fix: provenance build type v2 #6228

Merged (6 commits), Mar 14, 2023

Conversation

bdehamer (Contributor) commented Mar 7, 2023

Various updates to the generated provenance statement:

  • Removes forgeable provenance fields
  • Updates the materials.uri value to include the GITHUB_REF value
  • Updates the entryPoint value to include just the repo-relative path to the initiating workflow:
    github/foo/.github/workflows/publish.yml@refs/heads/main -> .github/workflows/publish.yml
  • Updates the builder.id and buildType fields

bdehamer added 2 commits March 7, 2023 13:00

Commit (signed, Brian DeHamer):
Removes the following env vars from the generated package provenance:
GITHUB_ACTOR_ID, GITHUB_REF_TYPE, and GITHUB_RUN_NUMBER.

Signed-off-by: Brian DeHamer <bdehamer@github.com>

Commit (signed, Brian DeHamer):
Updates the materials.uri value in the package provenance to include the
@ref

Signed-off-by: Brian DeHamer <bdehamer@github.com>
Review comment on lines +13 to +15:

const [workflowPath] = (env.GITHUB_WORKFLOW_REF || '')
  .replace(env.GITHUB_REPOSITORY + '/', '')
  .split('@')
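Review bot: `.replace(env.GITHUB_REPOSITORY + '/', '')` removes the first occurrence of that text anywhere in the string, not only a leading prefix, and when GITHUB_REPOSITORY is unset or empty the pattern becomes `undefined/` or `/`, the latter deleting the first slash of the workflow path. Guarding the strip with `startsWith` (slice the prefix only when it is actually present) and handling a missing GITHUB_REPOSITORY explicitly would make the derived entryPoint robust; a unit test fed the example refs from this thread would also document the expected `.github/workflows/...` output that the reviewer below asks about.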
Contributor commented:

are there tests that explain why this change is needed?

@bdehamer bdehamer force-pushed the bdehamer/provenance-fixup branch from 7cc0fe6 to daea47f Compare March 7, 2023 21:17
bdehamer (Contributor, Author) commented Mar 8, 2023

@feelepxyz thoughts on this last commit which updates the builder.id and buildType

  • builder.id changes from https://github.com/npm/cli@9.4.0 to https://github.com/actions/runner (to be augmented with actual runner type and runner version at some later date)
  • buildType remains the same but we increment the version from v1 to v2 and change the "@" to "/" to ensure URI parseability: https://github.com/npm/cli/gha/v2

wraithgar (Member) commented:

What does a typical GITHUB_WORKFLOW_REF look like?

@bdehamer bdehamer force-pushed the bdehamer/provenance-fixup branch from d938ea9 to 6139ae1 Compare March 10, 2023 22:05
bdehamer (Contributor, Author) commented:

> What does a typical GITHUB_WORKFLOW_REF look like?

The raw GITHUB_WORKFLOW_REF looks something like:

github/package-security/.github/workflows/dump-env.yml@refs/heads/main

and we need to extract just the repo-relative workflow path from that:

.github/workflows/dump-env.yml
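The extraction described above, as an added example that is not part of this PR or of npm/cli's code: a small parser for GITHUB_WORKFLOW_REF that strips the `<owner>/<repo>/` prefix only when it really is the prefix and splits off the ref at the first `@` (the same split the PR uses, which assumes the workflow path itself contains no `@`). The function name and the sample inputs are mine; the sample values are constructed from the refs quoted in this thread.

```javascript
// Added example, not code from npm/cli: derive the repo-relative workflow
// path (and the ref) from GITHUB_WORKFLOW_REF as described in this thread.
// Assumed input shape: "<owner>/<repo>/<path-to-workflow>@<full-ref>".

function parseWorkflowRef (env) {
  const repository = env.GITHUB_REPOSITORY || ''
  const workflowRef = env.GITHUB_WORKFLOW_REF || ''

  // Strip "<owner>/<repo>/" only when it really is the leading prefix.
  // String.replace would match that text anywhere in the string, and with
  // an empty GITHUB_REPOSITORY it would delete the first "/" of the path.
  const prefix = repository ? repository + '/' : ''
  const relative = prefix && workflowRef.startsWith(prefix)
    ? workflowRef.slice(prefix.length)
    : workflowRef

  // The ref is everything after the first "@" (the split the PR uses);
  // this is unambiguous as long as the workflow path contains no "@".
  const at = relative.indexOf('@')
  return at === -1
    ? { workflowPath: relative, ref: '' }
    : { workflowPath: relative.slice(0, at), ref: relative.slice(at + 1) }
}

// Constructed inputs modelled on the values quoted in the thread.
const samples = [
  {
    GITHUB_REPOSITORY: 'github/package-security',
    GITHUB_WORKFLOW_REF: 'github/package-security/.github/workflows/dump-env.yml@refs/heads/main'
  },
  {
    GITHUB_REPOSITORY: 'sigstore/sigstore-js',
    GITHUB_WORKFLOW_REF: 'sigstore/sigstore-js/.github/workflows/publish.yml@refs/tags/v1.0.0'
  },
  // Empty GITHUB_REPOSITORY: nothing is stripped, the path stays intact.
  {
    GITHUB_REPOSITORY: '',
    GITHUB_WORKFLOW_REF: 'octo/repo/.github/workflows/ci.yml@refs/heads/main'
  },
  // Variables missing entirely (e.g. run outside Actions): empty result.
  {}
]

for (const env of samples) {
  console.log(JSON.stringify(parseWorkflowRef(env)))
}
```

The two guards are the difference from a bare `replace`/`split`: the prefix is only removed when it leads the string, and a missing or empty repository variable leaves the path untouched instead of mangling it.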

Commit (signed, Brian DeHamer):
Updates the entryPoint in the generated provenance to contain just the
repo-relative path to the triggering workflow.

Signed-off-by: Brian DeHamer <bdehamer@github.com>

Commit (signed, Brian DeHamer):
Signed-off-by: Brian DeHamer <bdehamer@github.com>
@bdehamer bdehamer force-pushed the bdehamer/provenance-fixup branch from 6139ae1 to 128c542 Compare March 10, 2023 22:13
bdehamer (Contributor, Author) commented:

With these changes, the new provenance statement will look something like:

{
  "_type": "https://in-toto.io/Statement/v0.1",
  "subject": [
    {
      "name": "pkg:npm/sigstore@1.0.0",
      "digest": {
        "sha512": "7bea9f6e7ff37f5fab0b36bf061200fff03099fd2fd696b91d04bc5e4f225eb9fd6e0cadcad54ba980f43fb352a99e8810b4e0abeb5c0ef2cf9108cd1f258b36"
      }
    }
  ],
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "predicate": {
    "buildType": "https://github.com/npm/cli/gha/v2",
    "builder": {
      "id": "https://github.com/actions/runner"
    },
    "invocation": {
      "configSource": {
        "uri": "git+https://github.com/sigstore/sigstore-js@refs/tags/v1.0.0",
        "digest": {
          "sha1": "06528997c3c8ab9f864fad9a3658446aca7fd86d"
        },
        "entryPoint": ".github/workflows/publish.yml"
      },
      "parameters": {},
      "environment": {
        "GITHUB_EVENT_NAME": "release",
        "GITHUB_REF": "refs/tags/v1.0.0",
        "GITHUB_REPOSITORY": "sigstore/sigstore-js",
        "GITHUB_REPOSITORY_ID": "495574555",
        "GITHUB_REPOSITORY_OWNER_ID": "71096353",
        "GITHUB_RUN_ATTEMPT": "1",
        "GITHUB_RUN_ID": "4137028816",
        "GITHUB_SHA": "06528997c3c8ab9f864fad9a3658446aca7fd86d",
        "GITHUB_WORKFLOW_REF": "sigstore/sigstore-js/.github/workflows/publish.yml@refs/tags/v1.0.0",
        "GITHUB_WORKFLOW_SHA": "06528997c3c8ab9f864fad9a3658446aca7fd86d"
      }
    },
    "metadata": {
      "buildInvocationId": "4137028816-1",
      "completeness": {
        "parameters": false,
        "environment": false,
        "materials": false
      },
      "reproducible": false
    },
    "materials": [
      {
        "uri": "git+https://github.com/sigstore/sigstore-js@refs/tags/v1.0.0",
        "digest": {
          "sha1": "06528997c3c8ab9f864fad9a3658446aca7fd86d"
        }
      }
    ]
  }
}
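Consumer-side checks for the statement above, as an added example that is not part of this PR or of npm/cli: it reads the v2 fields this PR sets (buildType, builder.id, a repo-relative entryPoint, a materials.uri that carries the ref) and reports anything that does not fit. The constant names and the cross-field consistency rules are my own reading of the quoted statement, not a published npm verification procedure; the `legacy` object is a constructed copy reshaped to the pre-v2 form described in the thread, to show which checks fire.

```javascript
// Added example, not code from npm/cli or sigstore: consumer-side checks on
// the v2 provenance layout shown above. The expected values are the ones
// this PR sets; the consistency rules are my reading of the fields in the
// quoted statement, not a published npm verification spec.

const PREDICATE_TYPE = 'https://slsa.dev/provenance/v0.2'
const BUILD_TYPE_V2 = 'https://github.com/npm/cli/gha/v2'
const BUILDER_ID = 'https://github.com/actions/runner'
// Environment variables the first commit of this PR drops from provenance.
const REMOVED_ENV = ['GITHUB_ACTOR_ID', 'GITHUB_REF_TYPE', 'GITHUB_RUN_NUMBER']

// Returns a list of problems; an empty list means every check passed.
function checkProvenance (statement) {
  const problems = []
  const p = statement.predicate || {}
  const cfg = (p.invocation && p.invocation.configSource) || {}
  const env = (p.invocation && p.invocation.environment) || {}
  const repo = env.GITHUB_REPOSITORY || ''
  const ref = env.GITHUB_REF || ''

  if (statement.predicateType !== PREDICATE_TYPE) problems.push('unexpected predicateType')
  if (p.buildType !== BUILD_TYPE_V2) problems.push(`buildType ${p.buildType}, expected ${BUILD_TYPE_V2}`)
  if (!p.builder || p.builder.id !== BUILDER_ID) problems.push('unexpected builder.id')

  // entryPoint must be the repo-relative workflow path: no "<owner>/<repo>/"
  // prefix and no "@<ref>" suffix (the pre-v2 form carried both).
  const entry = cfg.entryPoint || ''
  if (!entry || entry.includes('@') || entry.startsWith(repo + '/')) {
    problems.push(`entryPoint is not repo-relative: ${entry}`)
  }
  // ...and it must agree with the workflow ref recorded in the environment.
  const fromWorkflowRef = (env.GITHUB_WORKFLOW_REF || '').replace(repo + '/', '').split('@')[0]
  if (entry && fromWorkflowRef !== entry) problems.push('entryPoint disagrees with GITHUB_WORKFLOW_REF')

  // The source URI must pin both repository and ref, and a material must
  // carry that URI together with the commit that was actually built.
  const expectedUri = `git+https://github.com/${repo}@${ref}`
  if (cfg.uri !== expectedUri) problems.push(`configSource.uri ${cfg.uri}, expected ${expectedUri}`)
  const materials = Array.isArray(p.materials) ? p.materials : []
  if (!materials.some(m => m.uri === expectedUri && m.digest && m.digest.sha1 === env.GITHUB_SHA)) {
    problems.push('no material matches the source ref and GITHUB_SHA')
  }

  // Fields this PR removed must not be present.
  for (const k of REMOVED_ENV) if (k in env) problems.push(`${k} should not be recorded`)

  // buildInvocationId is "<run id>-<attempt>" in the quoted statement.
  const md = p.metadata || {}
  if (md.buildInvocationId !== `${env.GITHUB_RUN_ID}-${env.GITHUB_RUN_ATTEMPT}`) {
    problems.push('buildInvocationId does not match GITHUB_RUN_ID/GITHUB_RUN_ATTEMPT')
  }

  // Every subject needs a well-formed sha512 digest (128 lowercase hex chars).
  for (const s of statement.subject || []) {
    if (!s.digest || !/^[0-9a-f]{128}$/.test(s.digest.sha512 || '')) problems.push(`bad digest for ${s.name}`)
  }
  return problems
}

// The statement quoted above, reduced to the fields the checks read.
const statement = {
  _type: 'https://in-toto.io/Statement/v0.1',
  subject: [{
    name: 'pkg:npm/sigstore@1.0.0',
    digest: { sha512: '7bea9f6e7ff37f5fab0b36bf061200fff03099fd2fd696b91d04bc5e4f225eb9fd6e0cadcad54ba980f43fb352a99e8810b4e0abeb5c0ef2cf9108cd1f258b36' }
  }],
  predicateType: PREDICATE_TYPE,
  predicate: {
    buildType: BUILD_TYPE_V2,
    builder: { id: BUILDER_ID },
    invocation: {
      configSource: {
        uri: 'git+https://github.com/sigstore/sigstore-js@refs/tags/v1.0.0',
        digest: { sha1: '06528997c3c8ab9f864fad9a3658446aca7fd86d' },
        entryPoint: '.github/workflows/publish.yml'
      },
      parameters: {},
      environment: {
        GITHUB_EVENT_NAME: 'release',
        GITHUB_REF: 'refs/tags/v1.0.0',
        GITHUB_REPOSITORY: 'sigstore/sigstore-js',
        GITHUB_RUN_ATTEMPT: '1',
        GITHUB_RUN_ID: '4137028816',
        GITHUB_SHA: '06528997c3c8ab9f864fad9a3658446aca7fd86d',
        GITHUB_WORKFLOW_REF: 'sigstore/sigstore-js/.github/workflows/publish.yml@refs/tags/v1.0.0'
      }
    },
    metadata: { buildInvocationId: '4137028816-1' },
    materials: [{
      uri: 'git+https://github.com/sigstore/sigstore-js@refs/tags/v1.0.0',
      digest: { sha1: '06528997c3c8ab9f864fad9a3658446aca7fd86d' }
    }]
  }
}

// A constructed copy reshaped to the pre-v2 form described in the thread
// (gha@v1 buildType, full workflow ref as entryPoint, a removed env var).
const legacy = JSON.parse(JSON.stringify(statement))
legacy.predicate.buildType = 'https://github.com/npm/cli/gha@v1'
legacy.predicate.invocation.configSource.entryPoint =
  'sigstore/sigstore-js/.github/workflows/publish.yml@refs/tags/v1.0.0'
legacy.predicate.invocation.environment.GITHUB_RUN_NUMBER = '42'

console.log(checkProvenance(statement))
console.log(checkProvenance(legacy))
```

Running it prints an empty list for the quoted statement and four findings for the legacy-shaped copy (old buildType, a non-relative entryPoint, entryPoint disagreeing with GITHUB_WORKFLOW_REF, and a recorded GITHUB_RUN_NUMBER). A real verifier would also check the signature over the statement before reading any of these fields; that step is outside what this thread covers.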

@bdehamer bdehamer requested a review from feelepxyz March 10, 2023 22:18
@bdehamer bdehamer marked this pull request as ready for review March 10, 2023 22:19
@bdehamer bdehamer requested a review from a team as a code owner March 10, 2023 22:19
@bdehamer bdehamer requested review from wraithgar and removed request for a team March 10, 2023 22:19
@bdehamer bdehamer force-pushed the bdehamer/provenance-fixup branch 4 times, most recently from 07b2a66 to f0077aa Compare March 13, 2023 22:26

Commit (signed, Brian DeHamer):
Signed-off-by: Brian DeHamer <bdehamer@github.com>
@bdehamer bdehamer force-pushed the bdehamer/provenance-fixup branch from f0077aa to 245e055 Compare March 14, 2023 15:07
@bdehamer bdehamer requested a review from wraithgar March 14, 2023 15:08
@wraithgar wraithgar changed the title fix: provenance updates fix: provenance build type v2 Mar 14, 2023
feelepxyz (Contributor) left a review:

Minor spec copy, otherwise LGTM 👍

Commit (created on GitHub.com and signed with GitHub's verified signature; the key has since expired):
Co-authored-by: Philip Harrison <philip@mailharrison.com>
@nlf nlf merged commit 17adfb7 into latest Mar 14, 2023
@nlf nlf deleted the bdehamer/provenance-fixup branch March 14, 2023 21:08
@github-actions github-actions bot mentioned this pull request Mar 14, 2023
5 participants