slsa-framework · ianlewis · May 13, 2024 · May 14, 2024 · May 14, 2024 · May 14, 2024
@@ -0,0 +1,114 @@
+# Copyright 2023 SLSA Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: generic setup
+
+description: "Create a SLSA token for the delegated generic workflows"
+
+inputs:
+  slsa-version:
+    description: "The version of SLSA provenance format to output."
+    required: false
+    default: "v1.0"
+
+  slsa-workflow-recipient:
+    description: >
+      The workflow filename that this token is intended for.
+
+      Example: delegator_generic_slsa3.yml
+    type: string
+    required: true
+
+  slsa-rekor-log-public:
+    description: "If true, private repositories can post to the public transparency log."
+    required: false
+    type: boolean
+    default: false
+
+  slsa-build-action-path:
+    description: >
+      The action path to invoke, from the root of the repository where this action is invoked
+      Example: ./actions/build-artifacts'
+    type: string
+    required: true
+
+  slsa-checkout-sha1:
+    description: "The git commit to checkout the repository."
+    required: false
+
+  slsa-runner-label:
+    description: >
+      The runner label to run the callback Action (`slsa-build-action-path`) on.
+    type: choice
+    options:
+      - ubuntu-latest
+    required: true
+
+  slsa-checkout-fetch-depth:
+    # Same argument to https://github.com/actions/checkout.
+    description: "Number of commits to fetch. 0 indicates all history for all branches and tags."
+    required: false
+    default: 1
+
+  slsa-workflow-inputs:
+    description: >
+      A JSON object containing the inputs to the Tool Reusable Workflow (TRW).
+      The inputs will be recorded in the provenance as the builder's inputs and
+      passed to the tool's build Action.
+
+      Note: The TRW is the reusable workflow calling this Action.
+    type: string
+    required: true
+
+  slsa-workflow-masked-inputs:
+    description: >
+      A comma-separated list of input fields to mask in the provenance.
+      It should be used for fields that have low-entropy values
+      but need to be kept private. The masking will replace
+      the value of the fields with '***'. Use this option to mask
+      usernames, emails or other PII inputs.
+
+      Example: field1, field2, field3
+    type: string
+    required: false
+
+  slsa-vars:
+    description: >
+      A JSON object containing the vars to the Tool Reusable Workflow (TRW).
+      The vars will be recorded in the provenance as the builder's inputs and
+      passed to the tool's build Action.
+
+      Note: The TRW is the reusable workflow calling this Action.
+    type: string
+    required: true
+
+  slsa-masked-vars:
+    description: >
+      A comma-separated list of vars to mask in the provenance.
+      It should be used for fields that have low-entropy values
+      but need to be kept private. The masking will replace
+      the value of the fields with '***'. Use this option to mask
+      usernames, emails or other PII vars.
+
+      Example: var1, var2, var3
+    type: string
+    required: false
+
+outputs:
+  slsa-token:
+    description: "SLSA token"
+
+runs:
+  using: "node20"
+  main: "dist/index.js"
@@ -82,22 +82,36 @@ function run() {
             const checkoutDepth = core.getInput("slsa-checkout-fetch-depth");
             const checkoutSha1 = core.getInput("slsa-checkout-sha1");
             const buildArtifactsActionPath = core.getInput("slsa-build-action-path");
-            const workflowsInputsMask = core.getInput("slsa-workflow-masked-inputs");
-            // The workflow inputs are represented as a JSON object theselves.
+            // The workflow inputs are represented as a JSON object (inputs context).
             const workflowsInputsText = core.getInput("slsa-workflow-inputs");
+            const workflowsInputsMask = core.getInput("slsa-workflow-masked-inputs");
+            // The workflow vars are represented as a JSON object (vars context).
+            const workflowsVarsText = core.getInput("slsa-vars");
+            const workflowsVarsMask = core.getInput("slsa-masked-vars");
             // Log the inputs for troubleshooting.
             core.debug(`workflowsInputsText: ${workflowsInputsText}`);
             core.debug(`workfowInputs: `);
             const workflowInputs = JSON.parse(workflowsInputsText);
-            const workflowInputsMap = new Map(Object.entries(workflowInputs));
-            for (const [key, value] of workflowInputsMap) {
-                core.info(` ${key}: ${value}`);
+            for (const key in workflowInputs) {
+                core.info(` ${key}: ${workflowInputs[key]}`);
             }
-            const workflowMaskedInputs = getMaskedInputs(workflowsInputsMask);
+            const workflowMaskedInputs = parseCSV(workflowsInputsMask);
             core.info(`maskedInputs: `);
             for (const value of workflowMaskedInputs) {
                 core.info(` ${value}`);
             }
+            // Log the vars for troubleshooting.
+            core.debug(`workflowsVarsText: ${workflowsVarsText}`);
+            core.debug(`workfowVars: `);
+            const workflowVars = JSON.parse(workflowsVarsText);
+            for (const key in workflowVars) {
+                core.info(` ${key}: ${workflowVars[key]}`);
+            }
+            const workflowMaskedVars = parseCSV(workflowsVarsMask);
+            core.info(`maskedVars: `);
+            for (const value of workflowMaskedVars) {
+                core.info(` ${value}`);
+            }
             const payload = JSON.stringify(github.context.payload, undefined, 2);
             core.debug(`The event payload: ${payload}`);
             // Construct an unsigned SLSA token.
@@ -151,6 +165,8 @@ function run() {
                     },
                     inputs: workflowInputs,
                     masked_inputs: workflowMaskedInputs,
+                    vars: workflowVars,
+                    masked_vars: workflowMaskedVars,
                 },
             };
             // Prepare the base64 unsigned token.
@@ -182,11 +198,10 @@ function run() {
         }
     });
 }
-function getMaskedInputs(inputsStr) {
+function parseCSV(csvText) {
     const ret = [];
-    const inputArr = inputsStr.split(",");
-    for (const input of inputArr) {
-        ret.push(input.trim());
+    for (const part of csvText.split(",")) {
+        ret.push(part.trim());
     }
     return ret;
 }

