├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md ├── actions │ ├── README.md │ ├── compute-sha256 │ │ ├── .eslintignore │ │ ├── .eslintrc.json │ │ ├── .gitignore │ │ ├── .prettierignore │ │ ├── Makefile │ │ ├── README.md │ │ ├── action.yml │ │ ├── dist │ │ │ ├── index.js │ │ │ ├── index.js.map │ │ │ └── sourcemap-register.js │ │ ├── package-lock.json │ │ ├── package.json │ │ ├── src │ │ │ └── main.ts │ │ └── tsconfig.json │ ├── create-container_based-predicate │ │ ├── .eslintignore │ │ ├── .eslintrc.json │ │ ├── .gitignore │ │ ├── .prettierignore │ │ ├── Makefile │ │ ├── README.md │ │ ├── __tests__ │ │ │ └── predicate.test.ts │ │ ├── action.yml │ │ ├── dist │ │ │ ├── index.js │ │ │ ├── index.js.map │ │ │ └── sourcemap-register.js │ │ ├── jest.config.js │ │ ├── jest.setup.js │ │ ├── package-lock.json │ │ ├── package.json │ │ ├── src │ │ │ ├── github.ts │ │ │ ├── main.ts │ │ │ ├── predicate.ts │ │ │ └── utils.ts │ │ ├── testdata │ │ │ └── build_definition.json │ │ └── tsconfig.json │ ├── detect-workflow-js │ │ ├── .eslintignore │ │ ├── .eslintrc.json │ │ ├── .gitignore │ │ ├── .prettierignore │ │ ├── Makefile │ │ ├── README.md │ │ ├── __tests__ │ │ │ └── main.test.ts │ │ ├── action.yml │ │ ├── dist │ │ │ ├── index.js │ │ │ ├── index.js.map │ │ │ └── sourcemap-register.js │ │ ├── jest.config.js │ │ ├── jest.setup.js │ │ ├── package-lock.json │ │ ├── package.json │ │ ├── src │ │ │ ├── detect.ts │ │ │ └── main.ts │ │ └── tsconfig.json │ ├── generate-attestations │ │ ├── .eslintignore │ │ ├── .eslintrc.json │ │ ├── .gitignore │ │ ├── .prettierignore │ │ ├── Makefile │ │ ├── __tests__ │ │ │ └── attestation.test.ts │ │ ├── action.yml │ │ ├── dist │ │ │ ├── index.js │ │ │ ├── index.js.map │ │ │ └── sourcemap-register.js │ │ ├── jest.config.js │ │ ├── jest.setup.js │ │ ├── package-lock.json │ │ ├── package.json │ │ ├── src │ │ │ ├── attestation.ts │ │ │ ├── intoto.ts │ │ │ └── main.ts │ │ ├── testdata │ │ │ ├── layouts │ │ │ │ └── valid-layout.json 
│ │ │ └── predicates │ │ │ │ └── valid-slsa-v02.json │ │ └── tsconfig.json │ ├── generate-builder │ │ ├── action.yml │ │ ├── builder-fetch.sh │ │ └── generate-builder.sh │ ├── privacy-check │ │ ├── .eslintignore │ │ ├── .eslintrc.json │ │ ├── .gitignore │ │ ├── .prettierignore │ │ ├── Makefile │ │ ├── README.md │ │ ├── action.yml │ │ ├── dist │ │ │ ├── index.js │ │ │ ├── index.js.map │ │ │ └── sourcemap-register.js │ │ ├── package-lock.json │ │ ├── package.json │ │ ├── src │ │ │ └── main.ts │ │ └── tsconfig.json │ ├── rng │ │ └── action.yml │ ├── secure-builder-checkout │ │ └── action.yaml │ ├── secure-download-artifact │ │ └── action.yml │ ├── secure-download-folder │ │ └── action.yml │ ├── secure-project-checkout-go │ │ └── action.yml │ ├── secure-project-checkout-node │ │ └── action.yml │ ├── secure-project-checkout │ │ └── action.yaml │ ├── secure-upload-artifact │ │ └── action.yml │ ├── secure-upload-folder │ │ └── action.yml │ ├── sign-attestations │ │ ├── .eslintignore │ │ ├── .eslintrc.json │ │ ├── .gitignore │ │ ├── .prettierignore │ │ ├── Makefile │ │ ├── action.yml │ │ ├── dist │ │ │ ├── index.js │ │ │ ├── index.js.map │ │ │ └── sourcemap-register.js │ │ ├── jest.config.js │ │ ├── jest.setup.js │ │ ├── package-lock.json │ │ ├── package.json │ │ ├── src │ │ │ └── main.ts │ │ ├── testdata │ │ │ └── attestations │ │ │ │ ├── attestation1.intoto │ │ │ │ └── attestation2.intoto │ │ └── tsconfig.json │ ├── tscommon │ │ ├── .eslintignore │ │ ├── .eslintrc.json │ │ ├── .gitignore │ │ ├── .prettierignore │ │ ├── Makefile │ │ ├── README.md │ │ ├── __tests__ │ │ │ └── file.test.ts │ │ ├── jest.config.js │ │ ├── jest.setup.js │ │ ├── package-lock.json │ │ ├── package.json │ │ ├── src │ │ │ ├── file.ts │ │ │ └── index.ts │ │ ├── tscommon-0.0.0.tgz │ │ └── tsconfig.json │ └── verify-token │ │ ├── .eslintignore │ │ ├── .eslintrc.json │ │ ├── .gitignore │ │ ├── .prettierignore │ │ ├── Makefile │ │ ├── __tests__ │ │ ├── inputs.test.ts │ │ ├── utils.test.ts │ │ └── 
validate.test.ts │ │ ├── action.yml │ │ ├── dist │ │ ├── index.js │ │ ├── index.js.map │ │ └── sourcemap-register.js │ │ ├── jest.config.js │ │ ├── jest.setup.js │ │ ├── package-lock.json │ │ ├── package.json │ │ ├── src │ │ ├── index.ts │ │ ├── inputs.ts │ │ ├── predicate02.ts │ │ ├── predicate1.ts │ │ ├── slsatypes02.ts │ │ ├── slsatypes1.ts │ │ ├── types.ts │ │ ├── utils.ts │ │ └── validate.ts │ │ ├── testdata │ │ └── slsa-token │ │ └── tsconfig.json ├── pr-title-checker-config.json ├── pull_request_template.md └── workflows │ ├── builder_bazel_slsa3.yml │ ├── builder_container-based_slsa3.yml │ ├── builder_go_slsa3.yml │ ├── builder_gradle_slsa3.yml │ ├── builder_maven_slsa3.yml │ ├── builder_nodejs_slsa3.yml │ ├── codeql-analysis.yml │ ├── configs-container │ └── config-release.yml │ ├── configs-docker │ └── config-release.yml │ ├── configs-generic │ └── config-release.yml │ ├── configs-go │ ├── config-ldflags-main-dir.yml │ └── config-release.yml │ ├── delegator_generic_slsa3.yml │ ├── delegator_lowperms-generic_slsa3.yml │ ├── e2e.create-container_based-predicate.schedule.yml │ ├── e2e.detect-workflow-js.schedule.yml │ ├── e2e.sign-attestations.schedule.yml │ ├── e2e.upload-folder.schedule.yml │ ├── generator_container_slsa3.yml │ ├── generator_generic_slsa3.yml │ ├── pre-submit.actions.yml │ ├── pre-submit.apis.yml │ ├── pre-submit.delegators.yml │ ├── pre-submit.e2e.container-based.default.yml │ ├── pre-submit.e2e.generic.default.yml │ ├── pre-submit.e2e.go.config-ldflags-main-dir.yml │ ├── pre-submit.e2e.maven.yml │ ├── pre-submit.lint.yml │ ├── pre-submit.pr-title.yml │ ├── pre-submit.units.yml │ ├── release.yml │ ├── schedule.issue-reopener.yml │ ├── scorecards.yml │ ├── scripts │ ├── assert.sh │ ├── e2e-assert.sh │ ├── e2e-utils.sh │ ├── e2e-verify.common.sh │ ├── pre-release │ │ └── references.sh │ ├── pre-submit.actions │ │ ├── checkout.sh │ │ ├── references.sh │ │ └── secure-upload-folder.sh │ ├── pre-submit.apis │ │ └── verify-safefs.sh │ ├── 
