feat: setup-token Action for BYOB (#1392)

* update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * Update actions/setup-token/action.yml Co-authored-by: asraa <asraa@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> * Update actions/setup-token/src/main.ts Co-authored-by: Ian Lewis <ianlewis@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> * Update actions/setup-token/action.yml Co-authored-by: asraa <asraa@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> * Update actions/setup-token/action.yml Co-authored-by: Ian Lewis <ianlewis@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> * Update actions/setup-token/action.yml Co-authored-by: Ian Lewis <ianlewis@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> * Update actions/setup-token/action.yml Co-authored-by: Ian Lewis <ianlewis@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> * Update actions/setup-token/action.yml Co-authored-by: Ian Lewis <ianlewis@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: asraa <asraa@google.com> Co-authored-by: Ian Lewis <ianlewis@google.com>
slsa-framework · Dec 27, 2022 · 3ab21e9 · 3ab21e9
1 parent 03e66ca
commit 3ab21e9
Show file tree

Hide file tree

Showing 17 changed files with 50,960 additions and 6 deletions.
diff --git a/.github/actions/compute-sha256/package.json b/.github/actions/compute-sha256/package.json
@@ -10,7 +10,7 @@
     "format-check": "prettier --check '**/*.ts'",
     "package": "ncc build --source-map",
     "lint": "eslint src/**/*.ts",
-    "all": "npm run build && npm run format && npm run lint && npm run package"
+    "all": "npm run format && npm run lint && npm run build && npm run package"
   },
   "keywords": [
     "actions",

diff --git a/.github/actions/privacy-check/package.json b/.github/actions/privacy-check/package.json
@@ -10,7 +10,7 @@
     "format-check": "prettier --check '**/*.ts'",
     "package": "ncc build --source-map",
     "lint": "eslint src/**/*.ts",
-    "all": "npm run build && npm run format && npm run lint && npm run package"
+    "all": "npm run format && npm run lint && npm run build && npm run package"
   },
   "keywords": [
     "actions",

diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml
@@ -19,7 +19,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        action: [compute-sha256, privacy-check]
+        action:
+          - .github/actions/compute-sha256
+          - .github/actions/privacy-check
+          - ./actions/setup-token
     steps:
       - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
 
@@ -29,11 +32,11 @@ jobs:
           node-version: 16
 
       - name: Rebuild the dist/ directory
-        working-directory: .github/actions/${{ matrix.action }}
+        working-directory: ${{ matrix.action }}
         run: make package
 
       - name: Compare the expected and actual dist/ directories
-        working-directory: .github/actions/${{ matrix.action }}
+        working-directory: ${{ matrix.action }}
         id: diff
         run: |
           set -euo pipefail
@@ -93,6 +96,22 @@ jobs:
           echo "Got output: $OUTPUT"
           [[ "$OUTPUT" != "" ]]
 
