Skip to content

feat: add checks to determine if repo and commit came from provenance #704

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
May 15, 2024
Merged

feat: add checks to determine if repo and commit came from provenance #704

merged 8 commits into from
May 15, 2024

Conversation

benmss
Copy link
Member

@benmss benmss commented Apr 15, 2024
edited
Loading

This PR adds a new check that succeeds if the repository URL and commit of the analysis target match those that can be extracted from the provenance. If the repository or provenance do not exist, or do not contain the needed information, or are not identical, this check will fail.

Closes #677

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Apr 15, 2024
@benmss benmss marked this pull request as ready for review April 16, 2024 08:46
@benmss benmss requested review from behnazh-w and tromai as code owners April 16, 2024 08:46
@benmss benmss marked this pull request as draft April 19, 2024 00:32
@behnazh-w
Copy link
Member

@benmss The scope of this PR should be feat.

@benmss benmss changed the title chore: add check to determine if repo and commit came from provenance feat: add check to determine if repo and commit came from provenance Apr 29, 2024
@benmss benmss force-pushed the 677-check-repo-commit-from-provenance branch from ceb45be to a7b2a2a Compare April 30, 2024 23:01
@benmss benmss marked this pull request as ready for review May 1, 2024 01:15
@benmss benmss marked this pull request as draft May 1, 2024 23:50
@benmss benmss changed the title feat: add check to determine if repo and commit came from provenance feat: add checks to determine if repo and commit came from provenance May 7, 2024
@benmss benmss force-pushed the 677-check-repo-commit-from-provenance branch 2 times, most recently from cdec8f2 to dbfd995 Compare May 7, 2024 05:54
@benmss benmss marked this pull request as ready for review May 7, 2024 05:59
@behnazh-w behnazh-w requested a review from nicallen May 8, 2024 00:07
nicallen
nicallen reviewed May 8, 2024
View reviewed changes
nicallen
nicallen reviewed May 8, 2024
View reviewed changes
behnazh-w
behnazh-w reviewed May 8, 2024
View reviewed changes
tromai
tromai reviewed May 9, 2024
View reviewed changes
tromai
tromai reviewed May 9, 2024
View reviewed changes
tromai
tromai reviewed May 9, 2024
View reviewed changes
@benmss benmss force-pushed the 677-check-repo-commit-from-provenance branch from e5a567a to af35243 Compare May 13, 2024 02:10
benmss added 2 commits May 13, 2024 12:15
@benmss
feat: add checks to determine if repo and commit came from provenance
1d7f0e9 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: check found repo and commit against context
1279beb 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss benmss force-pushed the 677-check-repo-commit-from-provenance branch from af35243 to 1279beb Compare May 13, 2024 02:17
tromai
tromai approved these changes May 14, 2024
View reviewed changes
Copy link
Contributor

@tromai tromai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the change. LGTM.

behnazh-w
behnazh-w reviewed May 14, 2024
View reviewed changes
@behnazh-w
Copy link
Member

@benmss Please update the list of checks in docs/source/index.rst at Current checks in Macaron and run make docs-api.

@benmss
chore: rename new context attributes for clarity
a22a600 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
benmss added 3 commits May 14, 2024 15:42
@benmss
chore: update api docs for new check
6cad728 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: update context attributes in test
23be3f7 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: update attributes in checks
e0bef08 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
behnazh-w
behnazh-w reviewed May 15, 2024
View reviewed changes
benmss added 2 commits May 15, 2024 13:24
@benmss
chore: use expectation eval req for new checks
46507d4 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: remove slsa_requirements comparison from compare e2e script
a62b8d9 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss benmss merged commit 9c44445 into staging May 15, 2024
@tromai tromai deleted the 677-check-repo-commit-from-provenance branch May 15, 2024 23:58
@behnazh-w behnazh-w mentioned this pull request Jun 26, 2024
Closed
art1f1c3R pushed a commit that referenced this pull request Nov 29, 2024
@benmss
feat: add checks to determine if repo and commit came from provenance (
522086a 
…#704)

This PR adds two new checks that succeed if the repository URL or commit of the analysis target match those that can be extracted from the provenance, respectively. If the repository or provenance do not exist, or do not contain the needed information, or are not identical, these checks will fail.

Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicallen nicallen nicallen left review comments

@behnazh-w behnazh-w behnazh-w approved these changes

+1 more reviewer

@tromai tromai tromai approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

OCA Verified All contributors have signed the Oracle Contributor Agreement.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@benmss @behnazh-w @nicallen @tromai