diff --git a/.github/actions/detect-workflow-js/__tests__/main.test.ts b/.github/actions/detect-workflow-js/__tests__/main.test.ts
index 4bac86fec9..671e87f676 100644
--- a/.github/actions/detect-workflow-js/__tests__/main.test.ts
+++ b/.github/actions/detect-workflow-js/__tests__/main.test.ts
@@ -52,9 +52,8 @@ describe("detectWorkflowFromOIDC", () => {
 core.getIDToken.mockClear();
 core.getIDToken.mockReturnValueOnce(jwt);
- const [repo, ref, workflow] = await detect.detectWorkflowFromOIDC(
- "some/audience",
- );
+ const [repo, ref, workflow] =
+ await detect.detectWorkflowFromOIDC("some/audience");
 expect(repo).toBe("octo-org/octo-automation");
 expect(ref).toBe("refs/heads/main");
 expect(workflow).toBe(".github/workflows/oidc.yml");
@@ -72,9 +71,8 @@ describe("detectWorkflowFromOIDC", () => {
 core.getIDToken.mockClear();
 core.getIDToken.mockReturnValueOnce(jwt);
- const [repo, ref, workflow] = await detect.detectWorkflowFromOIDC(
- "some/audience",
- );
+ const [repo, ref, workflow] =
+ await detect.detectWorkflowFromOIDC("some/audience");
 expect(repo).toBe("vitejs/vite");
 expect(ref).toBe("refs/tags/create-vite@5.0.0-beta.0");
 expect(workflow).toBe(".github/workflows/publish.yml");
diff --git a/.github/actions/secure-upload-folder/action.yml b/.github/actions/secure-upload-folder/action.yml
index 11294b3be6..913f52505f 100644
--- a/.github/actions/secure-upload-folder/action.yml
+++ b/.github/actions/secure-upload-folder/action.yml
@@ -22,7 +22,7 @@ inputs:
 An example is to use `${RNG}-artifact`.
 required: true
 path:
- description: 'Path to the folder'
+ description: "Path to the folder"
 required: true
 outputs:
 sha256:
diff --git a/.github/workflows/builder_bazel_slsa3.yml b/.github/workflows/builder_bazel_slsa3.yml
index 129a13f922..18d1223f42 100644
--- a/.github/workflows/builder_bazel_slsa3.yml
+++ b/.github/workflows/builder_bazel_slsa3.yml
@@ -99,7 +99,7 @@ jobs:
 permissions:
 id-token: write # For signing.
 contents: read # For asset uploads.
- actions: read # For the entrypoint.
+ actions: read # For the entrypoint.
 uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@main
 with:
 slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }}
diff --git a/.github/workflows/builder_gradle_slsa3.yml b/.github/workflows/builder_gradle_slsa3.yml
index 53dea0476b..beafe4a73d 100644
--- a/.github/workflows/builder_gradle_slsa3.yml
+++ b/.github/workflows/builder_gradle_slsa3.yml
@@ -84,7 +84,7 @@ jobs:
 permissions:
 id-token: write # For signing.
 contents: read # For asset uploads.
- actions: read # For the entrypoint.
+ actions: read # For the entrypoint.
 uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@main
 with:
 slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }}
diff --git a/BYOB.md b/BYOB.md
index a4db427341..2ad107a9bf 100644
--- a/BYOB.md
+++ b/BYOB.md
@@ -148,7 +148,7 @@ Secrets should only be high-entropy values. Do not set username or other low-ent
 #### Outputs
-The outputs from the TCA may be returned to the PW as well. To do this, use the [outputs section](https://github.com/laurentsimon/byob-doc/tree/v0.0.1/.github/workflows/builder_example_slsa3.yml#L61-L67) to define the artifact and the status. Our example uses [additional outputs](https://github.com/laurentsimon/byob-doc/tree/v0.0.1/.github/workflows/builder_example_slsa3.yml#L69-L75) to provide metadata about the built artifacts and their provenance. We will discuss them in [Section: Upload Attestations](#upload-attestations).
+The outputs from the TCA may be returned to the PW as well. To do this, use the [outputs section](https://github.com/laurentsimon/byob-doc/tree/v0.0.1/.github/workflows/builder_example_slsa3.yml#L61-L67) to define the artifact and the status. Our example uses [additional outputs](https://github.com/laurentsimon/byob-doc/tree/v0.0.1/.github/workflows/builder_example_slsa3.yml#L69-L75) to provide metadata about the built artifacts and their provenance. We will discuss them in [Section: Upload Attestations](#upload-attestations).
