          action_path=$(echo "$decoded_token" | jq -r '.tool.actions."build-artifacts".path')
-          inputs=$(echo "$decoded_token" | jq -rc '.tool.inputs')
-
-          # GitHub's information.
-          run_attempt=$(echo "$decoded_token" | jq -r '.github.run_attempt')
-          run_id=$(echo "$decoded_token" | jq -r '.github.run_id')
-          run_number=$(echo "$decoded_token" | jq -r '.github.run_number')
-          sha=$(echo "$decoded_token" | jq -r '.github.sha')
-          workflow=$(echo "$decoded_token" | jq -r '.github.workflow')
-          event_name=$(echo "$decoded_token" | jq -r '.github.event_name')
-          repository=$(echo "$decoded_token" | jq -r '.github.repository')
-          repository_owner=$(echo "$decoded_token" | jq -r '.github.repository_owner')
-          ref=$(echo "$decoded_token" | jq -r '.github.ref')
-          ref_type=$(echo "$decoded_token" | jq -r '.github.ref_type')
-          actor=$(echo "$decoded_token" | jq -r '.github.actor')
-
-          echo "audience: $audience"
-          echo "runner_label: $runner_label"
-          echo "private_repository: $private_repository"
-          echo "action_path: $action_path"
-          echo "inputs: $inputs"
-          echo "run_attempt: $run_attempt - $GITHUB_RUN_ATTEMPT"
-          echo "run_id: $run_id - $GITHUB_RUN_ID"
-          echo "run_number: $run_number - $GITHUB_RUN_NUMBER"
-          echo "sha: $sha - $GITHUB_SHA"
-          echo "workflow: $workflow - $GITHUB_WORKFLOW"
-          echo "event_name: $event_name - $GITHUB_EVENT_NAME"
-          echo "repository: $repository - $GITHUB_REPOSITORY"
-          echo "repository_owner: $repository_owner - $GITHUB_REPOSITORY_OWNER"
-          echo "ref: $ref - $GITHUB_REF"
-          echo "ref_type: $ref_type - $GITHUB_REF_TYPE"
-
-          [[ "$audience" == "delegator_generic_slsa3.yml" ]]
-          [[ "$run_attempt" == "$GITHUB_RUN_ATTEMPT" ]]
-          [[ "$run_number" == "$GITHUB_RUN_NUMBER" ]]
-          [[ "$run_id" == "$GITHUB_RUN_ID" ]]
-          [[ "$sha" == "$GITHUB_SHA" ]]
-          [[ "$workflow" == "$GITHUB_WORKFLOW" ]]
-          [[ "$runner_label" == "ubuntu-latest" ]]
-          [[ "$private_repository" == "true" ]]
-          [[ "$action_path" == "./actions/build-artifacts-composite" ]]
-          [[ "$inputs" == '{"name1":"value1","name2":"value2","private-repository":true}' ]]
-          [[ "$event_name" == "$GITHUB_EVENT_NAME" ]]
-          [[ "$repository" == "$GITHUB_REPOSITORY" ]]
-          [[ "$repository_owner" == "$GITHUB_REPOSITORY_OWNER" ]]
-          [[ "$ref" == "$GITHUB_REF" ]]
-          [[ "$ref_type" == "$GITHUB_REF_TYPE" ]]
+        run: ./.github/workflows/scripts/pre-submit.actions/setup-token.sh
+
 
   references:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/scripts/pre-submit.actions/setup-token.sh b/.github/workflows/scripts/pre-submit.actions/setup-token.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# NOTE: this is a pre-submit, so the signature is not generated and there is
+# just a place holder for it.
+echo "SLSA_TOKEN: $SLSA_TOKEN"
+[[ "$SLSA_TOKEN" != "" ]]
+
+b64_token=$(echo -n "$SLSA_TOKEN" | cut -d '.' -f2)
+echo "b64_token:"
+echo "$b64_token"
+
+decoded_token=$(echo "$b64_token" | base64 -d)
+echo "decoded_token:"
+echo "$decoded_token"
+
+# Non-GitHub's information.
+audience=$(echo "$decoded_token" | jq -r '.builder.audience')
+runner_label=$(echo "$decoded_token" | jq -r '.builder."runner-label"')
+private_repository=$(echo "$decoded_token" | jq -r '.builder."private-repository"')
+action_path=$(echo "$decoded_token" | jq -r '.tool.actions."build-artifacts".path')
+inputs=$(echo "$decoded_token" | jq -rc '.tool.inputs')
+
+# GitHub's information.
+run_attempt=$(echo "$decoded_token" | jq -r '.github.run_attempt')
+run_id=$(echo "$decoded_token" | jq -r '.github.run_id')
+run_number=$(echo "$decoded_token" | jq -r '.github.run_number')
+sha=$(echo "$decoded_token" | jq -r '.github.sha')
+workflow=$(echo "$decoded_token" | jq -r '.github.workflow')
+event_name=$(echo "$decoded_token" | jq -r '.github.event_name')
+repository=$(echo "$decoded_token" | jq -r '.github.repository')
+repository_owner=$(echo "$decoded_token" | jq -r '.github.repository_owner')
+ref=$(echo "$decoded_token" | jq -r '.github.ref')
+ref_type=$(echo "$decoded_token" | jq -r '.github.ref_type')
+actor=$(echo "$decoded_token" | jq -r '.github.actor')
+
+assert_eq "delegator_generic_slsa3.yml", "$audience"
+assert_eq "$GITHUB_RUN_ATTEMPT", "$run_attempt"
+assert_eq "$GITHUB_RUN_NUMBER", "$run_number"
+assert_eq "$GITHUB_RUN_ID", "$run_id"
+assert_eq "$GITHUB_SHA", "$sha"
+assert_eq "$GITHUB_WORKFLOW", "$workflow"
+assert_eq "ubuntu-latest", "$runner_label"
+assert_eq "true", "$private_repository"
+assert_eq "./actions/build-artifacts-composite", "$action_path"
+assert_eq '{"name1":"value1","name2":"value2","private-repository":true}', "$inputs"
+assert_eq "$GITHUB_EVENT_NAME", "$event_name"
+assert_eq "$GITHUB_REPOSITORY", "$repository"
+assert_eq "$GITHUB_REPOSITORY_OWNER", "$repository_owner"
+assert_eq "$GITHUB_REF", "$ref"
+assert_eq "$GITHUB_REF_TYPE", "$ref_type"
+assert_eq "$GITHUB_ACTOR", "$actor"
diff --git a/actions/setup-token/Makefile b/actions/setup-token/Makefile
@@ -1,5 +1,4 @@
 SHELL := /bin/bash
-OUTPUT_FORMAT = $(shell if [ "${GITHUB_ACTIONS}" == "true" ]; then echo "github"; else echo ""; fi)
 
