Add documentation for private-repository input (#1165)
* Add documentation for private-repository input

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Fix input table

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Add more extensive docs on private repositories

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Update private-repository input doc

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Add links

Signed-off-by: Ian Lewis <ianlewis@google.com>

Signed-off-by: Ian Lewis <ianlewis@google.com>
ianlewis committed Oct 27, 2022
1 parent d6404fa commit b69172f
Showing 3 changed files with 117 additions and 42 deletions.
38 changes: 32 additions & 6 deletions internal/builders/container/README.md
Expand Up @@ -19,6 +19,7 @@ project simply generates provenance as a separate step in an existing workflow.
- [Generating Provenance](#generating-provenance)
- [Getting Started](#getting-started)
- [Referencing the SLSA generator](#referencing-the-slsa-generator)
- [Private Repositories](#private-repositories)
- [Supported Triggers](#supported-triggers)
- [Workflow Inputs](#workflow-inputs)
- [Provenance Format](#provenance-format)
Expand Down Expand Up @@ -149,13 +150,37 @@ jobs:
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
```
### Referencing the SLSA generator
At present, the generator **MUST** be referenced
by a tag of the form `@vX.Y.Z`, because the build will fail if you reference it via a shorter tag like `@vX.Y` or `@vX` or if you reference it by a hash.

For more information about this design decision and how to configure renovatebot,see the main repository [README.md](../../../README.md).

### Private Repositories

Private repositories are supported with some caveats. Currently all builds
generate and post a new entry in the public
[Rekor](https://github.com/sigstore/rekor) API server instance at
rekor.sigstore.dev. This entry includes the repository name. This will cause the
private repository name to leak and be discoverable via the public Rekor API
server.

If this is ok with you, you can set the `private-repository` flag in order to
opt in to publishing to the public Rekor instance from a private repository.

```yaml
with:
private-repository: true
```

If you do not set this flag then private repositories will generate an error in
order to prevent leaking repository name information.

Support for private transparency log instances that would not leak repository
name information is tracked on [issue #372](https://github.com/slsa-framework/slsa-github-generator/issues/372).

### Supported Triggers

The following [GitHub trigger events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows) are fully supported and tested:
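Review bot: the new Private Repositories section calls `private-repository` a "flag" while the inputs table in this same file lists it as an input; use "input" in both places so readers can find it in the table. The section also understates the consequence of opting in: since it already says every build posts a new entry to the public Rekor instance, state plainly that with `private-repository: true` the repository name is written to that public log on every build, not once, and that leaving it unset is the safe default (the error described in "If you do not set this flag ..." is the protection). A suggested lead for that paragraph: "Opting in publishes your repository name to the public transparency log for every build that uses this workflow."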
Expand All @@ -177,12 +202,13 @@ The [container workflow](https://github.com/slsa-framework/slsa-github-generator

Inputs:

| Name | Required | Description |
| ------------------- | -------- | --------------------------------------------------------------------------------------------------- |
| `image` | yes | The OCI image name. This must not include a tag or digest. |
| `digest` | yes | The OCI image digest. The image digest of the form '<algorithm>:<digest>' (e.g. 'sha256:abcdef...') |
| `registry-username` | yes | Username to log into the container registry. |
| `compile-generator` | false | Whether to build the generator from source. This increases build time by ~2m. |
| Name | Required | Default | Description |
| -------------------- | -------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `image` | yes | | The OCI image name. This must not include a tag or digest. |
| `digest` | yes | | The OCI image digest. The image digest of the form '<algorithm>:<digest>' (e.g. 'sha256:abcdef...') |
| `registry-username` | yes | | Username to log into the container registry. |
| `compile-generator` | false | false | Whether to build the generator from source. This increases build time by ~2m. |
| `private-repository` | no | false | Set to true to opt-in to posting to the public transparency log. Will generate an error if false for private repositories. This input has no effect for public repositories. See [Private Repositories](#private-repositories). |

Secrets:

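Review bot: the `compile-generator` row still has `false` in the Required column while every other row, including the new `private-repository` row, uses yes/no; since this hunk rewrites the row, change it to `no` so the column is consistent. The `digest` description also repeats itself ("The OCI image digest. The image digest of the form ..."); "The OCI image digest, of the form '<algorithm>:<digest>' (e.g. 'sha256:abcdef...')" reads cleaner.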
39 changes: 32 additions & 7 deletions internal/builders/generic/README.md
Expand Up @@ -19,6 +19,7 @@ project simply generates provenance as a separate step in an existing workflow.
- [Generating Provenance](#generating-provenance)
- [Getting Started](#getting-started)
- [Referencing the SLSA generator](#referencing-the-slsa-generator)
- [Private Repositories](#private-repositories)
- [Supported Triggers](#supported-triggers)
- [Workflow Inputs](#workflow-inputs)
- [Workflow Outputs](#workflow-outputs)
Expand Down Expand Up @@ -81,7 +82,7 @@ provenance:
base64-subjects: "${{ needs.build.outputs.hashes }}"
```
**Note**: Make sure that you reference the generator with a semantic version of the form `@vX.Y.Z`.
**Note**: Make sure that you reference the generator with a semantic version of the form `@vX.Y.Z`.
More information [here](/README.md#referencing-slsa-builders-and-generators).

Here's an example of what it might look like all together.
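Review bot: the removed and added `**Note**` lines read identically, so this hunk is a whitespace-only change (most likely trailing whitespace); confirm it is intentional and, if it is, say so in the commit message, otherwise drop it so the documentation commit contains only the private-repository changes it describes.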
Expand Down Expand Up @@ -170,6 +171,29 @@ by a tag of the form `@vX.Y.Z`, because the build will fail if you reference it

For more information about this design decision and how to configure renovatebot,see the main repository [README.md](../../../README.md).

### Private Repositories

Private repositories are supported with some caveats. Currently all builds
generate and post a new entry in the public
[Rekor](https://github.com/sigstore/rekor) API server instance at
rekor.sigstore.dev. This entry includes the repository name. This will cause the
private repository name to leak and be discoverable via the public Rekor API
server.

If this is ok with you, you can set the `private-repository` flag in order to
opt in to publishing to the public Rekor instance from a private repository.

```yaml
with:
private-repository: true
```

If you do not set this flag then private repositories will generate an error in
order to prevent leaking repository name information.

Support for private transparency log instances that would not leak repository
name information is tracked on [issue #372](https://github.com/slsa-framework/slsa-github-generator/issues/372).

### Supported Triggers

The following [GitHub trigger events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows) are fully supported and tested:
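Review bot: this Private Repositories section is a verbatim copy of the one added to internal/builders/container/README.md in the same commit, and the two copies will drift the next time the Rekor behaviour or the status of issue #372 changes. Consider keeping the full explanation in one place (the main README, which both files already link to for the tag-format guidance in "Referencing the SLSA generator") and leaving a short paragraph plus a link here. Unrelated to this hunk but adjacent to it: the context line "how to configure renovatebot,see" is missing a space after the comma.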
Expand All @@ -189,12 +213,13 @@ issue](https://github.com/slsa-framework/slsa-github-generator/issues/new/choose

The [generic workflow](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_generic_slsa3.yml) accepts the following inputs:

| Name | Required | Default | Description |
| ------------------ | -------- | ----------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `base64-subjects` | yes | | Artifact(s) for which to generate provenance, formatted the same as the output of sha256sum (SHA256 NAME\n[...]) and base64 encoded. The encoded value should decode to, for example: `90f3f7d6c862883ab9d856563a81ea6466eb1123b55bff11198b4ed0030cac86 foo.zip` |
| `upload-assets` | no | false | If true provenance is uploaded to a GitHub release for new tags. |
| `provenance-name` | no | "(subject name).intoto.jsonl" if a single subject. "multiple.intoto.json" if multiple subjects. | The artifact name of the signed provenance. The file must have the `intoto.jsonl` extension. |
| `attestation-name` | no | "(subject name).intoto.jsonl" if a single subject. "multiple.intoto.json" if multiple subjects. | The artifact name of the signed provenance. The file must have the `intoto.jsonl` extension. DEPRECATED: use `provenance-name` instead. |
| Name | Required | Default | Description |
| -------------------- | -------- | ----------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `base64-subjects` | yes | | Artifact(s) for which to generate provenance, formatted the same as the output of sha256sum (SHA256 NAME\n[...]) and base64 encoded. The encoded value should decode to, for example: `90f3f7d6c862883ab9d856563a81ea6466eb1123b55bff11198b4ed0030cac86 foo.zip` |
| `upload-assets` | no | false | If true provenance is uploaded to a GitHub release for new tags. |
| `provenance-name` | no | "(subject name).intoto.jsonl" if a single subject. "multiple.intoto.json" if multiple subjects. | The artifact name of the signed provenance. The file must have the `intoto.jsonl` extension. |
| `attestation-name` | no | "(subject name).intoto.jsonl" if a single subject. "multiple.intoto.json" if multiple subjects. | The artifact name of the signed provenance. The file must have the `intoto.jsonl` extension. DEPRECATED: use `provenance-name` instead. |
| `private-repository` | no | false | Set to true to opt-in to posting to the public transparency log. Will generate an error if false for private repositories. This input has no effect for public repositories. See [Private Repositories](#private-repositories). |

### Workflow Outputs

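Review bot: the `provenance-name` and `attestation-name` rows give a default of "multiple.intoto.json" for multiple subjects, but the description on the same rows says the file must have the `intoto.jsonl` extension; one of the two is wrong and should be corrected while these rows are being rewritten. The `attestation-name` row is marked DEPRECATED yet still documents a default and full description; a one-line "DEPRECATED: use `provenance-name` instead." would make the table easier to scan and avoid duplicating the default that may change.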