feat: Update nodejs builder to use BYOB (#1667)

Updates the nodejs builder to use BYOB. Publishing to npmjs.com will be done on a separate PR. --------- Signed-off-by: Ian Lewis <ianlewis@google.com>
slsa-framework · Feb 24, 2023 · 478820e · 478820e
1 parent 4ed6a51
commit 478820e
Show file tree

Hide file tree

Showing 11 changed files with 214 additions and 623 deletions.
diff --git a/.github/workflows/builder_nodejs_slsa3.yml b/.github/workflows/builder_nodejs_slsa3.yml
diff --git a/.github/workflows/delegator_generic_slsa3.yml b/.github/workflows/delegator_generic_slsa3.yml
@@ -161,7 +161,6 @@ jobs:
  echo "ACTION_PATH=$ACTION_PATH"
  tree
 
-
  - name: Checkout the project repository
  uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main
 

diff --git a/internal/builders/nodejs/README.md b/internal/builders/nodejs/README.md
@@ -0,0 +1 @@
+# Generation of SLSA3+ provenance for npm packages
diff --git a/internal/builders/nodejs/attest.go b/internal/builders/nodejs/attest.go
diff --git a/internal/builders/nodejs/build.go b/internal/builders/nodejs/build.go
diff --git a/internal/builders/nodejs/main.go b/internal/builders/nodejs/main.go
diff --git a/internal/builders/nodejs/publish.go b/internal/builders/nodejs/publish.go
diff --git a/internal/builders/nodejs/version.go b/internal/builders/nodejs/version.go
diff --git a/internal/nodejs-action/action.yml b/internal/nodejs-action/action.yml
@@ -0,0 +1,77 @@
+name: SLSA3 Builder internal wrapper
+description: SLSA3 Builder internal wrapper
+
+inputs:
+ slsa-workflow-inputs:
+ description: "All the inputs formatted as a JSON map"
+ type: string
+ required: true
+
+ slsa-layout-file:
+ description: "Location to store the layout content"
+ type: string
+ required: true
+
+ slsa-workflow-secret1:
+ description: "secret1 is unused"
+ type: string
+ required: false
+
+ slsa-workflow-secret2:
+ description: "secret2 is unused"
+ type: string
+ required: false
+
+runs:
+ using: "composite"
+ steps:
+ # NOTE: the repository is already cloned by the caller, so there's no need to
+ # checkout ourselves.
+
+ - name: Setup Node
+ uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+ with:
+ always-auth: ${{ fromJson(inputs.slsa-workflow-inputs).always-auth }}
+ node-version: ${{ fromJson(inputs.slsa-workflow-inputs).node-version }}
+ node-version-file: ${{ fromJson(inputs.slsa-workflow-inputs).node-version-file }}
+ registry-url: ${{ fromJson(inputs.slsa-workflow-inputs).registry-url }}
+ scope: ${{ fromJson(inputs.slsa-workflow-inputs).scope }}
+ # TODO(#1679): cache dependencies.
+ # cache: npm
+ # NOTE: cache-dependency-path needs to be validated to be a subdirectory of GITHUB_WORKSPACE.
+ # cache-dependency-path:
+
+ # NOTE: the default npm lists incorrect filenames in the output of 'npm pack --json'. This is fixed in later versions.
+ - id: update-npm
+ shell: bash
+ run: |
+ npm install -g npm@9.5.0
+
+ - id: build
+ env:
+ UNTRUSTED_DIRECTORY: ${{ fromJson(inputs.slsa-workflow-inputs).directory }}
+ UNTRUSTED_RUN_SCRIPTS: ${{ fromJson(inputs.slsa-workflow-inputs).run-scripts }}
+ shell: bash
+ run: |
+ ./../__TOOL_ACTION_DIR__/build.sh
+
+ - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ with:
+ name: package.tgz
+ path: ${{ steps.build.outputs.filename }}
+ if-no-files-found: error
+ retention-days: 5
+
+ # NOTE: Here we create a JSON file that describes the attestations we want
+ # to create. Each attestation will be created as a separate file,
+ # each with the subjects specified. This allows complicated release
+ # pipelines that output many artifacts to organize the attestations
+ # for those artifacts in a flexible way.
+ - name: Generate layout file
+ id: generate-layout
+ env:
+ SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
+ PACK_JSON: ${{ steps.build.outputs.pack_json }}
+ shell: bash
+ run: |
+ ./../__TOOL_ACTION_DIR__/generate-layout.sh