+  setup-token:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+      - id: setup
+        uses: ./actions/setup-token
+        with:
+          slsa-workflow-recipient: "delegator_generic_slsa3.yml"
+          slsa-private-repository: true
+          slsa-runner-label: "ubuntu-latest"
+          slsa-build-action-path: "./actions/build-artifacts-composite"
+          slsa-workflow-inputs: '{"name1":"value1","name2":"value2","private-repository":true}'
+      - env:
+          SLSA_TOKEN: ${{ steps.setup.outputs.slsa-token }}
+        run: ./.github/workflows/scripts/pre-submit.actions/setup-token.sh
+
   references:
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/scripts/pre-submit.actions/references.sh b/.github/workflows/scripts/pre-submit.actions/references.sh
@@ -18,4 +18,3 @@ if [[ "$results" != "" ]]; then
     echo "$results"
     exit 1
 fi
-
diff --git a/.github/workflows/scripts/pre-submit.actions/setup-token.sh b/.github/workflows/scripts/pre-submit.actions/setup-token.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+set -euo pipefail
+
+source "./.github/workflows/scripts/assert.sh"
+
+# NOTE: this is a pre-submit, so the signature is not generated and there is
+# just a place holder for it.
+echo "SLSA_TOKEN: $SLSA_TOKEN"
+[[ "$SLSA_TOKEN" != "" ]]
+
+b64_token=$(echo -n "$SLSA_TOKEN" | cut -d '.' -f2)
+echo "b64_token:"
+echo "$b64_token"
+
+decoded_token=$(echo "$b64_token" | base64 -d)
+echo "decoded_token:"
+echo "$decoded_token"
+
+# Non-GitHub's information.
+audience=$(echo "$decoded_token" | jq -r '.builder.audience')
+runner_label=$(echo "$decoded_token" | jq -r '.builder.runner_label')
+private_repository=$(echo "$decoded_token" | jq -r '.builder.private_repository')
+action_path=$(echo "$decoded_token" | jq -r '.tool.actions.build_artifacts.path')
+inputs=$(echo "$decoded_token" | jq -rc '.tool.inputs')
+
+# GitHub's information.
+run_attempt=$(echo "$decoded_token" | jq -r '.github.run_attempt')
+run_id=$(echo "$decoded_token" | jq -r '.github.run_id')
+run_number=$(echo "$decoded_token" | jq -r '.github.run_number')
+sha=$(echo "$decoded_token" | jq -r '.github.sha')
+workflow=$(echo "$decoded_token" | jq -r '.github.workflow')
+event_name=$(echo "$decoded_token" | jq -r '.github.event_name')
+repository=$(echo "$decoded_token" | jq -r '.github.repository')
+repository_owner=$(echo "$decoded_token" | jq -r '.github.repository_owner')
+ref=$(echo "$decoded_token" | jq -r '.github.ref')
+ref_type=$(echo "$decoded_token" | jq -r '.github.ref_type')
+actor=$(echo "$decoded_token" | jq -r '.github.actor')
+
+assert_eq "delegator_generic_slsa3.yml", "$audience"
+assert_eq "$GITHUB_RUN_ATTEMPT", "$run_attempt"
+assert_eq "$GITHUB_RUN_NUMBER", "$run_number"
+assert_eq "$GITHUB_RUN_ID", "$run_id"
+assert_eq "$GITHUB_SHA", "$sha"
+assert_eq "$GITHUB_WORKFLOW", "$workflow"
+assert_eq "ubuntu-latest", "$runner_label"
+assert_eq "true", "$private_repository"
+assert_eq "./actions/build-artifacts-composite", "$action_path"
+assert_eq '{"name1":"value1","name2":"value2","private-repository":true}', "$inputs"
+assert_eq "$GITHUB_EVENT_NAME", "$event_name"
+assert_eq "$GITHUB_REPOSITORY", "$repository"
+assert_eq "$GITHUB_REPOSITORY_OWNER", "$repository_owner"
+assert_eq "$GITHUB_REF", "$ref"
+assert_eq "$GITHUB_REF_TYPE", "$ref_type"
+assert_eq "$GITHUB_ACTOR", "$actor"
diff --git a/actions/setup-token/.eslintignore b/actions/setup-token/.eslintignore
@@ -0,0 +1,3 @@
+dist/
+lib/
+node_modules/
diff --git a/actions/setup-token/.eslintrc.json b/actions/setup-token/.eslintrc.json
@@ -0,0 +1,53 @@
+{
+  "plugins": ["@typescript-eslint"],
+  "extends": ["plugin:github/recommended"],
+  "parser": "@typescript-eslint/parser",
+  "parserOptions": {
+    "ecmaVersion": 9,
+    "sourceType": "module",
+    "project": "./tsconfig.json"
+  },
+  "rules": {
+    "i18n-text/no-en": "off",
+    "eslint-comments/no-use": "off",
+    "import/no-namespace": "off",
+    "no-unused-vars": "off",
+    "@typescript-eslint/no-unused-vars": "error",
+    "@typescript-eslint/explicit-member-accessibility": ["error", {"accessibility": "no-public"}],
+    "@typescript-eslint/no-require-imports": "error",
+    "@typescript-eslint/array-type": "error",
+    "@typescript-eslint/await-thenable": "error",
