feat: update ref #1086

Merged
merged 5 commits into from
Oct 20, 2022
36 changes: 22 additions & 14 deletions .github/actions/README.md
@@ -1,29 +1,37 @@
# Internal Action Development

## Internal Actions
Although the Actions are hosted on the same repository, we consider them "external": they are not called via:
## External Actions
The following Actions:
- detect-workflow
- privacy-check
- rng
- secure-builder-checkout
- generate-builder

are considered "external" even though they are hosted on the same repository: they are not called via:

```././github/actions/name```

but instead via their "fully-qualified" name:

```slsa-framework/slsa-github-generator/.github/actions/name@hash```.
```slsa-framework/slsa-github-generator/.github/actions/name@vX.Y.Z```.

We do this because the Actions are part of the builder, whereas the workflow runs in the "context" of the calling repository.

## Checkout Rules
Actions that are called with a copy of the calling repository on disk (`actions/checkout` for the calling repository)
should *NEVER* "checkout" the builder's repository, because it creates interference with the calling repository
and is difficult to get right.

In particular, *composite actions* need should not invoke script files stored in the git repository. Only inline scripts are permitted under these rules.
These Action *MUST* be pinned with the release tag for consistency.

## Internal Actions

Other Actions are called via:

```././github/actions/name```

In general, Actions that need to "checkout" their code should use [Dockerfile](https://docs.github.com/en/actions/creating-actions/creating-a-docker-container-action) or [nodejs](https://docs.github.com/en/actions/creating-actions/creating-a-javascript-action)-type projects "compiled" with [ncc](https://docs.github.com/en/actions/creating-actions/creating-a-javascript-action#commit-tag-and-push-your-action-to-github). An example of such an Action
is the `./github/actions/detect-workflow` Action.
and always require a checkout of the builder repository before being called.
The `secure-builder-checkout` is always used to checkout the builder repository
at `__BUILDER_CHECKOUT_DIR__` location. The `secure-project-checkout-*` checkout
the project to build at the location `__PROJECT_CHECKOUT_DIR__`.

There is one exception today: the `./github/actions/generate-builder` Action. It "checkouts" its own code and is allowed to do it
because it does so in a job that never "checkouts" the calling repository. (Note: the code will be migrated to
a Dockerfile or nodejs-type projects in the future).
These Actions are *composite actions*. They invoke scripts and also call other Actions.

## Development

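Review bot: the fully-qualified example now reads `slsa-framework/slsa-github-generator/.github/actions/name@vX.Y.Z` and the text says these Actions MUST be pinned with the release tag, yet every workflow touched in this PR pins them with a full commit hash (`@923a5a249d2ea820614a80486c9ef0857ced5321`). Either the README should describe the hash pin as what is checked in (with the tag substituted at release time, if that is the process) or the discrepancy should be explained, because a tag can be moved to a different commit while a hash cannot, and a reader following the README literally would end up with the weaker pin. Minor wording in the same hunk: "These Action *MUST*" should be "These Actions *MUST*", and "The `secure-project-checkout-*` checkout the project" reads better as "The `secure-project-checkout-*` Actions check out the project".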
20 changes: 10 additions & 10 deletions .github/workflows/builder_go_slsa3.yml
@@ -112,7 +112,7 @@ jobs:
steps:
- name: Generate builder binary
id: generate
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@923a5a249d2ea820614a80486c9ef0857ced5321
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
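Review bot: this bump from `d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e` to `923a5a249d2ea820614a80486c9ef0857ced5321` is repeated for every `generate-builder` and `secure-builder-checkout` reference across the five workflow files in this PR, and the visible hunks all use the same new value. Before merging, confirm the new hash resolves to the intended commit of slsa-framework/slsa-github-generator, since a pinned hash is only as trustworthy as the review of the commit it points at. The `ref:` input is still taken from `needs.detect-env.outputs.ref` and is unchanged.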
@@ -145,7 +145,7 @@ jobs:
needs: [privacy-check, builder, rng]
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
@@ -176,8 +176,8 @@ jobs:

# Note: this outputs information about resolved arguments, etc.
# the values are trusted because the compiler is not invoked.
echo "../$BUILDER_BINARY" build --dry "$CONFIG_FILE" "$UNTRUSTED_ENVS"
"../$BUILDER_BINARY" build --dry "$CONFIG_FILE" "$UNTRUSTED_ENVS"
echo "$GITHUB_WORKSPACE/$BUILDER_BINARY" build --dry "$CONFIG_FILE" "$UNTRUSTED_ENVS"
"$GITHUB_WORKSPACE/$BUILDER_BINARY" build --dry "$CONFIG_FILE" "$UNTRUSTED_ENVS"

###################################################################
# #
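Review bot: replacing `../$BUILDER_BINARY` with `$GITHUB_WORKSPACE/$BUILDER_BINARY` removes the implicit assumption that the step's working directory sits exactly one level below the workspace, which is the right direction given the `working-directory` changes elsewhere in the PR. The step that downloads `$BUILDER_BINARY` is not in this hunk, so please confirm it places the binary directly in `$GITHUB_WORKSPACE` (not in a subdirectory), otherwise the dry-run invocation will fail with a not-found error at run time.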
Expand All @@ -191,7 +191,7 @@ jobs:
needs: [privacy-check, builder, build-dry, rng]
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
@@ -241,12 +241,12 @@ jobs:
# Disable set-output command.
echo "::stop-commands::`echo -n ${{ github.token }} | sha256sum | head -c 64`"

echo "../$BUILDER_BINARY" build "$CONFIG_FILE" "$UNTRUSTED_ENVS"
echo "$GITHUB_WORKSPACE/$BUILDER_BINARY" build "$CONFIG_FILE" "$UNTRUSTED_ENVS"
# Note: We need to provide the asbolute path to the output binary.
export OUTPUT_BINARY="$PWD/${{ env.GENERATED_BINARY_NAME }}"
../"$BUILDER_BINARY" build "$CONFIG_FILE" "$UNTRUSTED_ENVS"
"$GITHUB_WORKSPACE/$BUILDER_BINARY" build "$CONFIG_FILE" "$UNTRUSTED_ENVS"

mv "${{ env.GENERATED_BINARY_NAME }}" "../$UNTRUSTED_BINARY_NAME"
mv "${{ env.GENERATED_BINARY_NAME }}" "$GITHUB_WORKSPACE/$UNTRUSTED_BINARY_NAME"

- name: Upload generated binary
id: upload
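Review bot: `OUTPUT_BINARY` is still built from `$PWD` while the builder invocation and the `mv` destination two lines below now use `$GITHUB_WORKSPACE`; if `$PWD` is intentionally the project checkout directory, a short comment saying so would stop the next reader from "fixing" it to match. The `mv` destination `$GITHUB_WORKSPACE/$UNTRUSTED_BINARY_NAME` is composed from a user-controlled name and this hunk does not show where that name is validated, so confirm the builder rejects values containing path separators before this step runs. Typo in the comment: "asbolute" should be "absolute".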
Expand All @@ -272,7 +272,7 @@ jobs:
go-provenance-sha256: ${{ steps.sign-prov.outputs.signed-provenance-sha256 }}
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
@@ -330,7 +330,7 @@ jobs:
if: startsWith(github.ref, 'refs/tags/') && inputs.upload-assets == true
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
21 changes: 13 additions & 8 deletions .github/workflows/builder_node_slsa3.yml
@@ -172,7 +172,7 @@ jobs:
steps:
- name: Generate builder
id: generate
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@923a5a249d2ea820614a80486c9ef0857ced5321
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
@@ -203,7 +203,7 @@ jobs:
needs: [privacy-check, builder, rng]
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
Expand All @@ -229,33 +229,36 @@ jobs:
set-executable: true

- name: Download dependencies
working-directory: __PROJECT_CHECKOUT_DIR__
env:
UNTRUSTED_CI_ARGUMENTS: "${{ inputs.ci-arguments }}"
UNTRUSTED_DIR: ${{ inputs.directory }}"
run: |
set -euo pipefail

# npm ci <args>
./"$BUILDER_BINARY" ci \
"$GITHUB_WORKSPACE/$BUILDER_BINARY" ci \
--ci-arguments "$UNTRUSTED_CI_ARGUMENTS" \
--directory "$UNTRUSTED_DIR"

# TODO(hermeticity) Enable OS-level hermeticity.

- name: Build project
working-directory: __PROJECT_CHECKOUT_DIR__
env:
UNTRUSTED_RUN_SCRIPTS: "${{ inputs.run-scripts }}"
UNTRUSTED_DIR: ${{ inputs.directory }}"
run: |
set -euo pipefail

# npm run <args>
./"$BUILDER_BINARY" run \
"$GITHUB_WORKSPACE/$BUILDER_BINARY" run \
--run-scripts "$UNTRUSTED_RUN_SCRIPTS" \
--directory "$UNTRUSTED_DIR"

- name: Create tarball
id: tarball
working-directory: __PROJECT_CHECKOUT_DIR__
env:
UNTRUSTED_DIR: ${{ inputs.directory }}"
run: |
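Review bot: in all three steps of this hunk the env value is rendered as `UNTRUSTED_DIR: ${{ inputs.directory }}"`, with a trailing `"` and no opening one, unlike `UNTRUSTED_CI_ARGUMENTS: "${{ inputs.ci-arguments }}"` directly above it. YAML reads that as a plain scalar, so after expression substitution the literal quote becomes part of `$UNTRUSTED_DIR` and is passed through to `--directory`. These are unchanged context lines, but since this PR adds `working-directory: __PROJECT_CHECKOUT_DIR__` to the same three steps, it is the right moment to change them to `UNTRUSTED_DIR: "${{ inputs.directory }}"`.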
Expand All @@ -268,7 +271,7 @@ jobs:
# files and their hashes, so that we can identify the new file without the need to parse
# the manifest.json.
# echo "npm pack --pack-destination="./out"
./"$BUILDER_BINARY" pack \
"$GITHUB_WORKSPACE/$BUILDER_BINARY" pack \
--directory "$UNTRUSTED_DIR"

# cp output into upper folder to make the tarball accessible to
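Review bot: with the step now running under `working-directory: __PROJECT_CHECKOUT_DIR__` and invoking `$GITHUB_WORKSPACE/$BUILDER_BINARY`, the comment "cp output into upper folder" would be clearer if it named the destination explicitly (`$GITHUB_WORKSPACE`), so that the copy matches the absolute-path convention the rest of this PR introduces. Cosmetic: the commented-out `# echo "npm pack --pack-destination="./out"` has unbalanced quotes.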
@@ -299,7 +302,7 @@ jobs:
node-provenance-sha256: ${{ steps.sign-prov.outputs.signed-provenance-sha256 }}
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
@@ -356,7 +359,7 @@ jobs:
needs: [build, provenance]
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
Expand All @@ -371,6 +374,7 @@ jobs:
token: ${{ inputs.token }}
always-auth: ${{ inputs.always-auth }}
registry-url: ${{ inputs.registry-url }}
path: __PROJECT_CHECKOUT_DIR__

- name: Download binary
uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/secure-download-artifact
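Review bot: the new `path: __PROJECT_CHECKOUT_DIR__` input is passed next to `token`, `always-auth` and `registry-url`; confirm the Action receiving it actually declares a `path` input, because GitHub Actions only emits an "Unexpected input(s)" warning for an undeclared input and otherwise ignores it, which would leave the project checked out in the default location while the later steps now assume `working-directory: __PROJECT_CHECKOUT_DIR__`.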
Expand All @@ -395,12 +399,13 @@ jobs:
set-executable: true

- name: Publish
working-directory: __PROJECT_CHECKOUT_DIR__
env:
UNTRUSTED_PUBLISH_ARGUMENTS: "${{ inputs.publish-arguments }}"
run: |
set -euo pipefail

# echo "npm publish ${{ inputs.publish-arguments }}"
./"$BUILDER_BINARY" publish \
"$GITHUB_WORKSPACE/$BUILDER_BINARY" publish \
--publish-arguments "$UNTRUSTED_PUBLISH_ARGUMENTS" \
--directory "$UNTRUSTED_DIR"
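Review bot: the Publish step passes `--directory "$UNTRUSTED_DIR"` but its `env:` block only defines `UNTRUSTED_PUBLISH_ARGUMENTS`, whereas the ci, run and pack steps each set `UNTRUSTED_DIR` themselves; with `set -euo pipefail`, an unset `UNTRUSTED_DIR` fails the step under `-u` unless it is defined at job or workflow level, which this hunk does not show. Suggest adding `UNTRUSTED_DIR: "${{ inputs.directory }}"` to this step's `env:` so the four builder invocations are consistent.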
2 changes: 1 addition & 1 deletion .github/workflows/generator_container_slsa3.yml
@@ -91,7 +91,7 @@ jobs:
packages: write # Needed to login and upload attestations to ghcr.io.
steps:
- name: Generate builder
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@923a5a249d2ea820614a80486c9ef0857ced5321
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
4 changes: 2 additions & 2 deletions .github/workflows/generator_generic_slsa3.yml
@@ -108,7 +108,7 @@ jobs:
actions: read # Needed to read workflow info.
steps:
- name: Generate builder
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@923a5a249d2ea820614a80486c9ef0857ced5321
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
@@ -169,7 +169,7 @@ jobs:
if: startsWith(github.ref, 'refs/tags/') && inputs.upload-assets == true
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@d4dfd59f2bae3c72eb8a499f13a12ee75d8df14e
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@923a5a249d2ea820614a80486c9ef0857ced5321
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"