feat: Make possible to provide image as a secret

.github/workflows/generator_container_slsa3.yml

@@ -32,10 +32,11 @@ on:
         description: "Username to log into the container registry."
       registry-password:
         description: "Password to log in the container registry."
+      image:
+        description: "The OCI image name. This must not include a tag or digest."
     inputs:
       image:
         description: "The OCI image name. This must not include a tag or digest."
-        required: true
         type: string
       digest:
         description: "The OCI image digest. The image digest of the form '<algorithm>:<digest>' (e.g. 'sha256:abcdef...')"
@@ -157,6 +158,7 @@ jobs:
         continue-on-error: true
         env:
           UNTRUSTED_IMAGE: "${{ inputs.image }}"
+          UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
           UNTRUSTED_INPUT_USERNAME: "${{ inputs.registry-username }}"
           UNTRUSTED_SECRET_USERNAME: "${{ secrets.registry-username }}"
           UNTRUSTED_PASSWORD: "${{ secrets.registry-password }}"
@@ -170,7 +172,7 @@ jobs:
           # See: https://stackoverflow.com/questions/37861791/how-are-docker-image-names-parsed#37867949
           untrusted_registry="docker.io"
           # NOTE: Do not fail the script if grep does not match.
-          maybe_domain=$(echo "${UNTRUSTED_IMAGE}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
+          maybe_domain=$(echo "${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
           if [ "${maybe_domain}" != "" ]; then
             untrusted_registry="${maybe_domain}"
           fi
@@ -199,6 +201,7 @@ jobs:
         continue-on-error: true
         env:
           UNTRUSTED_IMAGE: "${{ inputs.image }}"
+          UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
           UNTRUSTED_DIGEST: "${{ inputs.digest }}"
           GITHUB_CONTEXT: "${{ toJSON(github) }}"
         run: |
@@ -211,7 +214,7 @@ jobs:
           COSIGN_EXPERIMENTAL=1 cosign attest --predicate="$predicate_name" \
             --type slsaprovenance \
             --yes \
-            "${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"
+            "${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}@${UNTRUSTED_DIGEST}"
 
       - name: Final outcome
         id: final

CHANGELOG.md

@@ -9,6 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- toc -->
 
+- [Unreleased](#unreleased)
+  - [Changes](#changes)
+    - [Container generator](#container-generator)
 - [v1.9.0](#v190)
   - [v1.9.0: BYOB framework (beta)](#v190-byob-framework-beta)
   - [v1.9.0: Maven builder (beta)](#v190-maven-builder-beta)
@@ -25,15 +28,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
       - [New Features](#new-features)
     - [Generic generator](#generic-generator)
       - [New Features](#new-features-1)
-    - [Container generator](#container-generator)
+    - [Container generator](#container-generator-1)
   - [Changelog since v1.5.0](#changelog-since-v150)
 - [v1.5.0](#v150)
   - [Summary of changes](#summary-of-changes-1)
     - [Go builder](#go-builder-1)
       - [New Features](#new-features-2)
     - [Generic generator](#generic-generator-1)
       - [New Features](#new-features-3)
-    - [Container generator](#container-generator-1)
+    - [Container generator](#container-generator-2)
       - [New Features](#new-features-4)
   - [Changelog since v1.4.0](#changelog-since-v140)
 - [v1.4.0](#v140)
@@ -92,6 +95,15 @@ Information on the next release will be added here.
 Use the format "X.Y.Z: Go builder" etc. for format headers to avoid header name
 duplication."
 -->
+## Unreleased
+
+This section includes upcoming changes which are not included in the latest release.
+
+### Changes
+
+#### Container generator
+
+- **Added**: Passing an image name to the `generator_container_salsa3.yml` containing secret values. (See [#2917](https://github.com/slsa-framework/slsa-github-generator/issues/2917))
 
 ## v1.9.0
 

internal/builders/container/README.md

@@ -204,8 +204,8 @@ The [container workflow](https://github.com/slsa-framework/slsa-github-generator
 Inputs:
 
 | Name                             | Description                                                                                                                                                                                                                                                                             |
-| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `image`                          | **(Required)** The OCI image name. This must not include a tag or digest.                                                                                                                                                                                                               |
+|----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `image`                          | The OCI image name. This must not include a tag or digest. Either `image` input or `image` secret is **required**. Secret `image` value takes precedence on `image` input value.                                                                                                        |
 | `digest`                         | **(Required)** The OCI image digest. The image digest of the form '<algorithm>:<digest>' (e.g. 'sha256:abcdef...')                                                                                                                                                                      |
 | `registry-username`              | Username to log in the container registry. Either `registry-username` input or `registry-username` secret is required.                                                                                                                                                                  |
 | `compile-generator`              | Whether to build the generator from source. This increases build time by ~2m.<br>Default: `false`.                                                                                                                                                                                      |
@@ -217,7 +217,8 @@ Inputs:
 Secrets:
 
 | Name                | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `image`             | The OCI image name. This must not include a tag or digest. Either `image` input or `image` secret is **required**. Secret `image` value takes precedence on `image` input value. Should be used in scenarios when the image name contains secret values, and therefore can't be provided directly. Use case - an undisclosed private registry use.                                                                                                                                             |
 | `registry-username` | Username to log in the container registry. Either `registry-username` input or `registry-username` secret is required. This should only be used for high entropy values such as AWS Access Key as described [here](https://github.com/docker/login-action#aws-elastic-container-registry-ecr). Normal username values could match other input values and cause them to be ignored by GitHub Actions and causing your build to fail. In those cases, use the `registry-username` input instead. |
 | `registry-password` | **(Required)** Password to log in the container registry.                                                                                                                                                                                                                                                                                                                                                                                                                                      |
 
@@ -226,15 +227,15 @@ Secrets:
 The [container workflow](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_container_slsa3.yml) accepts the following outputs:
 
 | Name      | Description                                                                                     |
-| --------- | ----------------------------------------------------------------------------------------------- |
+|-----------|-------------------------------------------------------------------------------------------------|
 | `outcome` | If `continue-on-error` is `true`, will contain the outcome of the run (`success` or `failure`). |
 
 ### Provenance Format
 
 The project generates SLSA provenance with the following values.
 
 | Name                         | Value                                                                    | Description                                                                                                                                                                                                            |
-| ---------------------------- | ------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+|------------------------------|--------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `buildType`                  | `"https://github.com/slsa-framework/slsa-github-generator/container@v1"` | Identifies a the GitHub Actions build.                                                                                                                                                                                 |
 | `metadata.buildInvocationID` | `"[run_id]-[run_attempt]"`                                               | The GitHub Actions [`run_id`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context) does not update when a workflow is re-run. Run attempt is added to make the build invocation ID unique. |