pre-submit.delegators │ │ ├── compare-diff.sh │ │ └── expected.diff │ ├── pre-submit.e2e.container-based.default.sh │ ├── pre-submit.e2e.generic.default.sh │ ├── pre-submit.e2e.go.default.sh │ ├── pre-submit.markdown │ │ └── markdown-toc.sh │ └── schedule.actions │ │ └── verify-container_based-predicate.sh │ └── update-actions-dist-post-commit.yml ├── .gitignore ├── .golangci.yml ├── .markdownlint.yaml ├── .markdownlintignore ├── .yamllint.yaml ├── BYOB.md ├── CHANGELOG.md ├── CODEOWNERS ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── Makefile ├── PROVENANCE_FORMAT.md ├── README.md ├── RELEASE.md ├── RENOVATE.md ├── SECURITY.md ├── SPECIFICATIONS.md ├── actions ├── delegator │ ├── random │ │ └── action.yml │ ├── secure-attestations-download │ │ └── action.yml │ ├── secure-download-folder │ │ └── action.yml │ ├── secure-upload-folder │ │ └── action.yml │ └── setup-generic │ │ ├── .eslintignore │ │ ├── .eslintrc.json │ │ ├── .gitignore │ │ ├── .prettierignore │ │ ├── Makefile │ │ ├── README.md │ │ ├── action.yml │ │ ├── dist │ │ ├── index.js │ │ ├── index.js.map │ │ └── sourcemap-register.js │ │ ├── package-lock.json │ │ ├── package.json │ │ ├── src │ │ └── main.ts │ │ └── tsconfig.json ├── generator │ └── generic │ │ └── create-base64-subjects-from-file │ │ └── action.yml ├── gradle │ ├── publish │ │ ├── README.md │ │ ├── action.yml │ │ └── images │ │ │ ├── gradle-publisher-release-closed-repository.png │ │ │ └── gradle-publisher-staging-repository.png │ ├── secure-download-attestations │ │ └── action.yml │ └── secure-download-target │ │ └── action.yml ├── maven │ ├── publish │ │ ├── README.md │ │ ├── action.yml │ │ └── slsa-hashing-plugin │ │ │ ├── pom.xml │ │ │ └── src │ │ │ └── main │ │ │ └── java │ │ │ └── io │ │ │ └── github │ │ │ └── slsa-framework │ │ │ └── JarfileHashMojo.java │ ├── secure-download-attestations │ │ └── action.yml │ └── secure-download-target │ │ └── action.yml └── nodejs │ ├── publish │ ├── README.md │ └── action.yml │ ├── 
secure-attestations-download │ ├── README.md │ └── action.yml │ └── secure-package-download │ ├── README.md │ └── action.yml ├── e2e ├── README.md └── maven │ └── workflow_dispatch │ ├── pom.xml │ └── src │ └── main │ └── java │ └── hello │ ├── Greeter.java │ └── HelloWorld.java ├── github ├── client.go ├── oidc.go ├── oidc_test.go ├── oidctest.go ├── set_output.go └── workflow.go ├── go.mod ├── go.sum ├── images ├── byob-design.png └── cert.svg ├── internal ├── builders │ ├── bazel │ │ ├── README.md │ │ ├── action.yml │ │ ├── build.sh │ │ └── generate-layout.sh │ ├── common │ │ └── buildtype.go │ ├── container │ │ ├── README.md │ │ ├── generate.go │ │ ├── generate_test.go │ │ ├── main.go │ │ └── version.go │ ├── docker │ │ ├── README.md │ │ ├── commands.go │ │ ├── main.go │ │ ├── pkg │ │ │ ├── builder.go │ │ │ ├── builder_test.go │ │ │ ├── common.go │ │ │ ├── common_test.go │ │ │ ├── config.go │ │ │ ├── config_test.go │ │ │ └── options.go │ │ └── testdata │ │ │ ├── build-definition.json │ │ │ ├── config.toml │ │ │ ├── slsa1-provenance.json │ │ │ └── wildcard-config.toml │ ├── generic │ │ ├── README.md │ │ ├── attest.go │ │ ├── attest_test.go │ │ ├── generic.go │ │ ├── main.go │ │ └── version.go │ ├── go │ │ ├── README.md │ │ ├── e2e-presubmits │ │ │ ├── go.mod │ │ │ ├── go.sum │ │ │ └── main.go │ │ ├── main.go │ │ ├── main_test.go │ │ ├── pkg │ │ │ ├── build.go │ │ │ ├── build_test.go │ │ │ ├── config.go │ │ │ ├── config_test.go │ │ │ ├── provenance.go │ │ │ ├── provenance_test.go │ │ │ └── testdata │ │ │ │ ├── go │ │ │ │ ├── go.mod │ │ │ │ └── main.go │ │ │ │ ├── push_payload_notag.json │ │ │ │ ├── push_payload_tag.json │ │ │ │ ├── release-invalid-dir.yml │ │ │ │ ├── releaser-invalid-envs.yml │ │ │ │ ├── releaser-invalid-main.yml │ │ │ │ ├── releaser-invalid-version.yml │ │ │ │ ├── releaser-noversion.yml │ │ │ │ ├── releaser-valid-dir.yml │ │ │ │ ├── releaser-valid-empty-main.yml │ │ │ │ ├── releaser-valid-envs-multiple-equal-signs.yml │ │ │ │ ├── 