 #### Important Notes
diff --git a/README.md b/README.md
index 42e037e1d4..f8c7ead5e1 100644
--- a/README.md
+++ b/README.md
@@ -174,20 +174,20 @@ requirements for [SLSA Build level 3 and above](https://slsa.dev/spec/v1.0/level
 This repository hosts the following builders:
-| Ecosystem | Builder | Description | Status |
-|:-----------|:-----------------|:------------|:--------|
-| [Go](https://go.dev/) projects | [Go Builder](internal/builders/go/README.md) | Builds and generates provenance for Go projects | [available since v1.0.0](https://github.com/slsa-framework/slsa-github-generator/milestone/1) |
-| [Node.js](https://nodejs.org) projects | [Node.js Builder](internal/builders/nodejs/README.md) | Builds and generates provenance for npm packages | [Beta since v1.6.0](https://github.com/slsa-framework/slsa-github-generator/milestone/8). [Expected GA release Sept 2023](https://github.com/slsa-framework/slsa-github-generator/milestone/17)
-| [Maven](https://maven.apache.org/) projects | [Maven builder](internal/builders/maven/README.md) | Build Maven packages and generates provenance. Can be uploaded to [Maven central](https://search.maven.org) | [Beta since v1.9.0](https://github.com/slsa-framework/slsa-github-generator/milestone/14) |
-| [Gradle](https://gradle.org/) projects | [Gradle builder](internal/builders/gradle/README.md) | Build Gradle projects and generates provenance. Can be uploaded to [Maven central](https://search.maven.org) | [Beta since v1.9.0](https://github.com/slsa-framework/slsa-github-generator/milestone/15) |
-| [Bazel](https://bazel.build/) projects | [Bazel builder](internal/builders/bazel/README.md) | Builds [Bazel](https://bazel.build/) projects and generates provenance | [WIP](https://github.com/slsa-framework/slsa-github-generator/milestone/16) |
-| [docker](https://www.docker.com/) images | Container Builder | Builds docker containers and generates provenance. 
The generated provenance is compatible with [cosign](https://github.com/sigstore/cosign)'s attestation format | [WIP](https://github.com/slsa-framework/slsa-github-generator/milestone/5) |
-| Any | [Container-based Builder](internal/builders/docker/README.md) | Builds projects whose build pipeline is defined with a Dockerfile | [Beta since v1.7.0](https://github.com/slsa-framework/slsa-github-generator/milestone/16) |
+| Ecosystem | Builder | Description | Status |
+| :------------------------------------------ | :------------------------------------------------------------ | :--------------------------------------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [Go](https://go.dev/) projects | [Go Builder](internal/builders/go/README.md) | Builds and generates provenance for Go projects | [available since v1.0.0](https://github.com/slsa-framework/slsa-github-generator/milestone/1) |
+| [Node.js](https://nodejs.org) projects | [Node.js Builder](internal/builders/nodejs/README.md) | Builds and generates provenance for npm packages | [Beta since v1.6.0](https://github.com/slsa-framework/slsa-github-generator/milestone/8). [Expected GA release Sept 2023](https://github.com/slsa-framework/slsa-github-generator/milestone/17) |
+| [Maven](https://maven.apache.org/) projects | [Maven builder](internal/builders/maven/README.md) | Build Maven packages and generates provenance. Can be uploaded to [Maven central](https://search.maven.org) | [Beta since v1.9.0](https://github.com/slsa-framework/slsa-github-generator/milestone/14) |
+| [Gradle](https://gradle.org/) projects | [Gradle builder](internal/builders/gradle/README.md) | Build Gradle projects and generates provenance. 
