fix: add source to container-based predicate's resolveddependencies & fix internalParams #2183

Merged
merged 4 commits into from
May 29, 2023

@asraa asraa commented May 26, 2023

Fixes #2182

This ensures that the source dependency comes first in the list of resolved dependencies. This way, the verifier can identify the correct source.

This will fix the container based e2e tests.

Also took the opportunity to clean up the predicate's internal parameters - no more github runner or other invalid fields.

…ource dep

Signed-off-by: Asra Ali <asraa@google.com>
asraa added 2 commits May 26, 2023 11:01
Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Asra Ali <asraa@google.com>
@laurentsimon laurentsimon left a comment

LGTM overall. I'm curious why we need an annotation if the buildType always adds it as the first resolvedDependencies instead.

asraa commented May 26, 2023

> LGTM overall. I'm curious why we need an annotation if the buildType always adds it as the first resolvedDependencies instead.

We can do that, but is that too brittle? The resolved dependencies is explicitly supposed to be an unordered collection according to the SLSA spec.

Signed-off-by: Asra Ali <asraa@google.com>

revert script

Signed-off-by: Asra Ali <asraa@google.com>
@asraa asraa changed the title fix: add source annotations to container-based predicate's resolveddependencies fix: add source to container-based predicate's resolveddependencies & fix internalParams May 26, 2023
asraa commented May 26, 2023

Per resolution offline, let's keep uniformly as first resolvedDeps until we have a universal solution.
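
The trade-off discussed in this thread, as an added example (not code from slsa-github-generator or its verifier): a check that takes the first `resolvedDependencies` entry as the source, next to one that looks for a marked entry regardless of order. The annotation key `example.com/source`, the function names and the sample entries are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ResourceDescriptor holds the SLSA v1 resolvedDependencies fields used here.
type ResourceDescriptor struct {
	URI         string            `json:"uri"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

// Hypothetical annotation key and constructed entries, in both possible orders.
const (
	sourceKey   = "example.com/source"
	gitDep      = `{"uri":"git+https://github.com/example/repo","annotations":{"example.com/source":"true"}}`
	imageDep    = `{"uri":"docker.io/example/builder"}`
	SourceFirst = "[" + gitDep + "," + imageDep + "]"
	ImageFirst  = "[" + imageDep + "," + gitDep + "]"
)

// SourceByPosition applies the positional convention: the first entry is the source.
func SourceByPosition(raw string) (string, error) {
	var deps []ResourceDescriptor
	if err := json.Unmarshal([]byte(raw), &deps); err != nil || len(deps) == 0 {
		return "", fmt.Errorf("no usable resolvedDependencies (parse error: %v)", err)
	}
	return deps[0].URI, nil
}

// SourceByAnnotation ignores order and requires exactly one marked entry.
func SourceByAnnotation(raw string) (string, error) {
	var deps, found []ResourceDescriptor
	err := json.Unmarshal([]byte(raw), &deps)
	for _, d := range deps {
		if d.Annotations[sourceKey] == "true" {
			found = append(found, d)
		}
	}
	if err != nil || len(found) != 1 {
		return "", fmt.Errorf("want exactly 1 source entry, got %d (parse error: %v)", len(found), err)
	}
	return found[0].URI, nil
}

func main() {
	fmt.Println(SourceByPosition(ImageFirst))   // reordered list: first entry is the image
	fmt.Println(SourceByAnnotation(ImageFirst)) // marked entry is still found
}
```

The positional check is only as reliable as the generator's ordering guarantee, so a verifier that relies on it should pair it with a test that fails if the generator ever emits the source anywhere but first.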

@asraa asraa merged commit 1579332 into slsa-framework:main May 29, 2023
laurentsimon pushed a commit to laurentsimon/slsa-github-generator that referenced this pull request Jun 1, 2023
… fix internalParams (slsa-framework#2183)

Fixes
slsa-framework#2182

This ensures that the source dependency comes first in the list of
resolved dependencies. This way, the verifier can identify the correct
source.

This will fix the container based e2e tests.

Also took the opportunity to clean up the predicate's internal
parameters - no more github runner or other invalid fields.

---------

Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>