releaser-valid-envs-no-value.yml │ │ │ │ ├── releaser-valid-main.yml │ │ │ │ ├── releaser-valid-no-main.yml │ │ │ │ └── workflow_dispatch_payload.json │ │ └── testdata │ │ │ ├── binary-linux-amd64 │ │ │ ├── binary-linux-amd64.intoto.jsonl │ │ │ ├── emptyldflags.yml │ │ │ ├── invalid-main.yml │ │ │ ├── one-ldflags.yml │ │ │ ├── two-ldflags-emptyenv.yml │ │ │ ├── two-ldflags-emptyflags.yml │ │ │ ├── two-ldflags-noenv.yml │ │ │ ├── two-ldflags-noflags.yml │ │ │ ├── two-ldflags-noldflags.yml │ │ │ ├── two-ldflags.yml │ │ │ ├── valid-main.yml │ │ │ └── valid-working-dir.yml │ ├── gradle │ │ ├── README.md │ │ ├── action.yml │ │ ├── collect_release_artifacts.sh │ │ └── create_attestation.sh │ ├── maven │ │ ├── README.md │ │ └── action.yml │ └── nodejs │ │ ├── README.md │ │ ├── action.yml │ │ ├── build.sh │ │ └── generate-layout.sh ├── runner │ ├── runner.go │ └── runner_test.go ├── testutil │ └── signing.go └── utils │ ├── marshal.go │ ├── marshal_test.go │ ├── path.go │ ├── path_test.go │ └── presubmits.go ├── package-lock.json ├── package.json ├── renovate.json ├── requirements.txt ├── signing ├── envelope │ ├── envelope.go │ └── envelope_test.go ├── signer.go └── sigstore │ ├── bundle.go │ ├── fulcio.go │ └── rekor.go ├── slsa ├── buildtype.go ├── clientprovider.go ├── provenance.go └── provenance_test.go ├── third_party └── autogen │ ├── LICENSE.txt │ ├── README.md │ ├── autogen.sh │ └── licenses │ ├── BUILD │ ├── apache-2.0.txt │ ├── bsd-2-clause.txt │ ├── bsd-3-clause.txt │ ├── bsd-4-clause.txt │ ├── gpl-2.txt │ ├── gpl-3.txt │ ├── lgpl-2.1.txt │ ├── mit.txt │ └── mpl-2.0.txt └── version └── version.go /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: "[bug]" 5 | labels: type:bug, status:triage 6 | assignees: "" 7 | --- 8 | 9 | **Describe the bug** 10 | A clear and concise description of what the bug is. 
11 | 12 | **To Reproduce** 13 | Steps to reproduce the behavior: 14 | 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Additional context** 27 | Add any other context about the problem here. 28 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea 4 | title: "[feature]" 5 | labels: type:feature, status:triage 6 | assignees: "" 7 | --- 8 | 9 | **Is your feature request related to a problem? Please describe.** 10 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 11 | 12 | **Describe the solution you'd like** 13 | A clear and concise description of what you want to happen. 14 | 15 | **Describe alternatives you've considered** 16 | A clear and concise description of any alternative solutions or features you've considered. 17 | 18 | **Additional context** 19 | Add any other context or screenshots about the feature request here. 
