revert: "feat: Make possible to provide image as a secret" (#2954)
Reverts #2918

Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
laurentsimon authored Jan 16, 2024
1 parent b54dfc3 commit 56c554a
Showing 3 changed files with 9 additions and 22 deletions.
7 changes: 3 additions & 4 deletions .github/workflows/generator_container_slsa3.yml
Expand Up @@ -45,6 +45,7 @@ on:
inputs:
image:
description: "The OCI image name. This must not include a tag or digest."
required: true
type: string
digest:
description: "The OCI image digest. The image digest of the form '<algorithm>:<digest>' (e.g. 'sha256:abcdef...')"
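Review bot: restoring `required: true` on the `image` input matches the README row marked **(Required)**, and it moves the failure for callers that omit the input from a runtime error in the shell steps to a workflow validation error, which is the better place for it. Keep in mind that `required: true` only checks that the key is supplied, not that it is non-empty, so the downstream steps should still treat an empty `inputs.image` as invalid rather than rely on this line.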
Expand Down Expand Up @@ -176,7 +177,6 @@ jobs:
continue-on-error: true
env:
UNTRUSTED_IMAGE: "${{ inputs.image }}"
UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
UNTRUSTED_INPUT_USERNAME: "${{ inputs.registry-username }}"
UNTRUSTED_SECRET_USERNAME: "${{ secrets.registry-username }}"
UNTRUSTED_PASSWORD: "${{ secrets.registry-password }}"
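Review bot: with `UNTRUSTED_SECRET_IMAGE` dropped from `env`, any leftover `${UNTRUSTED_SECRET_IMAGE:-...}` expansion elsewhere in the file would quietly resolve to the fallback instead of failing, so once the revert lands the workflow should be grepped for the variable name to confirm no reference survives. The username and password entries directly below keep both input and secret forms, so the asymmetry between `image` (input only) and `registry-username` (input or secret) is now deliberate and is worth a sentence in the README.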
Expand All @@ -190,7 +190,7 @@ jobs:
# See: https://stackoverflow.com/questions/37861791/how-are-docker-image-names-parsed#37867949
untrusted_registry="docker.io"
# NOTE: Do not fail the script if grep does not match.
maybe_domain=$(echo "${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
maybe_domain=$(echo "${UNTRUSTED_IMAGE}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
if [ "${maybe_domain}" != "" ]; then
untrusted_registry="${maybe_domain}"
fi
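Review bot: `echo "${UNTRUSTED_IMAGE}"` on the restored line passes an untrusted value to `echo`, which in some shells treats a leading `-n` or `-e` as an option; `printf '%s\n' "${UNTRUSTED_IMAGE}"` is the safer spelling. The rest of the pipeline is fine: `cut -f1 -d "/"` returns the whole name when there is no slash, and the `{ grep -E "\.|:" || true; }` guard keeps a non-matching grep from failing the script, as the NOTE comment says.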
Expand Down Expand Up @@ -264,7 +264,6 @@ jobs:
continue-on-error: true
env:
UNTRUSTED_IMAGE: "${{ inputs.image }}"
UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
UNTRUSTED_DIGEST: "${{ inputs.digest }}"
GITHUB_CONTEXT: "${{ toJSON(github) }}"
UNTRUSTED_PROVENANCE_REGISTRY: "${{ inputs.provenance-registry }}"
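Review bot: this is the same `env` cleanup as in the earlier job and the two should stay paired; passing `inputs.image` and `inputs.digest` through `env` rather than interpolating `${{ }}` directly into `run:` is the right pattern for untrusted values and survives the revert intact.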
Expand All @@ -283,7 +282,7 @@ jobs:
cosign attest --predicate="$predicate_name" \
--type slsaprovenance \
--yes \
"${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}@${UNTRUSTED_DIGEST}"
"${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"
- name: Final outcome
id: final
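Review bot: the restored `"${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"` argument relies on `UNTRUSTED_DIGEST` having the `<algorithm>:<digest>` form promised by the input description, but nothing visible in this hunk checks it before the value reaches `cosign attest --yes`. A shape check ahead of the call, for example `case "${UNTRUSTED_DIGEST}" in sha256:[0-9a-f]*) ;; *) echo "bad digest" >&2; exit 1 ;; esac`, would reject malformed or tag-style values early instead of leaving that to cosign.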
16 changes: 2 additions & 14 deletions CHANGELOG.md
Expand Up @@ -9,9 +9,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

<!-- toc -->

- [Unreleased](#unreleased)
- [Changes](#changes)
- [Container generator](#container-generator)
- [v1.9.0](#v190)
- [v1.9.0: BYOB framework (beta)](#v190-byob-framework-beta)
- [v1.9.0: Maven builder (beta)](#v190-maven-builder-beta)
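Review bot: the three ToC entries removed here sit under a `<!-- toc -->` marker, which usually means the list is tool-generated; regenerating it rather than hand-editing keeps the anchor suffixes (`#container-generator`, `-1`, `-2`) in sync with the headings, which the following hunk also has to renumber by hand.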
Expand All @@ -28,15 +25,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- [New Features](#new-features)
- [Generic generator](#generic-generator)
- [New Features](#new-features-1)
- [Container generator](#container-generator-1)
- [Container generator](#container-generator)
- [Changelog since v1.5.0](#changelog-since-v150)
- [v1.5.0](#v150)
- [Summary of changes](#summary-of-changes-1)
- [Go builder](#go-builder-1)
- [New Features](#new-features-2)
- [Generic generator](#generic-generator-1)
- [New Features](#new-features-3)
- [Container generator](#container-generator-2)
- [Container generator](#container-generator-1)
- [New Features](#new-features-4)
- [Changelog since v1.4.0](#changelog-since-v140)
- [v1.4.0](#v140)
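Review bot: the anchor renumbering (`#container-generator-1` back to `#container-generator`, `-2` back to `-1`) follows from removing the Unreleased heading above and looks complete for the entries shown; the `#new-features-N` anchors are untouched, which is correct since no `New Features` heading is removed.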
Expand Down Expand Up @@ -95,15 +92,6 @@ Information on the next release will be added here.
Use the format "X.Y.Z: Go builder" etc. for format headers to avoid header name
duplication."
-->
## Unreleased

This section includes upcoming changes which are not included in the latest release.

### Changes

#### Container generator

- **Added**: Passing an image name to the `generator_container_salsa3.yml` containing secret values. (See [#2917](https://github.com/slsa-framework/slsa-github-generator/issues/2917))

## v1.9.0
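Review bot: the removed entry spells the workflow as `generator_container_salsa3.yml` while the file in this commit is `generator_container_slsa3.yml`, so the revert incidentally drops a typo. If the secret-image feature was ever published, the changelog should record its removal under a fresh Unreleased entry rather than leave no trace; as written, the section disappears entirely.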

8 changes: 4 additions & 4 deletions internal/builders/container/README.md
Expand Up @@ -205,8 +205,8 @@ The [container workflow](https://github.com/slsa-framework/slsa-github-generator
Inputs:

| Name | Description |
|----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `image` | The OCI image name. This must not include a tag or digest. Either `image` input or `image` secret is **required**. Secret `image` value takes precedence on `image` input value. |
| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `image` | **(Required)** The OCI image name. This must not include a tag or digest. |
| `digest` | **(Required)** The OCI image digest. The image digest of the form '<algorithm>:<digest>' (e.g. 'sha256:abcdef...') |
| `registry-username` | Username to log in the container registry. Either `registry-username` input or `registry-username` secret is required. |
| `compile-generator` | Whether to build the generator from source. This increases build time by ~2m.<br>Default: `false`. |
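Review bot: the `image` row is back to **(Required)** and agrees with `required: true` in the workflow hunk. The separator row is also re-spaced, which is formatting churn bundled into a revert; acceptable here because the intent is to restore the previous file exactly, but it will show up as noise in blame.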
Expand All @@ -232,15 +232,15 @@ Secrets:
The [container workflow](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_container_slsa3.yml) accepts the following outputs:

| Name | Description |
|-----------|-------------------------------------------------------------------------------------------------|
| --------- | ----------------------------------------------------------------------------------------------- |
| `outcome` | If `continue-on-error` is `true`, will contain the outcome of the run (`success` or `failure`). |

### Provenance Format

The project generates SLSA provenance with the following values.

| Name | Value | Description |
|------------------------------|--------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ---------------------------- | ------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `buildType` | `"https://github.com/slsa-framework/slsa-github-generator/container@v1"` | Identifies a the GitHub Actions build. |
| `metadata.buildInvocationID` | `"[run_id]-[run_attempt]"` | The GitHub Actions [`run_id`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context) does not update when a workflow is re-run. Run attempt is added to make the build invocation ID unique. |
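Review bot: pre-existing typo in the `buildType` row, "Identifies a the GitHub Actions build." should read "Identifies the GitHub Actions build."; it is not part of this revert, so a follow-up fix rather than a change here.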