+    "@typescript-eslint/ban-ts-comment": "error",
+    "camelcase": "off",
+    "@typescript-eslint/consistent-type-assertions": "error",
+    "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
+    "@typescript-eslint/func-call-spacing": ["error", "never"],
+    "@typescript-eslint/no-array-constructor": "error",
+    "@typescript-eslint/no-empty-interface": "error",
+    "@typescript-eslint/no-explicit-any": "error",
+    "@typescript-eslint/no-extraneous-class": "error",
+    "@typescript-eslint/no-for-in-array": "error",
+    "@typescript-eslint/no-inferrable-types": "error",
+    "@typescript-eslint/no-misused-new": "error",
+    "@typescript-eslint/no-namespace": "error",
+    "@typescript-eslint/no-non-null-assertion": "warn",
+    "@typescript-eslint/no-unnecessary-qualifier": "error",
+    "@typescript-eslint/no-unnecessary-type-assertion": "error",
+    "@typescript-eslint/no-useless-constructor": "error",
+    "@typescript-eslint/no-var-requires": "error",
+    "@typescript-eslint/prefer-for-of": "warn",
+    "@typescript-eslint/prefer-function-type": "warn",
+    "@typescript-eslint/prefer-includes": "error",
+    "@typescript-eslint/prefer-string-starts-ends-with": "error",
+    "@typescript-eslint/promise-function-async": "error",
+    "@typescript-eslint/require-array-sort-compare": "error",
+    "@typescript-eslint/restrict-plus-operands": "error",
+    "semi": "off",
+    "@typescript-eslint/type-annotation-spacing": "error",
+    "@typescript-eslint/unbound-method": "error"
+  },
+  "env": {
+    "node": true,
+    "es6": true
+  }
+}
diff --git a/actions/setup-token/.prettierignore b/actions/setup-token/.prettierignore
@@ -0,0 +1,3 @@
+dist/
+lib/
+node_modules/
diff --git a/actions/setup-token/Makefile b/actions/setup-token/Makefile
@@ -0,0 +1,41 @@
+SHELL := /bin/bash
+
+.PHONY: help
+help: ## Shows all targets and help from the Makefile (this message).
+	@echo "privacy-check Makefile"
+	@echo "Usage: make [COMMAND]"
+	@echo ""
+	@grep --no-filename -E '^([/a-z.A-Z0-9_%-]+:.*?|)##' $(MAKEFILE_LIST) | \
+		awk 'BEGIN {FS = "(:.*?|)## ?"}; { \
+			if (length($$1) > 0) { \
+				printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2; \
+			} else { \
+				if (length($$2) > 0) { \
+					printf "%s\n", $$2; \
+				} \
+			} \
+		}'
+
+node_modules/.installed: package.json package-lock.json
+	npm ci
+	touch node_modules/.installed
+
+.PHONY: action
+action: node_modules/.installed ## Builds the action.
+	npm run build
+
+.PHONY: package
+package: node_modules/.installed ## Builds the distribution package.
+	npm run all
+
+.PHONY: clean
+clean:
+	rm -rf dist lib node_modules
+
+## Testing
+#####################################################################
+
+.PHONY: lint
+lint: node_modules/.installed ## Runs eslint.
+	npm run lint
+
diff --git a/actions/setup-token/action.yml b/actions/setup-token/action.yml
@@ -0,0 +1,51 @@
+name: setup token
+
+description: 'setup token'
+
+inputs:
+  slsa-workflow-recipient:
+    description: >
+      The workflow filename that this token is intended for.
+
+      Example: delegator_generic_slsa3.yml
+    type: string
+    required: true
+
+  slsa-private-repository:
+    description: "If true, private repositories can post to the public transparency log."
+    required: false
+    type: boolean
+    default: false
+
+  slsa-build-action-path:
+    description: >
+      The action path to invoke, from the root of the repository where this action is invoked
+      Example: ./actions/build-artifacts'
+    type: string
+    required: true
+
+  slsa-runner-label:
+    description: >
+      The runner label to run the callback Action (`slsa-build-action-path`) on.
+    type: choice
+    options:
+      - ubuntu-latest
+    required: true
+
+  slsa-workflow-inputs:
+    description: >
+      A JSON object containing the inputs to the Tool Reusable Workflow (TRW).
+      The inputs will be recorded in the provenance as the builder's inputs and
+      passed to the tool's build Action.
+
+      Note: The TRW is the reusable workflow calling this Action.
+    type: string
+    required: true
+
+outputs:
+  slsa-token:
+    description: "SLSA token"
+
+runs:
+  using: 'node16'
+  main: 'dist/index.js'