Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Record vars in BYOB workflows #3636

Draft
wants to merge 7 commits into
base: main
Choose a base branch
from
Draft

feat: Record vars in BYOB workflows #3636

wants to merge 7 commits into from

Conversation

ianlewis
Copy link
Member

@ianlewis ianlewis commented May 15, 2024
edited

Summary

The vars context is converted to JSON and passed to setup-generic by the TRW in the same way that the inputs context is added. Vars are then recorded in the SLSA token. Individual vars can be masked from the provenance as well via the slsa-masked-vars field in the same way as inputs.

verify-token reads the vars from the SLSA token and includes them in the final provenance.

Note that changes to the TRW are necessary to record the vars context.

TODO:

  • Support recording vars in BYOB
  • Record vars in Node.js builder
  • Record vars in maven builder
  • Record vars in gradle builder
  • Record vars in bazel builder
  • Document changes for TRWs

Updates #1555

Testing Process

  • Add how to test.

Checklist

  • Review the contributing guidelines
  • Add a reference to related issues in the PR description.
  • Update documentation if applicable
  • Add unit tests if applicable.
  • Add changes to the CHANGELOG if applicable.

@ianlewis
feat: Record vars in BYOB workflows
bad9390 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
Update CHANGELOG
be12446 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis ianlewis mentioned this pull request May 15, 2024
Closed
15 tasks
@ianlewis
Copy link
Member Author

  • Record vars in Node.js builder
  • Record vars in maven builder
  • Record vars in gradle builder
  • Record vars in bazel builder

Though, I think BYOB itself should support setting the vars we perhaps shouldn't set them for these builders since they don't need to be used in the TRW.

@ianlewis
Merge branch 'main' into 1555-vars-byob
5570276 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
Don't pass slsa-vars in workflows
c326a5b 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
Update BYOB docs
c62472e 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
Update TOC
85ba8a6 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
Copy link
Member Author

I'm kind of thinking we don't really care about this with BYOB for now since for builders the caller can just require users to pass vars as TRW inputs.

We will need this to support generators but we don't currently support generators anyway so it isn't urgent.

@ianlewis
refactor
557e749 
Signed-off-by: Ian Lewis <ianlewis@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@laurentsimon laurentsimon Awaiting requested review from laurentsimon laurentsimon will be requested when the pull request is marked ready for review laurentsimon is a code owner

@joshuagl joshuagl Awaiting requested review from joshuagl joshuagl will be requested when the pull request is marked ready for review joshuagl is a code owner

@kpk47 kpk47 Awaiting requested review from kpk47 kpk47 will be requested when the pull request is marked ready for review kpk47 is a code owner

@ramonpetgrave64 ramonpetgrave64 Awaiting requested review from ramonpetgrave64 ramonpetgrave64 will be requested when the pull request is marked ready for review ramonpetgrave64 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@ianlewis