Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Record the vars context. #3622

Closed
wants to merge 14 commits into from
Closed

feat: Record the vars context. #3622

wants to merge 14 commits into from

Conversation

ianlewis
Copy link
Member

@ianlewis ianlewis commented May 13, 2024
edited
Loading

Summary

Records the GitHub vars context in the SLSA invocation in all generators and builders.

generic generator, container generator, Go builder

The vars context is passed to the "builder" binary as a JSON blob via the GITHUB_VARS environment variable. The values are then recorded in the invocation.parameters.vars field of the provenance predicate. Masking of inputs or vars is not supported.

BYOB

The vars context is converted to JSON and passed to setup-generic by the TRW in the same way that the inputs context is added. Vars are then recorded in the SLSA token. Individual vars can be masked from the provenance as well via the slsa-masked-vars field in the same way as inputs.

verify-token reads the vars from the SLSA token and includes them in the final provenance.

Note that changes to the TRW are necessary to record the vars context.

TODO:

  • Record vars in generic generator (actions run , test release)
  • Record vars in container generator
  • Record vars in Go builder
  • Support recording vars in BYOB
  • Record vars in npm builder
  • Record vars in maven builder
  • Record vars in gradle builder
  • Record vars in bazel builder
  • Document changes for TRWs

Updates #1555

Testing Process

  • Add how to test.

Checklist

@ianlewis ianlewis changed the title Record the vars context. feat: Record the vars context. May 13, 2024
@ianlewis
Record the vars context.
f52b686 
Records the GitHub vars context in the SLSA invocation in the generic,
container, and Go builders.

Signed-off-by: Ian Lewis <[email protected]>
@ianlewis ianlewis force-pushed the 1555-feature-report-variables-in-provenance branch from 12b659b to f52b686 Compare May 13, 2024 05:30
@ianlewis
Update changelog
c5de749 
Signed-off-by: Ian Lewis <[email protected]>
@ianlewis
Add vars to parameters for BYOB
ae35d06 
Signed-off-by: Ian Lewis <[email protected]>
@ianlewis
Update changelog TOC
d9a2a58 
Signed-off-by: Ian Lewis <[email protected]>
@ianlewis
Add workflow vars to SLSA token
634d9f4 
Signed-off-by: Ian Lewis <[email protected]>
@ianlewis
Add vars to SLSA token interface
7abf263 
Signed-off-by: Ian Lewis <[email protected]>
@ianlewis
Update verify-token tests
f5ab60e 
Signed-off-by: Ian Lewis <[email protected]>
@ianlewis
update dist
d4c86e1 
Signed-off-by: Ian Lewis <[email protected]>
@ianlewis
Update inputs
d5eb004 
Signed-off-by: Ian Lewis <[email protected]>
@ianlewis
Mask vars
21ff9ab 
Signed-off-by: Ian Lewis <[email protected]>
@ianlewis
Copy link
Member Author

Probably can split this into two PRs. One for the generic generator, container generator, and Go builder. One for BYOB and BYOB workflows. Each PR wouldn't really depend on the other.

@ianlewis
Copy link
Member Author

Requiring changes to TRW inputs isn't ideal. Currently we need the TRW to pass the vars context to setup-generic because JavaScript actions don't have access to the vars context like they do for inputs (inputs are set to environment variables but vars aren't).

I wonder if I could create a wrap the current action in a composite action to get access to the vars context without needing it to be passed in an input.

@ianlewis
Copy link
Member Author

ianlewis commented May 14, 2024
edited
Loading

I wonder if I could create a wrap the current action in a composite action to get access to the vars context without needing it to be passed in an input.

Looks like this won't work since the vars context isn't available to composite actions. I guess it's only available in workflows.

@ianlewis
Copy link
Member Author

Breaking up this PR into multiple PRs. First of which is #3633 for the generic generator, container generator, and Go builder.

@ianlewis
Copy link
Member Author

Recording vars for BYOB implemented in #3636. Closing this PR.

@ianlewis ianlewis closed this May 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@laurentsimon laurentsimon Awaiting requested review from laurentsimon laurentsimon will be requested when the pull request is marked ready for review laurentsimon is a code owner

@joshuagl joshuagl Awaiting requested review from joshuagl joshuagl will be requested when the pull request is marked ready for review joshuagl is a code owner

@kpk47 kpk47 Awaiting requested review from kpk47 kpk47 will be requested when the pull request is marked ready for review kpk47 is a code owner

@ramonpetgrave64 ramonpetgrave64 Awaiting requested review from ramonpetgrave64 ramonpetgrave64 will be requested when the pull request is marked ready for review ramonpetgrave64 is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ianlewis