Haskell provenance (slsa-framework#595)
* Add provenance for Haskell.

Allows using either Stack or Cabal build tools

Tested via example repo
([Cabal](https://github.com/mihaimaruseac/slsa-lvl3-generic-provenance-in-haskell-example/blob/v0.0.1.1/.github/workflows/ci.yaml),
[Stack](https://github.com/mihaimaruseac/slsa-lvl3-generic-provenance-in-haskell-example/blob/v0.0.1.0/.github/workflows/ci.yaml)).

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Fix off-by-one counting errors

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Remove trailing whitespace

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Remove the build id step as it is not needed

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Update README.md

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
mihaimaruseac and laurentsimon committed Jul 20, 2022
1 parent 1d7962b commit 0f97cca
85 changes: 77 additions & 8 deletions internal/builders/generic/README.md
@@ -29,6 +29,7 @@ project simply generates provenance as a separate step in an existing workflow.
- [Provenance for Bazel](#provenance-for-bazel)
- [Provenance for Java](#provenance-for-java)
- [Provenance for Rust](#provenance-for-rust)
- [Provenance for Haskell](#provenance-for-haskell)

---

@@ -351,7 +352,7 @@ jobs:
### Provenance for Bazel
If you use [Bazel](https://bazel.build/) to generate your artifacts, you can
easily generate SLSA3 provenance by updating your existing workflow with the 4
easily generate SLSA3 provenance by updating your existing workflow with the 5
steps indicated in the workflow below:
```yaml
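Review bot: the count change from 4 to 5 cannot be verified from this hunk, because the numbered Step comments of the Bazel workflow sit outside the shown context; please confirm that the comments in the fenced block below actually run from Step 1 through Step 5. Two other sections in this same commit are being renumbered (Step 4 to Step 3, Step 5 to Step 4), which shows how easily a hard-coded count in the prose drifts from the code; the new Haskell section avoids the problem with "updating your existing workflow with the steps indicated in the workflow below", and this Bazel sentence could use the same wording.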
@@ -462,7 +463,7 @@ jobs:
run: |
# Your normal build workflow targets here
mvn clean package
# ======================================================
#
# Step 3: Save the location of the maven output files
@@ -484,7 +485,7 @@ jobs:
id: hash
run: |
echo "::set-output name=hashes::$(sha256sum ${{ steps.build.outputs.artifact_pattern }} | base64 -w0)"
- name: Upload build artifacts
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
with:
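Review bot: only a blank line is removed here, but since this step is being touched, the `Generate subject` script should begin with `set -euo pipefail`, as the Haskell step added later in this commit does. Without `pipefail`, a failing `sha256sum` inside `$(sha256sum ${{ steps.build.outputs.artifact_pattern }} | base64 -w0)` leaves the pipeline's exit status to `base64`, which succeeds on empty input, so `hashes` is silently set to an empty string and the provenance job is invoked with no subjects instead of this step failing the build.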
@@ -541,7 +542,7 @@ jobs:
# ========================================================
#
# Step 4: Add a step to generate the provenance subjects
# Step 3: Add a step to generate the provenance subjects
# as shown below. Update the sha256 sum arguments
# to include all binaries that you generate
# provenance for.
@@ -553,7 +554,7 @@ jobs:
id: hash
run: |
echo "::set-output name=hashes::$(sha256sum ./build/libs/* | base64 -w0)"
- name: Upload build artifacts
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
with:
@@ -563,7 +564,7 @@ jobs:

# =========================================================
#
# Step 5: Call the generic workflow to generate provenance
# Step 4: Call the generic workflow to generate provenance
# by declaring the job below.
#
# =========================================================
@@ -616,7 +617,7 @@ jobs:
# ========================================================
#
# Step 4: Add a step to generate the provenance subjects
# Step 3: Add a step to generate the provenance subjects
# as shown below. Update the sha256 sum arguments
# to include all binaries that you generate
# provenance for.
@@ -631,7 +632,75 @@ jobs:
# =========================================================
#
# Step 5: Call the generic workflow to generate provenance
# Step 4: Call the generic workflow to generate provenance
# by declaring the job below.
#
# =========================================================
provenance:
needs: [build]
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: true # Optional: Upload to a new release
```
### Provenance for Haskell
If you use [Haskell](https://www.haskell.org/) (either via
[`cabal`](https://www.haskell.org/cabal/) or
[`stack`](https://docs.haskellstack.org/en/stable/README/)) to generate your
artifacts, you can easily generate SLSA3 provenance by updating your existing
workflow with the steps indicated in the workflow below.

```yaml
jobs:
build:
# ==================================================
#
# Step 1: Declare an `outputs` for the hashes to be
# used during the provenance steps.
#
# ==================================================
outputs:
hashes: ${{ steps.hash.outputs.hashes }}

[...]

steps:
[...]
- name: Build using Haskell
run: |
# Your normal build workflow targets here.
cabal build # or stack build
# Copy the binary to the root directory for easier reference
# For Cabal, use the following command
cp $(cabal list-bin .) .
# For Stack, use the following command instead
# cp $(stack path --local-install-root)/bin/target_binary .
# ========================================================
#
# Step 2: Add a step to generate the provenance subjects
# as shown below. Update the sha256 sum arguments
# to include all binaries that you generate
# provenance for.
#
# ========================================================
- name: Generate subject
id: hash
run: |
set -euo pipefail
echo "::set-output name=hashes::$(sha256sum target_binary | base64 -w0)"
# =========================================================
#
# Step 3: Call the generic workflow to generate provenance
# by declaring the job below.
#
# =========================================================
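Review bot: the `Generate subject` step hashes a literal `target_binary`, but the Cabal variant a few lines above copies whatever `cabal list-bin .` resolves to, so the file name passed to `sha256sum` is only right if the package's executable component happens to be called `target_binary`; the Stack variant names it explicitly, the Cabal variant does not. Since `target_binary` is a placeholder the reader must substitute, the comment should say so (the existing "Update the sha256 sum arguments" note covers the hash line but not the `cp` lines), and the Cabal line should name the component too, e.g. `cp $(cabal list-bin exe:target_binary) .`, so that all three occurrences are visibly the same token to replace. The `set -euo pipefail` in this step is the right call: a mismatched name then fails the step instead of producing an empty `hashes` output, and the Maven/Gradle/Rust hash steps elsewhere in this file would benefit from the same line.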