20 | -------------------------------------------------------------------------------- /.github/actions/README.md: -------------------------------------------------------------------------------- 1 | # Internal Action Development 2 | 3 | ## External Actions 4 | 5 | The following Actions: 6 | 7 | - detect-workflow 8 | - privacy-check 9 | - rng 10 | - secure-builder-checkout 11 | - generate-builder 12 | 13 | are considered "external" even though they are hosted on the same repository: they are not called via: 14 | 15 | `././github/actions/name` 16 | 17 | but instead via their "fully-qualified" name: 18 | 19 | `slsa-framework/slsa-github-generator/.github/actions/name@vX.Y.Z`. 20 | 21 | We do this because the Actions are part of the builder, whereas the workflow runs in the "context" of the calling repository. 22 | 23 | These Action _MUST_ be pinned with the release tag for consistency. 24 | 25 | ## Internal Actions 26 | 27 | Other Actions are called via: 28 | 29 | `././github/actions/name` 30 | 31 | and always require a checkout of the builder repository before being called. 32 | The `secure-builder-checkout` is always used to checkout the builder repository 33 | at `__BUILDER_CHECKOUT_DIR__` location. The `secure-project-checkout-*` checkout 34 | the project to build at the location `__PROJECT_CHECKOUT_DIR__`. 35 | 36 | These Actions are _composite actions_. They invoke scripts and also call other Actions. 37 | 38 | ## Development 39 | 40 | To create or update an internal Action, reference them at `@main`. For a release, reference them at the release tag. 41 | 42 | 1. Create / modify the Action under `./github/actions/` and get the changes merged. Let's call the resulting 43 | commit hash after merge `CH`. (Note: This won't affect any workflow's behavior since 44 | the existing code will still be calling the Action at an older commit hash). 45 | 46 | 2. 
Update the re-usable workflow / Actions to use them in a follow-up PR: 47 | 48 | ```yaml 49 | uses: slsa-framework/slsa-github-generator/.github/actions/@ 50 | ``` 51 | 52 | You can update using the following command: 53 | 54 | ```shell 55 | find .github/ -name '*.yaml' -o -name '*.yml' | xargs sed -i 's/uses: slsa-framework\/slsa-github-generator\/\.github\/actions\/\(.*\)@[a-f0-9]*/uses: slsa-framework\/slsa-github-generator\/.github\/actions\/\1@_YOUR_CH__/' 56 | ``` 57 | -------------------------------------------------------------------------------- /.github/actions/compute-sha256/.eslintignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /.github/actions/compute-sha256/.gitignore: -------------------------------------------------------------------------------- 1 | # Dependency directory 2 | node_modules 3 | 4 | # Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore 5 | # Logs 6 | logs 7 | *.log 8 | npm-debug.log* 9 | yarn-debug.log* 10 | yarn-error.log* 11 | lerna-debug.log* 12 | 13 | # Diagnostic reports (https://nodejs.org/api/report.html) 14 | report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json 15 | 16 | # Runtime data 17 | pids 18 | *.pid 19 | *.seed 20 | *.pid.lock 21 | 22 | # Directory for instrumented libs generated by jscoverage/JSCover 23 | lib-cov 24 | 25 | # Coverage directory used by tools like istanbul 26 | coverage 27 | *.lcov 28 | 29 | # nyc test coverage 30 | .nyc_output 31 | 32 | # Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) 33 | .grunt 34 | 35 | # Bower dependency directory (https://bower.io/) 36 | bower_components 37 | 38 | # node-waf configuration 39 | .lock-wscript 40 | 41 | # Compiled binary addons (https://nodejs.org/api/addons.html) 42 | build/Release 43 | 44 | # Dependency directories 45 | jspm_packages/ 46 | 47 | # 