Can be uploaded to [Maven central](https://search.maven.org) | [Beta since v1.9.0](https://github.com/slsa-framework/slsa-github-generator/milestone/15) |
+| [Bazel](https://bazel.build/) projects | [Bazel builder](internal/builders/bazel/README.md) | Builds [Bazel](https://bazel.build/) projects and generates provenance | [WIP](https://github.com/slsa-framework/slsa-github-generator/milestone/16) |
+| [docker](https://www.docker.com/) images | Container Builder | Builds docker containers and generates provenance. The generated provenance is compatible with [cosign](https://github.com/sigstore/cosign)'s attestation format | [WIP](https://github.com/slsa-framework/slsa-github-generator/milestone/5) |
+| Any | [Container-based Builder](internal/builders/docker/README.md) | Builds projects whose build pipeline is defined with a Dockerfile | [Beta since v1.7.0](https://github.com/slsa-framework/slsa-github-generator/milestone/16) |
 There are other available builders using this repository's [BYOB framework](#build-your-own-builder) and not hosted in this repository:
-| Ecosystem | Builder | Description | Status |
-|:-----------|:-----------------|:------------|:--------|
+| Ecosystem | Builder | Description | Status |
+| :------------------------------------------- | :-------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | :-------------------------------------------------------------------------------- |
 | [JReleaser](https://jreleaser.org/) projects | [JReleaser builder](https://github.com/jreleaser/release-action/tree/java#slsa-builder) | Builds and generates provenance using [JReleaser](https://jreleaser.org/) | [since v1.0.0-java](https://github.com/jreleaser/release-action/tree/v1.0.0-java) |
 If none of these options fit your needs, use a [generator](#generators) as described below:
diff --git a/actions/delegator/secure-upload-folder/action.yml b/actions/delegator/secure-upload-folder/action.yml
index 3e673b970c..96a1ca5cb0 100644
--- a/actions/delegator/secure-upload-folder/action.yml
+++ b/actions/delegator/secure-upload-folder/action.yml
@@ -22,7 +22,7 @@ inputs:
 An example is to use `${RNG}-artifact`.
 required: true
 path:
- description: 'Path to the folder'
+ description: "Path to the folder"
 required: true
 outputs:
 sha256:
diff --git a/actions/generator/generic/create-base64-subjects-from-file/action.yml b/actions/generator/generic/create-base64-subjects-from-file/action.yml
index eed900be4d..556615b84b 100644
--- a/actions/generator/generic/create-base64-subjects-from-file/action.yml
+++ b/actions/generator/generic/create-base64-subjects-from-file/action.yml
@@ -16,7 +16,7 @@ name: "Secure subjects file sharing generic generator"
 description: "Create a list of subjects from a file"
 inputs:
 path:
- description: 'A path to a file containing the base64-subjects.'
+ description: "A path to a file containing the base64-subjects."
 required: true
 outputs:
 handle:
diff --git a/actions/gradle/publish/README.md b/actions/gradle/publish/README.md
index 6c6057c584..98bc4cf02f 100644
--- a/actions/gradle/publish/README.md
+++ b/actions/gradle/publish/README.md
@@ -54,7 +54,7 @@ publishing {
 create("maven") {
 artifactId = "test-java-project"
 from(components["java"])
-
+
 pom {
 name.set("test-java-project")
 description.set("Adam's test java project")
@@ -173,7 +173,7 @@ publishing {
 extension = ext
 }
 }
- }
+ }
 pom {
 name.set("test-java-project")
 description.set("Adams test java project")
diff --git a/internal/builders/bazel/README.md b/internal/builders/bazel/README.md
index c9523e404a..5643186d56 100644
--- a/internal/builders/bazel/README.md
+++ b/internal/builders/bazel/README.md
@@ -153,13 +153,13 @@ packaged with it. For instance if there is a Java target named Main it would be
 │   ├── Main # This is the run-script
│   └── Main_deploy.jar
-Each Java target, whether specified as in the targets input as a `_deploy.jar` or not, will be built as a [_deploy.jar](https://bazel.build/reference/be/java) which contains all classes found by classloader and native libraries for dependencies.
+Each Java target, whether specified as in the targets input as a `_deploy.jar` or not, will be built as a [\_deploy.jar](https://bazel.build/reference/be/java) which contains all classes found by classloader and native libraries for dependencies.
 Since the artifact is built on a Github Runner, the run-script has the VM's Java bin path hardcoded in. However, the run-script has been modified to include an additional flag, `--local_javabin` to change the Java Bin path to the user's. To run the JAR using the run-script the `--singlejar` flag must be specified to signal to the run-script that the JAR is a `_deploy.jar`. Additionally, `--local_javabin` must be set to the path of the user's Java Bin to run it. Therefore running the JAR would look like the following: `./Main --singlejar --local_javabin="path/to/user/bin/java"`
-Note that Java targets do not need to have the `needs-runfiles` flag to be true in order to create the _deploy.jar and run-script for it.
+Note that Java targets do not need to have the `needs-runfiles` flag to be true in order to create the \_deploy.jar and run-script for it.
 ### Referencing the Bazel builder
@@ -222,37 +222,37 @@ The Bazel builder accepts the following inputs:
 Inputs:
-| Name | Required | Default | Description |
-| ----------------- | -------- | ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| rekor-log-public | No | false | Set to true to opt-in to posting to the public transparency log. Will generate an error if false for private repositories. This input has no effect for public repositories. See [Private Repositories](#private-repositories).