@@ -43,25 +43,43 @@ async function run(): Promise<void> {
     const checkoutDepth = core.getInput("slsa-checkout-fetch-depth");
     const checkoutSha1 = core.getInput("slsa-checkout-sha1");
     const buildArtifactsActionPath = core.getInput("slsa-build-action-path");
-    const workflowsInputsMask = core.getInput("slsa-workflow-masked-inputs");
-    // The workflow inputs are represented as a JSON object theselves.
+
+    // The workflow inputs are represented as a JSON object (inputs context).
     const workflowsInputsText = core.getInput("slsa-workflow-inputs");
+    const workflowsInputsMask = core.getInput("slsa-workflow-masked-inputs");
+
+    // The workflow vars are represented as a JSON object (vars context).
+    const workflowsVarsText = core.getInput("slsa-vars");
+    const workflowsVarsMask = core.getInput("slsa-masked-vars");
 
     // Log the inputs for troubleshooting.
     core.debug(`workflowsInputsText: ${workflowsInputsText}`);
     core.debug(`workfowInputs: `);
     const workflowInputs = JSON.parse(workflowsInputsText);
-    const workflowInputsMap = new Map(Object.entries(workflowInputs));
-    for (const [key, value] of workflowInputsMap) {
-      core.info(` ${key}: ${value}`);
+    for (const key in workflowInputs) {
+      core.info(` ${key}: ${workflowInputs[key]}`);
     }
 
-    const workflowMaskedInputs = getMaskedInputs(workflowsInputsMask);
+    const workflowMaskedInputs = parseCSV(workflowsInputsMask);
     core.info(`maskedInputs: `);
     for (const value of workflowMaskedInputs) {
       core.info(` ${value}`);
     }
 
+    // Log the vars for troubleshooting.
+    core.debug(`workflowsVarsText: ${workflowsVarsText}`);
+    core.debug(`workfowVars: `);
+    const workflowVars = JSON.parse(workflowsVarsText);
+    for (const key in workflowVars) {
+      core.info(` ${key}: ${workflowVars[key]}`);
+    }
+
+    const workflowMaskedVars = parseCSV(workflowsVarsMask);
+    core.info(`maskedVars: `);
+    for (const value of workflowMaskedVars) {
+      core.info(` ${value}`);
+    }
+
     const payload = JSON.stringify(github.context.payload, undefined, 2);
     core.debug(`The event payload: ${payload}`);
 
@@ -118,6 +136,8 @@ async function run(): Promise<void> {
         },
         inputs: workflowInputs,
         masked_inputs: workflowMaskedInputs,
+        vars: workflowVars,
+        masked_vars: workflowMaskedVars,
       },
     };
 
@@ -151,11 +171,10 @@ async function run(): Promise<void> {
   }
 }
 
-function getMaskedInputs(inputsStr: string): string[] {
+function parseCSV(csvText: string): string[] {
   const ret = [];
-  const inputArr = inputsStr.split(",");
-  for (const input of inputArr) {
-    ret.push(input.trim());
+  for (const part of csvText.split(",")) {
+    ret.push(part.trim());
   }
   return ret;
 }