Provenance v1: allow arbitrary JSON for params, refine github-actions-workflow #582
Signed-off-by: Mark Lodato <lodato@google.com>
Based on feedback, generalize `externalParameters` and `systemParameters` to allow arbitrary JSON objects rather than only specific types. This makes it easier to represent real-world systems. It also avoids the need for the extra layer of `artifactRef`, `scalarValue`, etc., which was awkward.

This necessitated the removal of the "artifact reference" type of parameter, which combined the actual parameter (usually represented as a URI) with the resolved digest of the artifact that the parameter pointed to. Now the resolved digest is moved to `resolvedDependencies` (with the URI repeated there to allow joining with the parameters). The impetus for the removal was that there was no good way to represent the concept of an artifact reference parameter, but upon further reflection, the removal actually seems to simplify things.

Also expand the guidance for BuildDefinition.

Signed-off-by: Mark Lodato <lodato@google.com>
Thanks for this nice change. Is the colour coding for the diagram in
No, it's not documented. I was wondering when someone would call me on this. 😄 This is what I was thinking, though I'd like a more rigorous approach if anyone has ideas:
I think the changes in this PR are generally going to be quite helpful and agree that they simplify the provenance format.
- Restrict to specific event types that we've analyzed as meeting the model.
- Clarify documentation.
- Rename `workflow` to `workflowPath` to be unambiguous.

Signed-off-by: Mark Lodato <lodato@google.com>
Thanks for clarifying. This looks good to me. Perhaps this legend could be added to a corner of the image, and then we can iterate on it later. As an idea for a future improvement, I think it would be nice to clarify how the diagram and particularly the "Build Process" relate to the
Great points! I filed #593 to track since it will take some time and it's a bit orthogonal to the original intent of this PR.
Hey all, I would like to submit this ASAP so that we can continue to iterate. Any approvals would be appreciated. I'm happy to make small fixes and corrections, but any other significant change I'd like to defer via a TODO so that this PR gets unblocked. Thanks!
Also remove the TODOs about base_ref and head_ref - they are now irrelevant since we no longer support pull request events. Signed-off-by: Mark Lodato <lodato@google.com>
Good work all!
One minor comment (can be resolved later). The section on how to migrate from the 0.2 format still relies on `externalParameters` such as `entryPoint` and `source`, which are not covered any more here.
Sorry for the late comments.
Thanks for making this change.
Thanks, everyone! Tons of great contributions! I'll send out more PRs to address the TODOs and iterate on the design.
This should have been changed in slsa-framework#582. Signed-off-by: Mark Lodato <lodato@google.com>
This PR refines the provenance v1 schema and the accompanying github-actions-workflow buildType, based on feedback.
Allow arbitrary JSON for params

Generalize `externalParameters` and `systemParameters` to allow arbitrary JSON objects rather than only specific types. This makes it easier to represent real-world systems. It also avoids the need for the extra layer of `artifactRef`, `scalarValue`, etc., which was awkward.

This necessitated the removal of the "artifact reference" type of parameter, which combined the actual parameter (usually represented as a URI) with the resolved digest of the artifact that the parameter pointed to. Now the resolved digest is moved to `resolvedDependencies` (with the URI repeated there to allow joining with the parameters). The impetus for the removal was that there was no good way to represent the concept of an artifact reference parameter, but upon further reflection, the removal actually seems to simplify things.

Refine github-actions-workflow

Limit to specific event types for which we have fully analyzed the semantics, and add new external parameters for deployment and release events.

Replace the `source` and `workflow` fields with a tuple of `repository`, `ref`, and `path`. This is hopefully easier for everyone to understand and use correctly. It comes at the cost of making it harder to join with `resolvedDependencies`, but this seems like a worthwhile tradeoff.

Expand the documentation to reduce ambiguity.

Other changes

Expand the guidance for BuildDefinition.
Preview links
https://deploy-preview-582--slsa.netlify.app/provenance/v1/
https://deploy-preview-582--slsa.netlify.app/github-actions-workflow/v0.1/
/cc @feelepxyz @ianlewis @tiziano88 @mlieberman85 @asraa @TomHennen @kommendorkapten @rbehjati @jagathprakash @laurentsimon @marcelamelara @joshuagl @trishankatdatadog
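An added example, not code from this PR or the SLSA project, showing the shape the description above arrives at: parameters as arbitrary JSON, digests moved into `resolvedDependencies` with the URI repeated, and the join between the two that the text mentions (including a parameter whose digest was never recorded). The nesting of the `repository`/`ref`/`path` tuple, the `<repository>@<ref>` URI form used as the join key, and all sample values are assumptions.

```python
# Added example (not PR/SLSA code): constructed v1 buildDefinition in the shape
# the PR describes, plus the parameter <-> resolvedDependencies join. Assumed:
# nesting of the repository/ref/path tuple, "<repository>@<ref>" URI form, sample values.
SAMPLE_BUILD_DEFINITION = {  # constructed, not a real build
    "externalParameters": {  # arbitrary JSON, no artifactRef/scalarValue layer
        "workflow": {  # assumed nesting of the tuple replacing source/workflow
            "repository": "https://github.com/example-org/example-repo",
            "ref": "refs/heads/main",
            "path": ".github/workflows/build.yml",
        },
        "inputs": {
            "config": "https://example.invalid/build-config.tar.gz",
            "toolchain": "https://example.invalid/toolchain.tgz",  # digest missing
        },
    },
    "systemParameters": {"github": {"event_name": "push"}},
    "resolvedDependencies": [  # digests live here; URI repeated for joining
        {"uri": "https://github.com/example-org/example-repo@refs/heads/main",
         "digest": {"gitCommit": "a" * 40}},  # constructed digest
        {"uri": "https://example.invalid/build-config.tar.gz",
         "digest": {"sha256": "b" * 64}},  # constructed digest
    ],
}

def string_leaves(value, path=""):
    """Yield (dotted path, string) for every string leaf of arbitrary JSON."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from string_leaves(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from string_leaves(v, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value

def workflow_uri(external_params):
    """Assumed join key for the workflow tuple: '<repository>@<ref>'."""
    wf = external_params.get("workflow", {})
    return f'{wf["repository"]}@{wf["ref"]}' if "repository" in wf and "ref" in wf else None

def join_parameters(build_def):
    """Split URI-valued parameters into those with a recorded digest and those without."""
    digests = {d["uri"]: d.get("digest", {}) for d in build_def.get("resolvedDependencies", [])}
    params = build_def.get("externalParameters", {})
    candidates = [(p, v) for p, v in string_leaves(params)
                  if "://" in v and not p.startswith("workflow.")]
    if (wf := workflow_uri(params)) is not None:
        candidates.append(("workflow", wf))
    joined = {p: digests[v] for p, v in candidates if v in digests}
    unresolved = [p for p, v in candidates if v not in digests]
    return joined, unresolved
```

A verifier would treat a non-empty `unresolved` list as a gap in the provenance: the build consumed something by reference but the producer never pinned what it resolved to.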