feat: Make possible to provide image as a secret (#2918)
Add option to provide image as a secret for private registries.

Fixes #2917

---------

Signed-off-by: Danil Grigorev <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Co-authored-by: Ian Lewis <[email protected]>
Danil-Grigorev and Ian Lewis authored Oct 27, 2023
1 parent 10ddc67 commit f5b488d
Showing 3 changed files with 26 additions and 10 deletions.
9 changes: 6 additions & 3 deletions .github/workflows/generator_container_slsa3.yml
Expand Up @@ -32,10 +32,11 @@ on:
description: "Username to log into the container registry."
registry-password:
description: "Password to log in the container registry."
image:
description: "The OCI image name. This must not include a tag or digest."
inputs:
image:
description: "The OCI image name. This must not include a tag or digest."
required: true
type: string
digest:
description: "The OCI image digest. The image digest of the form '<algorithm>:<digest>' (e.g. 'sha256:abcdef...')"
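Review bot: Neither the new `image` secret under `secrets:` nor the `image` input is individually mandatory after this change (the README now documents "Either `image` input or `image` secret is required"), and no step visible in this diff rejects the case where both are empty. Add an early step that fails with a clear message when both `inputs.image` and `secrets.image` are empty, so a caller mistake does not surface later as a registry or cosign error. The secret's description should also state that it takes precedence over the input.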
Expand Down Expand Up @@ -157,6 +158,7 @@ jobs:
continue-on-error: true
env:
UNTRUSTED_IMAGE: "${{ inputs.image }}"
UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
UNTRUSTED_INPUT_USERNAME: "${{ inputs.registry-username }}"
UNTRUSTED_SECRET_USERNAME: "${{ secrets.registry-username }}"
UNTRUSTED_PASSWORD: "${{ secrets.registry-password }}"
Expand All @@ -170,7 +172,7 @@ jobs:
# See: https://stackoverflow.com/questions/37861791/how-are-docker-image-names-parsed#37867949
untrusted_registry="docker.io"
# NOTE: Do not fail the script if grep does not match.
maybe_domain=$(echo "${UNTRUSTED_IMAGE}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
maybe_domain=$(echo "${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
if [ "${maybe_domain}" != "" ]; then
untrusted_registry="${maybe_domain}"
fi
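Review bot: On the changed `maybe_domain=` line the registry host is cut out of the secret image name, and GitHub masks the registered secret value, not substrings derived from it. If `untrusted_registry` is later echoed or written to a step output, the host of an undisclosed registry would appear in clear text; register it with `echo "::add-mask::${untrusted_registry}"` as soon as it is computed. Using `printf '%s\n'` instead of `echo` for the untrusted value would also avoid `echo` treating a leading option-like string as a flag.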
Expand Down Expand Up @@ -199,6 +201,7 @@ jobs:
continue-on-error: true
env:
UNTRUSTED_IMAGE: "${{ inputs.image }}"
UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
UNTRUSTED_DIGEST: "${{ inputs.digest }}"
GITHUB_CONTEXT: "${{ toJSON(github) }}"
run: |
Expand All @@ -211,7 +214,7 @@ jobs:
COSIGN_EXPERIMENTAL=1 cosign attest --predicate="$predicate_name" \
--type slsaprovenance \
--yes \
"${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"
"${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}@${UNTRUSTED_DIGEST}"
- name: Final outcome
id: final
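Review bot: The `cosign attest` argument changed here can now carry a name the caller considers secret, and the command runs with `COSIGN_EXPERIMENTAL=1` and `--yes`. Please confirm whether the image repository ends up in the attestation subject or in a public transparency log entry; if it does, the README should state that the `image` secret only keeps the name out of the workflow definition and logs. The `${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}` expression is also repeated from the login step, so resolving it once into a single variable would keep the precedence rule in one place.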
16 changes: 14 additions & 2 deletions CHANGELOG.md
Expand Up @@ -9,6 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

<!-- toc -->

- [Unreleased](#unreleased)
- [Changes](#changes)
- [Container generator](#container-generator)
- [v1.9.0](#v190)
- [v1.9.0: BYOB framework (beta)](#v190-byob-framework-beta)
- [v1.9.0: Maven builder (beta)](#v190-maven-builder-beta)
Expand All @@ -25,15 +28,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- [New Features](#new-features)
- [Generic generator](#generic-generator)
- [New Features](#new-features-1)
- [Container generator](#container-generator)
- [Container generator](#container-generator-1)
- [Changelog since v1.5.0](#changelog-since-v150)
- [v1.5.0](#v150)
- [Summary of changes](#summary-of-changes-1)
- [Go builder](#go-builder-1)
- [New Features](#new-features-2)
- [Generic generator](#generic-generator-1)
- [New Features](#new-features-3)
- [Container generator](#container-generator-1)
- [Container generator](#container-generator-2)
- [New Features](#new-features-4)
- [Changelog since v1.4.0](#changelog-since-v140)
- [v1.4.0](#v140)
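Review bot: The existing TOC links for the older "Container generator" sections are renumbered to `#container-generator-1` and `#container-generator-2` here because the new Unreleased subsection takes the bare `#container-generator` anchor, so any existing deep link to that anchor now lands on Unreleased. Giving the new heading a prefixed name, as the comment in this file asks (Use the format "X.Y.Z: Go builder" etc.), avoids the renumbering.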
Expand Down Expand Up @@ -92,6 +95,15 @@ Information on the next release will be added here.
Use the format "X.Y.Z: Go builder" etc. for format headers to avoid header name
duplication."
-->
## Unreleased

This section includes upcoming changes which are not included in the latest release.

### Changes

#### Container generator

- **Added**: Passing an image name to the `generator_container_salsa3.yml` containing secret values. (See [#2917](https://github.com/slsa-framework/slsa-github-generator/issues/2917))

## v1.9.0
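Review bot: The new changelog entry names the workflow `generator_container_salsa3.yml`, but the file changed in this commit is `generator_container_slsa3.yml`. The sentence is also hard to parse as written; something like "Support passing the image name to `generator_container_slsa3.yml` as a secret" says what was added.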

11 changes: 6 additions & 5 deletions internal/builders/container/README.md
Expand Up @@ -204,8 +204,8 @@ The [container workflow](https://github.com/slsa-framework/slsa-github-generator
Inputs:

| Name | Description |
| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `image` | **(Required)** The OCI image name. This must not include a tag or digest. |
|----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `image` | The OCI image name. This must not include a tag or digest. Either `image` input or `image` secret is **required**. Secret `image` value takes precedence on `image` input value. |
| `digest` | **(Required)** The OCI image digest. The image digest of the form '<algorithm>:<digest>' (e.g. 'sha256:abcdef...') |
| `registry-username` | Username to log in the container registry. Either `registry-username` input or `registry-username` secret is required. |
| `compile-generator` | Whether to build the generator from source. This increases build time by ~2m.<br>Default: `false`. |
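
Review bot: In the new `image` input row, "takes precedence on" should be "takes precedence over". The row also repeats the opening text of the `image` secret row word for word; here it is enough to say the input may be omitted when the `image` secret is set and to point to the Secrets table.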
Expand All @@ -217,7 +217,8 @@ Inputs:
Secrets:

| Name | Description |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `image` | The OCI image name. This must not include a tag or digest. Either `image` input or `image` secret is **required**. Secret `image` value takes precedence on `image` input value. Should be used in scenarios when the image name contains secret values, and therefore can't be provided directly. Use case - an undisclosed private registry use. |
| `registry-username` | Username to log in the container registry. Either `registry-username` input or `registry-username` secret is required. This should only be used for high entropy values such as AWS Access Key as described [here](https://github.com/docker/login-action#aws-elastic-container-registry-ecr). Normal username values could match other input values and cause them to be ignored by GitHub Actions and causing your build to fail. In those cases, use the `registry-username` input instead. |
| `registry-password` | **(Required)** Password to log in the container registry. |
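
Review bot: The new `image` secret row lacks the caveat that the `registry-username` row below it gives: a secret whose value matches other input values can cause them to be ignored by GitHub Actions and fail the build. An image name is usually not a high entropy value, so repeat that warning in this row. "Use case - an undisclosed private registry use" should read "Use case: an undisclosed private registry".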

Expand All @@ -226,15 +227,15 @@ Secrets:
The [container workflow](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_container_slsa3.yml) accepts the following outputs:

| Name | Description |
| --------- | ----------------------------------------------------------------------------------------------- |
|-----------|-------------------------------------------------------------------------------------------------|
| `outcome` | If `continue-on-error` is `true`, will contain the outcome of the run (`success` or `failure`). |

### Provenance Format

The project generates SLSA provenance with the following values.

| Name | Value | Description |
| ---------------------------- | ------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|------------------------------|--------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `buildType` | `"https://github.com/slsa-framework/slsa-github-generator/container@v1"` | Identifies a the GitHub Actions build. |
| `metadata.buildInvocationID` | `"[run_id]-[run_attempt]"` | The GitHub Actions [`run_id`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context) does not update when a workflow is re-run. Run attempt is added to make the build invocation ID unique. |
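
Review bot: The only changes in this hunk are the table separator rows of the Outputs and Provenance Format tables, which is formatting unrelated to the feature. Either drop them from this commit or apply the formatter in a separate change so the diff stays limited to the `image` secret.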