Default: `false` |
-| targets | Yes | | A space separated list of targets to build and generate artifacts for. See [targets](https://bazel.build/concepts/build-ref#targets) for more information. \ |
-| flags | No | "" | A space separated list of flags to modify the build by. See [flags](https://bazel.build/docs/user-manual#build-options) for more information. \ |
+| Name | Required | Default | Description |
+| ---------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| rekor-log-public | No | false | Set to true to opt-in to posting to the public transparency log. Will generate an error if false for private repositories. This input has no effect for public repositories. See [Private Repositories](#private-repositories).
Default: `false` |
+| targets | Yes | | A space separated list of targets to build and generate artifacts for. See [targets](https://bazel.build/concepts/build-ref#targets) for more information. \ |
+| flags | No | "" | A space separated list of flags to modify the build by. See [flags](https://bazel.build/docs/user-manual#build-options) for more information. \ |
 ### Workflow Outputs
 The Bazel builder produces the following outputs:
-| Name | Description |
-| -------------------------- | ---------------------------------------------------------------------- |
-| provenance-download-name | The name of the provenance attestation uploaded to the workflow run. |
+| Name | Description |
+| ------------------------ | ------------------------------------------------------------------- |
+| provenance-download-name | The name of the provenance attestation uploaded to the workflow run. |
 ### Provenance Format
 Provenance is generated as an [in-toto](https://in-toto.io/) statement with a SLSA v1.0 predicate.
-| Name | Value | Description |
-| -------------- | -------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
-| `subject.name` | Artifact Name | The subject identifies the artifact built by the builder. The provenance attests the build process for the artifact listed. |
+| Name | Value | Description |
+| -------------- | ------------- | --------------------------------------------------------------------------------------------------------------------------- |
+| `subject.name` | Artifact Name | The subject identifies the artifact built by the builder. The provenance attests the build process for the artifact listed. |
 The project generates SLSA v1.0 provenance predicate with the following values.
-| Name | Value | Description |
-| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `runDetails.builder.id` | `https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_bazel_slsa3.yml@refs/tags/v1.7.0"` | Identifies the Bazel builder |
-| `buildDefinition.buildType` | `"https://github.com/slsa-framework/slsa-github-generator/delegator-generic@v0"` | Identifies a the GitHub Actions build. |
-| `runDetails.metadata.invocationID` | `"[run_id]-[run_attempt]"` | The GitHub Actions [`run_id`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context) does not update when a workflow is re-run. Run attempt is added to make the build invocation ID unique. |
-| `externalParameters.inputs | User Inputted Values | Identifies the inputs to the Bazel Builder that were passed in |
+| Name | Value | Description |
+| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `runDetails.builder.id` | `https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_bazel_slsa3.yml@refs/tags/v1.7.0"` | Identifies the Bazel builder |
+| `buildDefinition.buildType` | `"https://github.com/slsa-framework/slsa-github-generator/delegator-generic@v0"` | Identifies a the GitHub Actions build. 
|
+| `runDetails.metadata.invocationID` | `"[run_id]-[run_attempt]"` | The GitHub Actions [`run_id`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context) does not update when a workflow is re-run. Run attempt is added to make the build invocation ID unique. |
+| `externalParameters.inputs | User Inputted Values | Identifies the inputs to the Bazel Builder that were passed in |
 ### Provenance Example
diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index 61928d8e00..4185ad4e16 100644
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -214,18 +214,18 @@ Inputs:
 | `continue-on-error` | Set to true to ignore errors. This option is useful if you won't want a failure to fail your entire workflow.
Default: `false` |
 | `gcp-workload-identity-provider` | The full identifier of the Workload Identity Provider, including the project number, pool name, and provider name. If provided, this must be the full identifier which includes all parts:
`projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider` |
 | `gcp-service-account` | Email address or unique identifier of the Google Cloud service account for which to generate credentials. For example:
`my-service-account@my-project.iam.gserviceaccount.com` |
-| `provenance-registry-username` | Username when publishing to provenance registry (option 'provenance-registry') instead of image registry. Either `provenance-registry-username` input or `provenance-registry-username` secret is required. |
-| `provenance-registry` | If set, provenance is pushed to this registry instead of image registry. (e.g. `gcr.io/my-new-repo`) |
+| `provenance-registry-username` | Username when publishing to provenance registry (option 'provenance-registry') instead of image registry. Either `provenance-registry-username` input or `provenance-registry-username` secret is required. |
+| `provenance-registry` | If set, provenance is pushed to this registry instead of image registry. (e.g. `gcr.io/my-new-repo`) |
 Secrets:
-| Name | Description |
-|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `image` | The OCI image name. This must not include a tag or digest. Either `image` input or `image` secret is **required**. Secret `image` value takes precedence on `image` input value. Should be used in scenarios when the image name contains secret values, and therefore can't be provided directly. Use case - an undisclosed private registry use. |
-| `registry-username` | Username to log in the container registry. Either `registry-username` input or `registry-username` secret is required. 