TypeScript v1 declaration files 48 | typings/ 49 | 50 | # TypeScript cache 51 | *.tsbuildinfo 52 | 53 | # Optional npm cache directory 54 | .npm 55 | 56 | # Optional eslint cache 57 | .eslintcache 58 | 59 | # Optional REPL history 60 | .node_repl_history 61 | 62 | # Output of 'npm pack' 63 | *.tgz 64 | 65 | # Yarn Integrity file 66 | .yarn-integrity 67 | 68 | # dotenv environment variables file 69 | .env 70 | .env.test 71 | 72 | # parcel-bundler cache (https://parceljs.org/) 73 | .cache 74 | 75 | # next.js build output 76 | .next 77 | 78 | # nuxt.js build output 79 | .nuxt 80 | 81 | # vuepress build output 82 | .vuepress/dist 83 | 84 | # Serverless directories 85 | .serverless/ 86 | 87 | # FuseBox cache 88 | .fusebox/ 89 | 90 | # DynamoDB Local files 91 | .dynamodb/ 92 | 93 | # OS metadata 94 | .DS_Store 95 | Thumbs.db 96 | 97 | # Ignore built ts files 98 | __tests__/runner/* 99 | lib/**/* -------------------------------------------------------------------------------- /.github/actions/compute-sha256/.prettierignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /.github/actions/compute-sha256/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | SHELL := /bin/bash 16 | ACTION_NAME = $(shell basename "$$(pwd)") 17 | 18 | .PHONY: help 19 | help: ## Shows all targets and help from the Makefile (this message). 20 | @echo "$(ACTION_NAME) Makefile" 21 | @echo "Usage: make [COMMAND]" 22 | @echo "" 23 | @grep --no-filename -E '^([/a-z.A-Z0-9_%-]+:.*?|)##' $(MAKEFILE_LIST) | \ 24 | awk 'BEGIN {FS = "(:.*?|)## ?"}; { \ 25 | if (length($$1) > 0) { \ 26 | printf " \033[36m%-20s\033[0m %s\n", $$1, $$2; \ 27 | } else { \ 28 | if (length($$2) > 0) { \ 29 | printf "%s\n", $$2; \ 30 | } \ 31 | } \ 32 | }' 33 | 34 | node_modules/.installed: package.json package-lock.json 35 | npm ci 36 | touch node_modules/.installed 37 | 38 | .PHONY: action 39 | action: node_modules/.installed ## Builds the action. 40 | npm run build 41 | 42 | .PHONY: package 43 | package: action ## Builds the distribution package. 44 | npm run package 45 | 46 | .PHONY: clean 47 | clean: 48 | rm -rf dist lib node_modules 49 | 50 | ## Tools 51 | ##################################################################### 52 | 53 | .PHONY: format 54 | format: node_modules/.installed ## Formats code. 55 | npm run format 56 | 57 | ## Testing 58 | ##################################################################### 59 | 60 | .PHONY: lint 61 | lint: node_modules/.installed ## Runs eslint. 
62 | npm run lint 63 | -------------------------------------------------------------------------------- /.github/actions/compute-sha256/README.md: -------------------------------------------------------------------------------- 1 | # Compute SHA256 2 | 3 | ## How to build this action in development 4 | 5 | - Install node 6 | - Install typescript 7 | - `npm ci` 8 | - `npm run all` 9 | -------------------------------------------------------------------------------- /.github/actions/compute-sha256/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "SHA256 of a file" 16 | description: "Compute the SHA256 of a file" 17 | inputs: 18 | path: 19 | description: "Path to a file." 20 | required: true 21 | outputs: 22 | sha256: 23 | description: "The SHA256 of the file." 
