[feature] Update the provenance format in the docker-based generator #1566
Comments
Thanks for this issue! I was just thinking about this. OK if I make this update? I'm also thinking when in-toto is ready to make a PR we can probably move the definitions here upstream. Only still confused about the For generated proto, it uses interfaces -- so something like that can work, but I'd like to not introduce proto runtimes into the deps
Yes. Sure. Thanks :)
I don't have any experience with using protobufs in Go myself, but had a chat with @tiziano88, and his suggestion was that if interoperability with other languages and services is needed, then code generation from protobuf is preferable. But I agree with you about runtime dependencies. Is it possible to start with a hand-written definition and replace it with auto-generated code in the future if there is need for it?
Continuing our discussion about Looking at slsa-framework/slsa#582, one thing is unclear to me. Do we have to use I assume not, since the proposed structure is missing important fields. With that assumption, the new

```go
// DockerBasedBuilderParameters is the struct that we use as the type of system_parameters in the BuildDefinition.
type DockerBasedBuilderParameters struct {
	// The source GitHub repo
	Source ArtifactReference `json:"source"`
	// The Docker builder image
	BuilderImage ArtifactReference `json:"builderImage"`
	// The inputs to the workflow as described in https://docs.github.com/en/actions/learn-github-actions/contexts#inputs-context
	Inputs WorkFlowInputs `json:"inputs,omitempty"`
	// Unpacked build config parameters
	Config BuildConfig `json:"buildConfig"`
}

type WorkFlowInputs struct {
	// The URI of the Docker builder image.
	BuilderImage string `json:"builderImage"`
	// The digest of the Docker builder image, of the form '<alg>:<digest>'.
	BuilderDigest string `json:"builderDigest"`
	// Path to a configuration file relative to the root of the repository.
	ConfigPath string `json:"configPath"`
	// Whether to build the builder from source.
	CompileBuilder bool `json:"compileBuilder"`
	// Whether the source repository is private.
	PrivateRepository bool `json:"privateRepository"`
}

// ArtifactReference is the same struct defined in https://github.com/slsa-framework/slsa/pull/582
// BuildConfig is defined in https://github.com/slsa-framework/slsa-github-generator/blob/77395259ff7f705e2578f4552b79d90c06f49554/internal/builders/docker/pkg/config.go#L30
```
@asraa This is my suggestion, and I hope it is helpful :) Please feel free to suggest changes or corrections. I am particularly not attached to the naming :) In particular, I think we'd want to add fields for workflow path and github context as well. We might want to include these in system parameters though. The definition of
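As an added example (not code from this issue or from slsa-github-generator), the proposed struct marshalled the way a provenance consumer would read it under systemParameters. ArtifactReference and BuildConfig are assumed stand-ins (the real ones live in the links above) and WorkFlowInputs is trimmed to two fields; the example also shows that encoding/json's omitempty never drops a struct-valued field, so inputs is always emitted, and includes a check for the string-encoded command problem referenced from #1547.

```go
package main

import "encoding/json"

// ArtifactReference: assumed shape following slsa-framework/slsa#582 (uri plus digest set).
type ArtifactReference struct {
	URI    string            `json:"uri"`
	Digest map[string]string `json:"digest"`
}

// BuildConfig: assumed stand-in for the docker builder's unpacked config file.
type BuildConfig struct {
	Command      []string `json:"command"`
	ArtifactPath string   `json:"artifactPath"`
}

// WorkFlowInputs is abbreviated to two of the fields listed in the comment above.
type WorkFlowInputs struct {
	ConfigPath     string `json:"configPath"`
	CompileBuilder bool   `json:"compileBuilder"`
}

// DockerBasedBuilderParameters as proposed above, JSON tags unchanged.
type DockerBasedBuilderParameters struct {
	Source       ArtifactReference `json:"source"`
	BuilderImage ArtifactReference `json:"builderImage"`
	Inputs       WorkFlowInputs    `json:"inputs,omitempty"`
	Config       BuildConfig       `json:"buildConfig"`
}

// EncodeSystemParameters marshals the parameters and decodes them into a generic map: the view a verifier gets under systemParameters.
func EncodeSystemParameters(p DockerBasedBuilderParameters) (map[string]any, error) {
	raw, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	var m map[string]any
	err = json.Unmarshal(raw, &m)
	return m, err
}

// CommandIsArray reports whether buildConfig.command is a real JSON array rather than a string holding JSON (the #1547 encoding problem).
func CommandIsArray(m map[string]any) bool {
	cfg, ok := m["buildConfig"].(map[string]any)
	if !ok {
		return false
	}
	_, isArr := cfg["command"].([]any)
	return isArr
}
```

Because omitempty is ignored for struct fields, a zero-valued WorkFlowInputs still appears as an inputs object; use a pointer type if the intent is to leave it out.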
Describe the solution you'd like

The current provenance format does not quite comply with SLSA provenance v1.0. The following changes are needed.

- input
- mapValue (see fix: Unpack config file in BuildDefinition #1547 (comment))
- command is encoded as a JSON string (see fix: Unpack config file in BuildDefinition #1547 (comment))

Additional context

See also