This should only be used for high entropy values such as AWS Access Key as described [here](https://github.com/docker/login-action#aws-elastic-container-registry-ecr). Normal username values could match other input values and cause them to be ignored by GitHub Actions and causing your build to fail. In those cases, use the `registry-username` input instead. |
-| `registry-password` | **(Required)** Password to log in the container registry. |
-| `provenance-registry-username` | Username when publishing to provenance registry (option 'provenance-registry') instead of image registry. Either `provenance-registry-username` input or `provenance-registry-username` secret is required. This should only be used for high entropy values such as AWS Access Key as described [here](https://github.com/docker/login-action#aws-elastic-container-registry-ecr). Normal username values could match other input values and cause them to be ignored by GitHub Actions and causing your build to fail. In those cases, use the registry-username input instead. |
-| `provenance-registry-password` | Password when publishing to provenance registry instead of image registry. |
+| Name | Description |
+| ------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `image` | The OCI image name. This must not include a tag or digest. Either `image` input or `image` secret is **required**. Secret `image` value takes precedence on `image` input value. 
Should be used in scenarios when the image name contains secret values, and therefore can't be provided directly. Use case - an undisclosed private registry use. |
+| `registry-username` | Username to log in the container registry. Either `registry-username` input or `registry-username` secret is required. This should only be used for high entropy values such as AWS Access Key as described [here](https://github.com/docker/login-action#aws-elastic-container-registry-ecr). Normal username values could match other input values and cause them to be ignored by GitHub Actions and causing your build to fail. In those cases, use the `registry-username` input instead. |
+| `registry-password` | **(Required)** Password to log in the container registry. |
+| `provenance-registry-username` | Username when publishing to provenance registry (option 'provenance-registry') instead of image registry. Either `provenance-registry-username` input or `provenance-registry-username` secret is required. This should only be used for high entropy values such as AWS Access Key as described [here](https://github.com/docker/login-action#aws-elastic-container-registry-ecr). Normal username values could match other input values and cause them to be ignored by GitHub Actions and causing your build to fail. In those cases, use the registry-username input instead. |
+| `provenance-registry-password` | Password when publishing to provenance registry instead of image registry. |
 ### Workflow Outputs
diff --git a/internal/builders/docker/README.md b/internal/builders/docker/README.md
index 0214aef892..2a83fcf231 100644
--- a/internal/builders/docker/README.md
+++ b/internal/builders/docker/README.md
@@ -225,16 +225,16 @@ workflow](https://github.com/slsa-framework/slsa-github-generator/blob/main/.git
 The `buildDefinition` contains the following fields:
-| Name | Value | Description |
-| --------------------------------------------- | ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `buildType` | `"https://slsa.dev/container-based-build/v0.1?draft"` | Identifies the container-based build type. |
-| `externalParameters.source` | `slsa.ResourceDescriptor` | An artifact reference specifying the location of the source repository. |
-| `externalParameters.builderImage` | `slsa.ResourceDescriptor` | An artifact reference specifying the container base image used to build the artifacts. |
-| `externalParameters.configPath` | `".github/configs-docker/config.toml"` | The location of the configuration file, relative to the root of the source repository. |
-| `externalParameters.buildConfig` | JSON object | An object describing the build configuration. |
-| `externalParameters.buildConfig.ArtifactPath` | `"dist/**"` | The path describing the output artifacts to attest to and upload. |
-| `externalParameters.buildConfig.Command` | `"["npm", "run", "all"]"` | The build command invoked in the container image to produce the output artifacts. |
-| `externalParameters.resolvedDependencies` | `slsa.ResourceDescriptor` | Contains the artifact reference specifying the resolved source and the binary used by the reusable workflow to build the artifact and generate the build definition. See the [CLI tool](#command-line-tool) below. 