 .PHONY: help
 help: ## Shows all targets and help from the Makefile (this message).

diff --git a/actions/setup-token/dist/index.js b/actions/setup-token/dist/index.js
@@ -97,7 +97,7 @@ function run() {
                     audience: workflowRecipient,
                 },
                 github: {
-                    // TODO: Re-evaluate if we need the context.
+                    // TODO(#1410): Re-evaluate if we need the context.
                     context: github,
                     event_name: process.env.GITHUB_EVENT_NAME,
                     run_attempt: process.env.GITHUB_RUN_ATTEMPT,
@@ -107,7 +107,7 @@ function run() {
                     sha: process.env.GITHUB_SHA,
                     repository: process.env.GITHUB_REPOSITORY,
                     repository_owner: process.env.GITHUB_REPOSITORY_OWNER,
-                    // TODO: enable if these become available.
+                    // TODO(#1411): Record if these become available.
                     // repository_id: process.env.GITHUB_REPOSITORY_ID,
                     // repository_owner_id: process.env.GITHUB_REPOSITORY_OWNER_ID,
                     ref: process.env.GITHUB_REF,
@@ -120,9 +120,6 @@ function run() {
                             path: buildArtifactsActionPath,
                         },
                     },
-                    // TODO: grab the calling workflow here ?
-                    // We need it for policy authz and we should report it
-                    // somewhere. Where?
                     inputs: workflowInputs,
                 },
             };
@@ -146,7 +143,7 @@ function run() {
             core.info(`bundleB64: ${bundleB64}`);
             // Verify just to double check.
             // NOTE: this is an offline verification.
-            // TODO: renable when https://github.com/sigstore/sigstore-js/issues/215
+            // TODO(https://github.com/sigstore/sigstore-js/issues/215): Re-enable when fixed.
             // await sigstore.sigstore.verify(bundle, Buffer.from(unsignedB64Token));
             // Output the signed token.
             core.info(`slsa-token: ${bundleB64}.${unsignedB64Token}`);

diff --git a/actions/setup-token/dist/index.js.map b/actions/setup-token/dist/index.js.map
diff --git a/actions/setup-token/src/main.ts b/actions/setup-token/src/main.ts
@@ -62,7 +62,7 @@ async function run(): Promise<void> {
         audience: workflowRecipient,
       },
       github: {
-        // TODO: Re-evaluate if we need the context.
+        // TODO(#1410): Re-evaluate if we need the context.
         context: github,
         event_name: process.env.GITHUB_EVENT_NAME,
         run_attempt: process.env.GITHUB_RUN_ATTEMPT,
@@ -72,7 +72,7 @@ async function run(): Promise<void> {
         sha: process.env.GITHUB_SHA,
         repository: process.env.GITHUB_REPOSITORY,
         repository_owner: process.env.GITHUB_REPOSITORY_OWNER,
-        // TODO: enable if these become available.
+        // TODO(#1411): Record if these become available.
         // repository_id: process.env.GITHUB_REPOSITORY_ID,
         // repository_owner_id: process.env.GITHUB_REPOSITORY_OWNER_ID,
         ref: process.env.GITHUB_REF,
@@ -85,9 +85,6 @@ async function run(): Promise<void> {
             path: buildArtifactsActionPath,
           },
         },
-        // TODO: grab the calling workflow here ?
-        // We need it for policy authz and we should report it
-        // somewhere. Where?
         inputs: workflowInputs,
       },
     };
@@ -117,7 +114,7 @@ async function run(): Promise<void> {
 
     // Verify just to double check.
     // NOTE: this is an offline verification.
-    // TODO: renable when https://github.com/sigstore/sigstore-js/issues/215
+    // TODO(https://github.com/sigstore/sigstore-js/issues/215): Re-enable when fixed.
     // await sigstore.sigstore.verify(bundle, Buffer.from(unsignedB64Token));
 
     // Output the signed token.