Skip to content

feat: Record the vars context. #3622

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ianlewis wants to merge 14 commits into from
Closed

feat: Record the vars context. #3622

ianlewis wants to merge 14 commits into from

Conversation

@ianlewis
Copy link
Member

@ianlewis ianlewis commented May 13, 2024
edited
Loading

Summary

Records the GitHub vars context in the SLSA invocation in all generators and builders.

generic generator, container generator, Go builder

The vars context is passed to the "builder" binary as a JSON blob via the GITHUB_VARS environment variable. The values are then recorded in the invocation.parameters.vars field of the provenance predicate. Masking of inputs or vars is not supported.

BYOB

The vars context is converted to JSON and passed to setup-generic by the TRW in the same way that the inputs context is added. Vars are then recorded in the SLSA token. Individual vars can be masked from the provenance as well via the slsa-masked-vars field in the same way as inputs.

verify-token reads the vars from the SLSA token and includes them in the final provenance.

Note that changes to the TRW are necessary to record the vars context.

TODO:

  • Record vars in generic generator (actions run , test release)
  • Record vars in container generator
  • Record vars in Go builder
  • Support recording vars in BYOB
  • Record vars in npm builder
  • Record vars in maven builder
  • Record vars in gradle builder
  • Record vars in bazel builder
  • Document changes for TRWs

Updates #1555

Testing Process

  • Add how to test.

Checklist

@ianlewis ianlewis changed the title Record the vars context. feat: Record the vars context. May 13, 2024
@ianlewis
Record the vars context.
f52b686 
Records the GitHub vars context in the SLSA invocation in the generic,
container, and Go builders.

Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis ianlewis force-pushed the 1555-feature-report-variables-in-provenance branch from 12b659b to f52b686 Compare May 13, 2024 05:30
ianlewis added 9 commits May 14, 2024 05:49
@ianlewis
Update changelog
c5de749 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
Add vars to parameters for BYOB
ae35d06 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
Update changelog TOC
d9a2a58 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
Add workflow vars to SLSA token
634d9f4 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
Add vars to SLSA token interface
7abf263 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
Update verify-token tests
f5ab60e 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
update dist
d4c86e1 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
Update inputs
d5eb004 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
Mask vars
21ff9ab 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
Copy link
Member Author

ianlewis commented May 14, 2024

Probably can split this into two PRs. One for the generic generator, container generator, and Go builder. One for BYOB and BYOB workflows. Each PR wouldn't really depend on the other.

@ianlewis
Copy link
Member Author

ianlewis commented May 14, 2024

Requiring changes to TRW inputs isn't ideal. Currently we need the TRW to pass the vars context to setup-generic because JavaScript actions don't have access to the vars context like they do for inputs (inputs are set to environment variables but vars aren't).

I wonder if I could create a wrap the current action in a composite action to get access to the vars context without needing it to be passed in an input.

ianlewis and others added 4 commits May 14, 2024 19:49
@ianlewis
Wrap setup-generic
1fb6921 
Signed-off-by: Ian Lewis <ianmlewis@gmail.com>
@ianlewis
update path
f630f46 
Signed-off-by: Ian Lewis <ianmlewis@gmail.com>
@ianlewis
Merge branch 'main' into 1555-feature-report-variables-in-provenance
79944e8
@ianlewis
test
ff1a10b 
Signed-off-by: Ian Lewis <ianmlewis@gmail.com>
@ianlewis
Copy link
Member Author

ianlewis commented May 14, 2024
edited
Loading

I wonder if I could create a wrap the current action in a composite action to get access to the vars context without needing it to be passed in an input.

Looks like this won't work since the vars context isn't available to composite actions. I guess it's only available in workflows.

@ianlewis
Copy link
Member Author

ianlewis commented May 14, 2024

Breaking up this PR into multiple PRs. First of which is #3633 for the generic generator, container generator, and Go builder.

@ianlewis
Copy link
Member Author

ianlewis commented May 15, 2024

Recording vars for BYOB implemented in #3636. Closing this PR.

@ianlewis ianlewis closed this May 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ianlewis