|
+| Name | Value | Description |
+| --------------------------------------------- | ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `buildType` | `"https://slsa.dev/container-based-build/v0.1?draft"` | Identifies the container-based build type. |
+| `externalParameters.source` | `slsa.ResourceDescriptor` | An artifact reference specifying the location of the source repository. |
+| `externalParameters.builderImage` | `slsa.ResourceDescriptor` | An artifact reference specifying the container base image used to build the artifacts. |
+| `externalParameters.configPath` | `".github/configs-docker/config.toml"` | The location of the configuration file, relative to the root of the source repository. |
+| `externalParameters.buildConfig` | JSON object | An object describing the build configuration. |
+| `externalParameters.buildConfig.ArtifactPath` | `"dist/**"` | The path describing the output artifacts to attest to and upload. |
+| `externalParameters.buildConfig.Command` | `"["npm", "run", "all"]"` | The build command invoked in the container image to produce the output artifacts. |
+| `externalParameters.resolvedDependencies` | `slsa.ResourceDescriptor` | Contains the artifact reference specifying the resolved source and the binary used by the reusable workflow to build the artifact and generate the build definition. See the [CLI tool](#command-line-tool) below. |
 The [CLI tool](#command-line-tool) described in `externalParameters.resolvedDependencies` contains the `uri` of the source that was used to build the artifact (from this GitHub repository). The `digest` referes to the cryptographic digest of the built binary. 
Using this information, a verifier may download the source artifact from the GitHub releases inferred by the URI and verify its digest.
@@ -308,7 +308,7 @@ as an [in-toto](https://in-toto.io/) statement with a SLSA predicate.
 "GITHUB_WORKFLOW_REF": "asraa/slsa-on-github-test/.github/workflows/go-builder.yml@refs/heads/main",
 "GITHUB_WORKFLOW_SHA": "c35e20e93ad5465899c12ce71cd6253d6e28fb15",
 "GITHUB_BASE_REF": "",
- "GITHUB_EVENT_PAYLOAD": {},
+ "GITHUB_EVENT_PAYLOAD": {}
 }
 },
 "runDetails": {
diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
index e0d9671aa7..8b485001ac 100644
--- a/internal/builders/generic/README.md
+++ b/internal/builders/generic/README.md
@@ -274,10 +274,10 @@ The [generic workflow](https://github.com/slsa-framework/slsa-github-generator/b
 The [generic workflow](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_generic_slsa3.yml) produces the following outputs:
-| Name | Description |
-| ------------------ | ----------------------------------------------------------------------------------------------- |
-| `provenance-name` | The artifact name of the signed provenance. |
-| `outcome` | If `continue-on-error` is `true`, will contain the outcome of the run (`success` or `failure`). |
+| Name | Description |
+| ----------------- | ----------------------------------------------------------------------------------------------- |
+| `provenance-name` | The artifact name of the signed provenance. |
+| `outcome` | If `continue-on-error` is `true`, will contain the outcome of the run (`success` or `failure`). |
 ### Provenance Format
@@ -1425,11 +1425,11 @@ matrix strategy), there are a few more caveats to consider:
 terminator even on Windows:
 ```yaml
- - run: git config --global core.autocrlf input
- # Alternatively, also force line endings for every file
- # - run: |
- # git config --global core.eol lf
- # git config --global core.autocrlf input
+ - run: git config --global core.autocrlf input
+ # Alternatively, also force line endings for every file
+ # - run: |
+ # git config --global core.eol lf
+ # git config --global core.autocrlf input
 ```
 The other complexity arises from the fact that the utilities used to compute the
@@ -1448,11 +1448,11 @@ behaviors across the operating systems:
 One way to merge all these differences is to use the bash `||` operator:
 ```yaml
- - id: hash
- run: |
- set -euo pipefail
- (sha256sum -t release_artifact_${{ runner.os }} || shasum -a 256 release_artifact_${{ runner.os }}) > checksum
- echo "hash-${{ matrix.os }}=$(base64 -w0 checksum || base64 checksum)" >> "${GITHUB_OUTPUT}"
+- id: hash
+ run: |
+ set -euo pipefail
+ (sha256sum -t release_artifact_${{ runner.os }} || shasum -a 256 release_artifact_${{ runner.os }}) > checksum
+ echo "hash-${{ matrix.os }}=$(base64 -w0 checksum || base64 checksum)" >> "${GITHUB_OUTPUT}"
 ```
 Thus, to generate a single provenance for artifacts built on all 3 operating
@@ -1573,14 +1573,13 @@ jobs:
 with:
 base64-subjects: "${{ needs.combine_hashes.outputs.hashes }}"
 upload-assets: true # NOTE: This does nothing unless 'upload-tag-name' parameter is also set to an existing tag
-
 ```
 ## Known Issues
 ### Skip output 'hashes' since it may contain secret
-The GitHub Actions runner sometimes masks the job output if it potentially contains a secret. One solution is to use the ``base64-subjects-as-file`` option to pass the artifact hashes using an existing file instead. See the instructions [here](#getting-started) to use the ``base64-subjects-as-file`` option.