24 | value: "${{ steps.compute.outputs.sha256 }}" 25 | 26 | runs: 27 | using: "node20" 28 | main: "dist/index.js" 29 | -------------------------------------------------------------------------------- /.github/actions/compute-sha256/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "compute-sha256", 3 | "version": "0.0.1", 4 | "private": true, 5 | "description": "Compute a sha256 of a file.", 6 | "main": "lib/main.js", 7 | "scripts": { 8 | "build": "tsc", 9 | "format": "prettier --write '**/*.ts'", 10 | "format-check": "prettier --check '**/*.ts'", 11 | "package": "ncc build --external encoding --source-map", 12 | "lint": "eslint --max-warnings 0 src/**/*.ts", 13 | "all": "npm run format && npm run lint && npm run build && npm run package" 14 | }, 15 | "keywords": [ 16 | "actions", 17 | "node", 18 | "setup" 19 | ], 20 | "dependencies": { 21 | "@actions/core": "1.11.1", 22 | "tscommon": "file:../tscommon/tscommon-0.0.0.tgz" 23 | }, 24 | "devDependencies": { 25 | "@types/node": "20.17.19", 26 | "@typescript-eslint/eslint-plugin": "6.21.0", 27 | "@typescript-eslint/parser": "6.21.0", 28 | "@vercel/ncc": "0.38.3", 29 | "eslint": "8.57.1", 30 | "eslint-plugin-github": "4.10.2", 31 | "eslint-plugin-prettier": "5.2.3", 32 | "prettier": "3.5.1", 33 | "typescript": "5.7.3" 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /.github/actions/compute-sha256/src/main.ts: -------------------------------------------------------------------------------- 1 | // Copyright 2023 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | import * as core from "@actions/core"; 16 | import * as tscommon from "tscommon"; 17 | 18 | function run(): void { 19 | // Get the path to the untrusted file from ENV variable 'UNTRUSTED_PATH' 20 | const untrustedPath = core.getInput("path"); 21 | core.info(`Computing sha256 of ${untrustedPath}`); 22 | const sha = tscommon.safeFileSha256(untrustedPath); 23 | core.info(`Computed sha256 of ${untrustedPath} as ${sha}`); 24 | core.setOutput("sha256", sha); 25 | } 26 | run(); 27 | -------------------------------------------------------------------------------- /.github/actions/compute-sha256/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target": "es6", /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */ 4 | "module": "commonjs", /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */ 5 | "outDir": "./lib", /* Redirect output structure to the directory. */ 6 | "rootDir": "./src", /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */ 7 | "strict": true, /* Enable all strict type-checking options. */ 8 | "noImplicitAny": true, /* Raise error on expressions and declarations with an implied 'any' type. */ 9 | "esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. 
Implies 'allowSyntheticDefaultImports'. */ 10 | }, 11 | "exclude": ["node_modules", "**/*.test.ts"] 12 | } 13 | -------------------------------------------------------------------------------- /.github/actions/create-container_based-predicate/.eslintignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /.github/actions/create-container_based-predicate/.gitignore: -------------------------------------------------------------------------------- 1 | # Dependency directory 2 | node_modules 3 | 4 | # Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore 5 | # Logs 6 | logs 7 | *.log 8 | npm-debug.log* 9 | yarn-debug.log* 10 | yarn-error.log* 11 | lerna-debug.log* 12 | 13 | # Diagnostic reports (https://nodejs.org/api/report.html) 14 | report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json 15 | 16 | # Runtime data 17 | pids 18 | *.pid 19 | *.seed 20 | *.pid.lock 21 | 22 | # Directory for instrumented libs generated by jscoverage/JSCover 23 | lib-cov 24 | 25 | # Coverage directory used by tools like istanbul 26 | coverage 27 | *.lcov 28 | 29 | # nyc test coverage 30 | .nyc_output 31 | 32 | # Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) 33 | .grunt 34 | 35 | # Bower dependency directory (https://bower.io/) 36 | bower_components 37 | 38 | # node-waf configuration 39 | .lock-wscript 40 | 41 | # Compiled binary addons (https://nodejs.org/api/addons.html) 42 | build/Release 43 | 44 | # Dependency directories 45 | jspm_packages/ 46 | 47 | # TypeScript v1 declaration files 48 | typings/ 49 | 50 | # TypeScript cache 51 | *.tsbuildinfo 52 | 53 | # Optional npm cache directory 54 | .npm 55 | 56 | # Optional eslint cache 57 | .eslintcache 58 | 59 | # Optional REPL history 60 | .node_repl_history 61 | 62 | # Output of 'npm pack' 63 | *.tgz 64 | 65 | # Yarn Integrity file 66 | 
.yarn-integrity 67 | 68 | # dotenv environment variables file 69 | .env 70 | .env.test 71 | 72 | # parcel-bundler cache (https://parceljs.org/) 73 | .cache 74 | 75 | # next.js build output 76 | .next 77 | 78 | # nuxt.js build output 79 | .nuxt 80 | 81 | # vuepress build output 82 | .vuepress/dist 83 | 84 | # Serverless directories 85 | .serverless/ 86 | 87 | # FuseBox cache 88 | .fusebox/ 89 | 90 | # DynamoDB Local files 91 | .dynamodb/ 92 | 93 | # OS metadata 94 | .DS_Store 95 | Thumbs.db 96 | 97 | # Ignore built ts files 98 | __tests__/runner/* 99 | lib/**/* -------------------------------------------------------------------------------- /.github/actions/create-container_based-predicate/.prettierignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /.github/actions/create-container_based-predicate/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | SHELL := /bin/bash 16 | ACTION_NAME = $(shell basename "$$(pwd)") 17 | 18 | .PHONY: help 19 | help: ## Shows all targets and help from the Makefile (this message). 
