added keyless flags

CycodeLabs · Jul 22, 2024 · e9e13c6 · e9e13c6
1 parent 7bcb50c
commit e9e13c6
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 33 deletions.
diff --git a/attest/action.yml b/attest/action.yml
@@ -30,15 +30,15 @@ inputs:
     description: Input path to a private ECDSA/RSA/ED25519 key used to sign provenance statement
     required: false
     default: ''
-  allow-keyless:
+  keyless:
     description: Allow keyless signature if no signing key is provided
     required: false
     default: 'false'
-  allow-tlog-upload:
+  allow-tlog:
     description: Allow the creation of a Rekor transparency log (TLog) entry.
     required: false
     default: 'true'
-  allow-timestamp-upload:
+  allow-timestamp:
     description: Allow timestamping of the artifact signature against a timestamping authority.
     required: false
     default: 'false'

diff --git a/attest/dist/index.js b/attest/dist/index.js
@@ -10861,8 +10861,12 @@ function getActionConfig() {
             subjects: _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('subjects'),
             imageRef: _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('image-ref'),
             signKey: _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('sign-key'),
-            allowKeyless: _actions_core__WEBPACK_IMPORTED_MODULE_0__.getBooleanInput('allow-keyless'),
-            allowTLogUpload: _actions_core__WEBPACK_IMPORTED_MODULE_0__.getBooleanInput('allow-tlog-upload'),
+            keyless: _actions_core__WEBPACK_IMPORTED_MODULE_0__.getBooleanInput('keyless'),
+            allowTLog: _actions_core__WEBPACK_IMPORTED_MODULE_0__.getBooleanInput('allow-tlog'),
+            allowTimestamp: _actions_core__WEBPACK_IMPORTED_MODULE_0__.getBooleanInput('allow-timestamp'),
+            fulcioServerUrl: _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('fulcio-server-url'),
+            rekorServerUrl: _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('rekor-server-url'),
+            timestampServerUrl: _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('timestamp-server-url'),
             provenanceOutput: _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('provenance-output'),
             signedProvenanceOutput: _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('signed-provenance-output'),
         },
@@ -10912,33 +10916,12 @@ async function run(config) {
         releasePath = CIMON_EXECUTABLE_PATH;
     }
 
-<<<<<<< HEAD
     if (config.attest.imageRef !== '') {
         _actions_core__WEBPACK_IMPORTED_MODULE_0__.warning(
             'image-ref parameter is deprecated and will be removed in future versions. Please use subjects parameter instead.'
         );
         config.attest.subjects = config.attest.imageRef;
     }
-=======
-    const env = {
-        ...process.env,
-        CIMON_SUBJECTS: config.attest.subjects,
-        CIMON_ATTEST_IMAGE_REF: config.attest.imageRef,
-        CIMON_SIGN_KEY: config.attest.signKey,
-        CIMON_ALLOW_KEYLESS: config.attest.allowKeyless,
-        CIMON_ALLOW_TLOG: config.attest.allowTLogUpload,
-        CIMON_PROVENANCE_OUTPUT: config.attest.provenanceOutput,
-        CIMON_SIGNED_PROVENANCE_OUTPUT: config.attest.signedProvenanceOutput,
-        CIMON_LOG_LEVEL: config.cimon.logLevel,
-        CIMON_CLIENT_ID: config.cimon.clientId,
-        CIMON_SECRET: config.cimon.secret,
-        CIMON_URL: config.cimon.url,
-        CIMON_REPORT_JOB_SUMMARY: config.report.reportJobSummary,
-        CIMON_REPORT_ARTIFACT: 'false',
-        GITHUB_CONTEXT: config.attest.githubContext,
-        GITHUB_TOKEN: config.github.token,
-    };
->>>>>>> f8904f6 (feat: added keyless signing support.)
 
     // Prepare CLI arguments conditionally
     const args = ['attest', 'generate-and-sign'];
@@ -10956,6 +10939,24 @@ async function run(config) {
     if (config.cimon.logLevel !== '')
         args.push('--log-level', config.cimon.logLevel);
     if (config.report.reportJobSummary) args.push('--report-job-summary');
+    if (config.attest.keyless) {
+        args.push('--keyless');
+
+        args.push(`--allow-tlog=${config.attest.allowTLog}`);
+        args.push(`--allow-timestamp=${config.attest.allowTimestamp}`);
+
+        if (config.attest.fulcioServerUrl !== '') {
+            args.push(`--fulcio-server-url=${config.attest.fulcioServerUrl}`);
+        }
+
+        if (config.attest.rekorServerUrl !== '') {
+            args.push(`--rekor-server-url=${config.attest.rekorServerUrl}`);
+        }
+
+        if (config.attest.timestampServerUrl !== '') {
+            args.push(`--timestamp-server-url=${config.attest.timestampServerUrl}`);
+        }
+    }
 
     await _actions_exec__WEBPACK_IMPORTED_MODULE_1__.exec(releasePath, args, {
         env: {
@@ -10972,11 +10973,7 @@ async function run(config) {
                 path__WEBPACK_IMPORTED_MODULE_4__.dirname(config.attest.provenanceOutput),
                 { continueOnError: true }
             );
-<<<<<<< HEAD
         if (config.attest.signKey !== '') {
-=======
-        if (config.attest.signKey != '' || config.attest.allowKeyless) {
->>>>>>> f8904f6 (feat: added keyless signing support.)
             _actions_artifact__WEBPACK_IMPORTED_MODULE_2__.create()
                 .uploadArtifact(
                     'signed-provenance',

diff --git a/attest/index.js b/attest/index.js
@@ -35,9 +35,12 @@ function getActionConfig() {
             subjects: core.getInput('subjects'),
             imageRef: core.getInput('image-ref'),
             signKey: core.getInput('sign-key'),
-            allowKeyless: core.getBooleanInput('allow-keyless'),
-            allowTLogUpload: core.getBooleanInput('allow-tlog-upload'),
-            allowTimestampUpload: core.getBooleanInput('allow-timestamp-upload'),
+            keyless: core.getBooleanInput('keyless'),
+            allowTLog: core.getBooleanInput('allow-tlog'),
+            allowTimestamp: core.getBooleanInput('allow-timestamp'),
+            fulcioServerUrl: core.getInput('fulcio-server-url'),
+            rekorServerUrl: core.getInput('rekor-server-url'),
+            timestampServerUrl: core.getInput('timestamp-server-url'),
             provenanceOutput: core.getInput('provenance-output'),
             signedProvenanceOutput: core.getInput('signed-provenance-output'),
         },
@@ -110,6 +113,24 @@ async function run(config) {
     if (config.cimon.logLevel !== '')
         args.push('--log-level', config.cimon.logLevel);
     if (config.report.reportJobSummary) args.push('--report-job-summary');
+    if (config.attest.keyless) {
+        args.push('--keyless');
+
+        args.push(`--allow-tlog=${config.attest.allowTLog}`);
+        args.push(`--allow-timestamp=${config.attest.allowTimestamp}`);
+
+        if (config.attest.fulcioServerUrl !== '') {
+            args.push(`--fulcio-server-url=${config.attest.fulcioServerUrl}`);
+        }
+
+        if (config.attest.rekorServerUrl !== '') {
+            args.push(`--rekor-server-url=${config.attest.rekorServerUrl}`);
+        }
+
+        if (config.attest.timestampServerUrl !== '') {
+            args.push(`--timestamp-server-url=${config.attest.timestampServerUrl}`);
+        }
+    }
 
     await exec.exec(releasePath, args, {
         env: {