
[feature][byob] Distinguish between user inputs and TRW inputs #1737

Closed
laurentsimon opened this issue Mar 3, 2023 · 9 comments · Fixed by #1917
Labels:
  - area:BYOB (An issue with the BYOB framework)
  - type:feature (New feature or request)

Comments

@laurentsimon
Collaborator

laurentsimon commented Mar 3, 2023

See actions/runner#2274

We could:

  1. Ask TRW writers to give a list of inputs. This is error prone, especially when TRW writers start updating their inputs.
  2. Compare the TRW inputs (in the token) with those in the workflow_dispatch event. This does not work if some TRW inputs have the same name as the workflow_dispatch
  3. Read the TRW workflow and parse it, keep only the fields from the slsa-token that are defined in the workflow.
@laurentsimon laurentsimon added type:feature New feature or request status:triage Issue that has not been triaged area:BYOB An issue with the BYOB framework and removed status:triage Issue that has not been triaged labels Mar 3, 2023
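The three options above, as an added example that is not part of this issue or of slsa-github-generator's own code: a small Python script showing why option 2 (dropping every name that also appears in the caller's workflow_dispatch inputs) loses a TRW input that shares a name with a caller input, and how option 3 (reading the TRW file and keeping only the names declared under on.workflow_call.inputs) handles the same collision. The TRW YAML, the slsa-token inputs JSON and the dispatch inputs are constructed samples, not taken from the project. The workflow file is scanned by indentation rather than with a YAML library so the script runs with the standard library only; that is an assumption that holds for block-style, two-space-indented workflow files, and a real YAML parser should be used in production.

```python
"""Added example (not slsa-github-generator code): keep only the TRW-declared
inputs from the merged `inputs` context that a TRW places in the slsa-token."""
from __future__ import annotations

import json

# Constructed sample TRW file. `release-tag` is deliberately also the name of a
# workflow_dispatch input in the calling workflow, to exercise the collision.
TRW_WORKFLOW_YAML = """\
name: example-trw
on:
  workflow_call:
    inputs:
      release-tag:
        type: string
        required: true
      upload-assets:
        type: boolean
        default: false
    secrets:
      token:
        required: false
jobs:
  build:
    uses: ./.github/workflows/delegator.yml
"""

# Constructed sample of what `toJson(inputs)` yields inside the TRW: the
# caller's workflow_dispatch inputs land in the same context as the
# workflow_call inputs, so names alone cannot tell them apart.
TOKEN_INPUTS_JSON = json.dumps({
    "release-tag": "v1.2.3",   # declared by the TRW and also by the caller
    "upload-assets": True,     # declared by the TRW only
    "dry-run": True,           # caller's workflow_dispatch input only
})

# Constructed sample of the caller's `github.event.inputs` for a dispatch run.
DISPATCH_INPUTS = {"release-tag": "v1.2.3", "dry-run": "true"}


def workflow_call_inputs(yaml_text: str) -> set[str]:
    """Return the input names declared under on.workflow_call.inputs.

    Assumption: block-style YAML with consistent indentation. The scan descends
    into `on:`, then `workflow_call:`, then `inputs:`, and collects the mapping
    keys that sit one level below `inputs:`. Flow style such as `on: [push]`
    yields no names, which is the correct answer for that file.
    """
    path = ["on", "workflow_call", "inputs"]
    matched: list[int] = []   # indentation of each matched key in `path`
    child_indent = None       # indentation of the input names inside `inputs:`
    names: set[str] = set()
    for raw in yaml_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # Dedent: leave every matched block whose indentation we have returned to.
        while matched and indent <= matched[-1]:
            matched.pop()
            child_indent = None
        if len(matched) < len(path):
            key, sep, rest = stripped.partition(":")
            if key == path[len(matched)] and sep and not rest.strip():
                matched.append(indent)
            continue
        # Fully inside on.workflow_call.inputs: direct children are input names.
        if child_indent is None:
            child_indent = indent
        if indent == child_indent:
            names.add(stripped.partition(":")[0].strip("\"'"))
    return names


def filter_by_dispatch(token_inputs_json: str, dispatch_inputs: dict) -> dict:
    """Option 2: drop any name that also appears in the workflow_dispatch event.

    Any TRW input that shares a name with a caller input is lost.
    """
    token_inputs = json.loads(token_inputs_json)
    return {k: v for k, v in token_inputs.items() if k not in dispatch_inputs}


def filter_by_declaration(token_inputs_json: str, trw_yaml: str) -> dict:
    """Option 3: keep only names the TRW file declares under on.workflow_call.inputs."""
    declared = workflow_call_inputs(trw_yaml)
    token_inputs = json.loads(token_inputs_json)
    return {k: v for k, v in token_inputs.items() if k in declared}


if __name__ == "__main__":
    print("declared by TRW:", sorted(workflow_call_inputs(TRW_WORKFLOW_YAML)))
    print("option 2 keeps: ", filter_by_dispatch(TOKEN_INPUTS_JSON, DISPATCH_INPUTS))
    print("option 3 keeps: ", filter_by_declaration(TOKEN_INPUTS_JSON, TRW_WORKFLOW_YAML))
```

Run as a script: option 2 keeps only `upload-assets`, having thrown away `release-tag` because the caller happened to use the same name, while option 3 keeps both `release-tag` and `upload-assets` and drops the caller-only `dry-run`, which is the provenance the TRW author actually intended to record.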
@ianlewis
Member

ianlewis commented Mar 6, 2023

Compare the TRW inputs (in the token) with those in the workflow_dispatch event.

Would the TRW's inputs not presumably be polluted by the calling workflow's inputs in this case as well?

This does not work if some TRW inputs have the same name as the workflow_dispatch

What happens in this case? Is one overwritten by the other?

@asraa
Collaborator

asraa commented Mar 6, 2023

What happens in this case? Is one overwritten by the other?

I'm guessing that if, say, there was an input-a detected in the delegator, and an input-a in the slsa-token, we have no way to tell whether that input-a was ONLY the calling workflow's workflow_dispatch input, or whether it was also a TRW input.

@laurentsimon
Collaborator Author

Looks like there is on.workflow_call.inputs we can use. I have not confirmed, but this would mean the only necessary change is for TRWs to use toJson(on.workflow_call.inputs) instead of toJson(inputs)

@ianlewis
Member

ianlewis commented Mar 7, 2023

Looks like there is on.workflow_call.inputs we can use. I have not confirmed, but this would mean the only necessary change is for TRWs to use toJson(on.workflow_call.inputs) instead of toJson(inputs)

The reply on the other bug is basically your option 3. This doesn't exist as a context that is passed at runtime.

@laurentsimon laurentsimon self-assigned this Mar 9, 2023
@ianlewis ianlewis added this to the BYOB framework milestone Mar 10, 2023
@laurentsimon
Collaborator Author

laurentsimon commented Mar 10, 2023

I think we need the Fulcio claims to be available to do this. The certificate contains the GITHUB_SHA of the project, but not the sha of the TRW, i.e. the workflow_sha is not present in Fulcio certs yet (it's only present in the OIDC token). We need sigstore/fulcio#945 to land.
@haydentherapper when do you think it will be implemented?

@haydentherapper
Contributor

Working on it currently! Hoping in a couple weeks, it's pretty straightforward.

@laurentsimon
Collaborator Author

Awesome, please ping us here when it's landed if you can

@laurentsimon
Collaborator Author

The PR got merged, and @haydentherapper will put it in staging, so we may be able to test it. @haydentherapper What's the fulcio URL / TUF to test against?

@haydentherapper
Contributor

https://docs.sigstore.dev/cosign/keyless/#public-staging-environment - fulcio.sigstage.dev, and tuf-root-staging for the staging bucket.

laurentsimon added a commit that referenced this issue Apr 13, 2023
…ow inputs (#1917)

closes #1737

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>