+The GitHub Actions runner sometimes masks the job output if it potentially contains a secret. One solution is to use the `base64-subjects-as-file` option to pass the artifact hashes using an existing file instead. See the instructions [here](#getting-started) to use the `base64-subjects-as-file` option.
 ### 'internal error' when using `upload-assets`
diff --git a/internal/builders/go/pkg/testdata/release-invalid-dir.yml b/internal/builders/go/pkg/testdata/release-invalid-dir.yml
index 87da47b140..ae40cf4fc4 100644
--- a/internal/builders/go/pkg/testdata/release-invalid-dir.yml
+++ b/internal/builders/go/pkg/testdata/release-invalid-dir.yml
@@ -27,4 +27,4 @@ goarch: amd64
 dir: /not/relative/
 binary: binary-{{ .OS }}-{{ .Arch }}
 ldflags:
- - '{{ .Env.VERSION_LDFLAGS }}'
+ - "{{ .Env.VERSION_LDFLAGS }}"
diff --git a/internal/builders/go/pkg/testdata/releaser-valid-dir.yml b/internal/builders/go/pkg/testdata/releaser-valid-dir.yml
index 2c3a6a2186..a372ca912b 100644
--- a/internal/builders/go/pkg/testdata/releaser-valid-dir.yml
+++ b/internal/builders/go/pkg/testdata/releaser-valid-dir.yml
@@ -27,4 +27,4 @@ goarch: amd64
 dir: ./path/to/dir
 binary: binary-{{ .OS }}-{{ .Arch }}
 ldflags:
- - '{{ .Env.VERSION_LDFLAGS }}'
+ - "{{ .Env.VERSION_LDFLAGS }}" 
diff --git a/internal/builders/go/testdata/invalid-main.yml b/internal/builders/go/testdata/invalid-main.yml
index e8656f0f1f..148dc18e1b 100644
--- a/internal/builders/go/testdata/invalid-main.yml
+++ b/internal/builders/go/testdata/invalid-main.yml
@@ -27,4 +27,4 @@ goos: linux
 goarch: amd64
 binary: binary-{{ .Os }}-{{ .Arch }}
 ldflags:
- - 'something-{{ .Env.ELSE }}'
+ - "something-{{ .Env.ELSE }}"
diff --git a/internal/builders/go/testdata/one-ldflags.yml b/internal/builders/go/testdata/one-ldflags.yml
index b6d09c0bc0..5e8173c59e 100644
--- a/internal/builders/go/testdata/one-ldflags.yml
+++ b/internal/builders/go/testdata/one-ldflags.yml
@@ -26,4 +26,4 @@ goos: linux
 goarch: amd64
 binary: binary-{{ .Os }}-{{ .Arch }}
 ldflags:
- - 'something-{{ .Env.ELSE }}'
+ - "something-{{ .Env.ELSE }}"
diff --git a/internal/builders/go/testdata/two-ldflags-emptyenv.yml b/internal/builders/go/testdata/two-ldflags-emptyenv.yml
index b603d253b3..fabbadefb7 100644
--- a/internal/builders/go/testdata/two-ldflags-emptyenv.yml
+++ b/internal/builders/go/testdata/two-ldflags-emptyenv.yml
@@ -23,5 +23,5 @@ goos: linux
 goarch: amd64
 binary: binary-{{ .Os }}-{{ .Arch }}
 ldflags:
- - '{{ .Env.VERSION_LDFLAGS }}'
- - 'something-{{ .Env.ELSE }}'
+ - "{{ .Env.VERSION_LDFLAGS }}"
+ - "something-{{ .Env.ELSE }}"
diff --git a/internal/builders/go/testdata/two-ldflags-emptyflags.yml b/internal/builders/go/testdata/two-ldflags-emptyflags.yml
index d404929f1b..2aa9dbdfde 100644
--- a/internal/builders/go/testdata/two-ldflags-emptyflags.yml
+++ b/internal/builders/go/testdata/two-ldflags-emptyflags.yml
@@ -20,10 +20,9 @@ env:
 flags:
-
 goos: linux
 goarch: amd64
 binary: binary-{{ .Os }}-{{ .Arch }}
 ldflags:
- - '{{ .Env.VERSION_LDFLAGS }}'
- - 'something-{{ .Env.ELSE }}'
+ - "{{ .Env.VERSION_LDFLAGS }}"
