feat: Update nodejs builder to use BYOB (#1667)

Updates the nodejs builder to use BYOB.

Publishing to npmjs.com will be done on a separate PR.

---------

Signed-off-by: Ian Lewis <ianlewis@google.com>

.github/workflows/delegator_generic_slsa3.yml

@@ -161,7 +161,6 @@ jobs:
           echo "ACTION_PATH=$ACTION_PATH"
           tree
 
-
       - name: Checkout the project repository
         uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main
 

internal/builders/nodejs/README.md

@@ -0,0 +1 @@
+# Generation of SLSA3+ provenance for npm packages

internal/nodejs-action/action.yml

@@ -0,0 +1,77 @@
+name: SLSA3 Builder internal wrapper
+description: SLSA3 Builder internal wrapper
+
+inputs:
+  slsa-workflow-inputs:
+    description: "All the inputs formatted as a JSON map"
+    type: string
+    required: true
+
+  slsa-layout-file:
+    description: "Location to store the layout content"
+    type: string
+    required: true
+
+  slsa-workflow-secret1:
+    description: "secret1 is unused"
+    type: string
+    required: false
+
+  slsa-workflow-secret2:
+    description: "secret2 is unused"
+    type: string
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    # NOTE: the repository is already cloned by the caller, so there's no need to
+    # checkout ourselves.
+
+    - name: Setup Node
+      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+      with:
+        always-auth: ${{ fromJson(inputs.slsa-workflow-inputs).always-auth }}
+        node-version: ${{ fromJson(inputs.slsa-workflow-inputs).node-version }}
+        node-version-file: ${{ fromJson(inputs.slsa-workflow-inputs).node-version-file }}
+        registry-url: ${{ fromJson(inputs.slsa-workflow-inputs).registry-url }}
+        scope: ${{ fromJson(inputs.slsa-workflow-inputs).scope }}
+        # TODO(#1679): cache dependencies.
+        # cache: npm
+        # NOTE: cache-dependency-path needs to be validated to be a subdirectory of GITHUB_WORKSPACE.
+        # cache-dependency-path:
+
+    # NOTE: the default npm lists incorrect filenames in the output of 'npm pack --json'. This is fixed in later versions.
+    - id: update-npm
+      shell: bash
+      run: |
+        npm install -g npm@9.5.0
+
+    - id: build
+      env:
+        UNTRUSTED_DIRECTORY: ${{ fromJson(inputs.slsa-workflow-inputs).directory }}
+        UNTRUSTED_RUN_SCRIPTS: ${{ fromJson(inputs.slsa-workflow-inputs).run-scripts }}
+      shell: bash
+      run: |
+        ./../__TOOL_ACTION_DIR__/build.sh
+
+    - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      with:
+        name: package.tgz
+        path: ${{ steps.build.outputs.filename }}
+        if-no-files-found: error
+        retention-days: 5
+
+    # NOTE: Here we create a JSON file that describes the attestations we want
+    #       to create. Each attestation will be created as a separate file,
+    #       each with the subjects specified. This allows complicated release
+    #       pipelines that output many artifacts to organize the attestations
+    #       for those artifacts in a flexible way.
+    - name: Generate layout file
+      id: generate-layout
+      env:
+        SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
+        PACK_JSON: ${{ steps.build.outputs.pack_json }}
+      shell: bash
+      run: |
+        ./../__TOOL_ACTION_DIR__/generate-layout.sh