From 56c554a2ebf989d8a6b5c321f47bccbfe8ed7deb Mon Sep 17 00:00:00 2001
From: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Date: Tue, 16 Jan 2024 13:20:33 -0800
Subject: [PATCH] revert: "feat: Make possible to provide image as a secret" (#2954)
Reverts slsa-framework/slsa-github-generator#2918
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
---
 .github/workflows/generator_container_slsa3.yml | 7 +++----
 CHANGELOG.md | 16 ++--------------
 internal/builders/container/README.md | 8 ++++----
 3 files changed, 9 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index e6548f3091..fc6641b14e 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -45,6 +45,7 @@ on:
 inputs:
 image:
 description: "The OCI image name. This must not include a tag or digest."
+ required: true
 type: string
 digest:
 description: "The OCI image digest. The image digest of the form ':' (e.g. 'sha256:abcdef...')"
@@ -176,7 +177,6 @@ jobs:
 continue-on-error: true
 env:
 UNTRUSTED_IMAGE: "${{ inputs.image }}"
- UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
 UNTRUSTED_INPUT_USERNAME: "${{ inputs.registry-username }}"
 UNTRUSTED_SECRET_USERNAME: "${{ secrets.registry-username }}"
 UNTRUSTED_PASSWORD: "${{ secrets.registry-password }}"
@@ -190,7 +190,7 @@ jobs:
 # See: https://stackoverflow.com/questions/37861791/how-are-docker-image-names-parsed#37867949
 untrusted_registry="docker.io"
 # NOTE: Do not fail the script if grep does not match.
- maybe_domain=$(echo "${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
+ maybe_domain=$(echo "${UNTRUSTED_IMAGE}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
 if [ "${maybe_domain}" != "" ]; then
 untrusted_registry="${maybe_domain}"
 fi
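Review bot: In the `@@ -190,7 +190,7 @@` hunk the registry parse feeds an untrusted value through `echo`: a bash builtin `echo` consumes a leading `-n`, `-e` or `-E` as an option, so an `inputs.image` value of that shape is silently altered before `cut`/`grep` see it, and the domain detection then runs on the wrong string. `printf '%s\n' "${UNTRUSTED_IMAGE}"` emits the value verbatim regardless of its first characters, i.e. `maybe_domain=$(printf '%s\n' "${UNTRUSTED_IMAGE}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })`. The `run` step containing this script starts and ends outside the hunk, so any earlier validation of the image string is not visible here.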
@@ -264,7 +264,6 @@ jobs:
 continue-on-error: true
 env:
 UNTRUSTED_IMAGE: "${{ inputs.image }}"
- UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
 UNTRUSTED_DIGEST: "${{ inputs.digest }}"
 GITHUB_CONTEXT: "${{ toJSON(github) }}"
 UNTRUSTED_PROVENANCE_REGISTRY: "${{ inputs.provenance-registry }}"
@@ -283,7 +282,7 @@ jobs:
 cosign attest --predicate="$predicate_name" \
 --type slsaprovenance \
 --yes \
- "${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}@${UNTRUSTED_DIGEST}"
+ "${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"
 - name: Final outcome
 id: final
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2adb23321d..8fe9fe47fc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,9 +9,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
-- [Unreleased](#unreleased)
- - [Changes](#changes)
- - [Container generator](#container-generator)
 - [v1.9.0](#v190)
 - [v1.9.0: BYOB framework (beta)](#v190-byob-framework-beta)
 - [v1.9.0: Maven builder (beta)](#v190-maven-builder-beta)
@@ -28,7 +25,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [New Features](#new-features)
 - [Generic generator](#generic-generator)
 - [New Features](#new-features-1)
- - [Container generator](#container-generator-1)
+ - [Container generator](#container-generator)
 - [Changelog since v1.5.0](#changelog-since-v150)
 - [v1.5.0](#v150)
 - [Summary of changes](#summary-of-changes-1)
@@ -36,7 +33,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [New Features](#new-features-2)
 - [Generic generator](#generic-generator-1)
 - [New Features](#new-features-3)
- - [Container generator](#container-generator-2)
+ - [Container generator](#container-generator-1)
 - [New Features](#new-features-4)
 - [Changelog since v1.4.0](#changelog-since-v140)
 - [v1.4.0](#v140)
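Review bot: In the `@@ -283,7 +282,7 @@` hunk the image reference handed to `cosign attest` is built from two values the step itself labels untrusted, `UNTRUSTED_IMAGE` and `UNTRUSTED_DIGEST`, and nothing in this hunk constrains their shape. Unless a step outside the hunk already checks them, a guard placed before the call, `[[ "${UNTRUSTED_DIGEST}" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "invalid digest"; exit 1; }`, makes a malformed or unexpected digest fail fast with a clear error instead of surfacing as a cosign failure after the attestation predicate has been written. The `run` script containing this call starts outside the hunk, so I cannot see whether such a check exists.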
@@ -95,15 +92,6 @@ Information on the next release will be added here.
 Use the format "X.Y.Z: Go builder" etc. for format headers to avoid header name duplication." -->
-## Unreleased
-
-This section includes upcoming changes which are not included in the latest release.
-
-### Changes
-
-#### Container generator
-
-- **Added**: Passing an image name to the `generator_container_salsa3.yml` containing secret values. (See [#2917](https://github.com/slsa-framework/slsa-github-generator/issues/2917))
 ## v1.9.0
diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index 61d47b4801..be173bc3ba 100644
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -205,8 +205,8 @@ The [container workflow](https://github.com/slsa-framework/slsa-github-generator
 Inputs:
 | Name | Description |
-|----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `image` | The OCI image name. This must not include a tag or digest. Either `image` input or `image` secret is **required**. Secret `image` value takes precedence on `image` input value. |
+| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `image` | **(Required)** The OCI image name. This must not include a tag or digest. |
 | `digest` | **(Required)** The OCI image digest. The image digest of the form ':' (e.g. 'sha256:abcdef...') |
 | `registry-username` | Username to log in the container registry. Either `registry-username` input or `registry-username` secret is required. |
 | `compile-generator` | Whether to build the generator from source. This increases build time by ~2m.
Default: `false`. |
@@ -232,7 +232,7 @@ Secrets:
 The [container workflow](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_container_slsa3.yml) accepts the following outputs:
 | Name | Description |
-|-----------|-------------------------------------------------------------------------------------------------|
+| --------- | ----------------------------------------------------------------------------------------------- |
 | `outcome` | If `continue-on-error` is `true`, will contain the outcome of the run (`success` or `failure`). |
 ### Provenance Format
@@ -240,7 +240,7 @@ The [container workflow](https://github.com/slsa-framework/slsa-github-generator
 The project generates SLSA provenance with the following values.
 | Name | Value | Description |
-|------------------------------|--------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| ---------------------------- | ------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `buildType` | `"https://github.com/slsa-framework/slsa-github-generator/container@v1"` | Identifies a the GitHub Actions build. |
 | `metadata.buildInvocationID` | `"[run_id]-[run_attempt]"` | The GitHub Actions [`run_id`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context) does not update when a workflow is re-run. Run attempt is added to make the build invocation ID unique. |