+ - "something-{{ .Env.ELSE }}"
diff --git a/internal/builders/go/testdata/two-ldflags-noenv.yml b/internal/builders/go/testdata/two-ldflags-noenv.yml
index 10d3e64408..c0d3fdbaed 100644 
--- a/internal/builders/go/testdata/two-ldflags-noenv.yml
+++ b/internal/builders/go/testdata/two-ldflags-noenv.yml
@@ -22,5 +22,5 @@ goos: linux
 goarch: amd64
 binary: binary-{{ .Os }}-{{ .Arch }}
 ldflags:
- - '{{ .Env.VERSION_LDFLAGS }}'
- - 'something-{{ .Env.ELSE }}'
+ - "{{ .Env.VERSION_LDFLAGS }}"
+ - "something-{{ .Env.ELSE }}"
diff --git a/internal/builders/go/testdata/two-ldflags-noflags.yml b/internal/builders/go/testdata/two-ldflags-noflags.yml
index 90b22d3972..1b2c220fe2 100644
--- a/internal/builders/go/testdata/two-ldflags-noflags.yml
+++ b/internal/builders/go/testdata/two-ldflags-noflags.yml
@@ -22,5 +22,5 @@ goos: linux
 goarch: amd64
 binary: binary-{{ .Os }}-{{ .Arch }}
 ldflags:
- - '{{ .Env.VERSION_LDFLAGS }}'
- - 'something-{{ .Env.ELSE }}'
+ - "{{ .Env.VERSION_LDFLAGS }}"
+ - "something-{{ .Env.ELSE }}"
diff --git a/internal/builders/go/testdata/two-ldflags.yml b/internal/builders/go/testdata/two-ldflags.yml
index 03022fd05f..bfc6e4ccd2 100644
--- a/internal/builders/go/testdata/two-ldflags.yml
+++ b/internal/builders/go/testdata/two-ldflags.yml
@@ -26,5 +26,5 @@ goos: linux
 goarch: amd64
 binary: binary-{{ .Os }}-{{ .Arch }}
 ldflags:
- - '{{ .Env.VERSION_LDFLAGS }}'
- - 'something-{{ .Env.ELSE }}'
+ - "{{ .Env.VERSION_LDFLAGS }}"
+ - "something-{{ .Env.ELSE }}"
diff --git a/internal/builders/go/testdata/valid-main.yml b/internal/builders/go/testdata/valid-main.yml
index e907357c7c..a07854782b 100644
--- a/internal/builders/go/testdata/valid-main.yml
+++ b/internal/builders/go/testdata/valid-main.yml
@@ -27,5 +27,5 @@ goos: linux
 goarch: amd64
 binary: binary-{{ .Os }}-{{ .Arch }}
 ldflags:
- - '{{ .Env.VERSION_LDFLAGS }}'
- - 'something-{{ .Env.ELSE }}'
+ - "{{ .Env.VERSION_LDFLAGS }}"
+ - "something-{{ .Env.ELSE }}"
diff --git a/internal/builders/go/testdata/valid-working-dir.yml b/internal/builders/go/testdata/valid-working-dir.yml
index 5eb779c948..3b53a33a08 100644
--- a/internal/builders/go/testdata/valid-working-dir.yml 
+++ b/internal/builders/go/testdata/valid-working-dir.yml
@@ -28,5 +28,5 @@ goos: linux
 goarch: amd64
 binary: binary-{{ .Os }}-{{ .Arch }}
 ldflags:
- - '{{ .Env.VERSION_LDFLAGS }}'
- - 'something-{{ .Env.ELSE }}'
+ - "{{ .Env.VERSION_LDFLAGS }}"
+ - "something-{{ .Env.ELSE }}"
diff --git a/internal/builders/gradle/README.md b/internal/builders/gradle/README.md
index f9331f5ea7..ceac6a0a23 100644
--- a/internal/builders/gradle/README.md
+++ b/internal/builders/gradle/README.md
@@ -114,11 +114,9 @@ tasks.named("build") {
 This, for example, will move `./app1/build/` and `./app2/build/` to `./build/app1/` and `./build/app2/`. You must then alter your input to `artifact-list`.
 ```yaml
-...
- artifact-list: >-
- ./build/app1/libs/app.jar,
- ./build/app2/libs/app.jar,
-...
+artifact-list: >-
+ ./build/app1/libs/app.jar,
+ ./build/app2/libs/app.jar,
 ```
 ### Private Repositories