20 | @echo "$(ACTION_NAME) Makefile" 21 | @echo "Usage: make [COMMAND]" 22 | @echo "" 23 | @grep --no-filename -E '^([/a-z.A-Z0-9_%-]+:.*?|)##' $(MAKEFILE_LIST) | \ 24 | awk 'BEGIN {FS = "(:.*?|)## ?"}; { \ 25 | if (length($$1) > 0) { \ 26 | printf " \033[36m%-20s\033[0m %s\n", $$1, $$2; \ 27 | } else { \ 28 | if (length($$2) > 0) { \ 29 | printf "%s\n", $$2; \ 30 | } \ 31 | } \ 32 | }' 33 | 34 | node_modules/.installed: package.json package-lock.json 35 | npm ci 36 | touch node_modules/.installed 37 | 38 | .PHONY: action 39 | action: node_modules/.installed ## Builds the action. 40 | npm run build 41 | 42 | .PHONY: package 43 | package: action ## Builds the distribution package. 44 | npm run package 45 | 46 | .PHONY: clean 47 | clean: 48 | rm -rf dist lib node_modules 49 | 50 | ## Tools 51 | ##################################################################### 52 | 53 | .PHONY: format 54 | format: node_modules/.installed ## Formats code. 55 | npm run format 56 | 57 | ## Testing 58 | ##################################################################### 59 | 60 | .PHONY: unit-test 61 | unit-test: node_modules/.installed ## Runs all unit tests. 62 | # NOTE: Make sure the package builds. 63 | npm run build 64 | npm run test 65 | 66 | .PHONY: lint 67 | lint: node_modules/.installed ## Runs eslint. 68 | npm run lint 69 | -------------------------------------------------------------------------------- /.github/actions/create-container_based-predicate/README.md: -------------------------------------------------------------------------------- 1 | # Container-based predicate creation 2 | 3 | Creates a container-based SLSA predicate given a BuildDefinition. 
4 | 5 | ## How to build this action in development 6 | 7 | - Install node 8 | - Install typescript 9 | - `npm ci` 10 | - `npm run all` 11 | -------------------------------------------------------------------------------- /.github/actions/create-container_based-predicate/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "Create container-based SLSA predicate" 16 | description: "Creates a container-based SLSA predicate given a BuildDefinition." 17 | inputs: 18 | build-definition: 19 | description: "A JSON file describing the SLSA BuildDefinition" 20 | required: true 21 | output-file: 22 | description: "Output file to place predicate" 23 | required: true 24 | binary-sha256: 25 | description: "Builder binary digest to place in resolvedDependencies" 26 | required: true 27 | binary-uri: 28 | description: "Builder binary source location to place in resolvedDependencies" 29 | required: true 30 | builder-id: 31 | description: "Trusted builder identity" 32 | required: true 33 | token: 34 | description: "The GitHub Actions token." 
35 | required: false 36 | default: ${{ github.token }} 37 | 38 | runs: 39 | using: "node20" 40 | main: "dist/index.js" 41 | -------------------------------------------------------------------------------- /.github/actions/create-container_based-predicate/jest.config.js: -------------------------------------------------------------------------------- 1 | /** @type {import('ts-jest').JestConfigWithTsJest} */ 2 | module.exports = { 3 | preset: 'ts-jest', 4 | testEnvironment: 'node', 5 | }; -------------------------------------------------------------------------------- /.github/actions/create-container_based-predicate/jest.setup.js: -------------------------------------------------------------------------------- 1 | console.error = jest.fn(); 2 | -------------------------------------------------------------------------------- /.github/actions/create-container_based-predicate/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "create-docker_based-predicate", 3 | "version": "0.0.0", 4 | "private": true, 5 | "description": "GitHub action to create a SLSA predicate given a build definition.", 6 | "main": "lib/main.js", 7 | "scripts": { 8 | "build": "tsc", 9 | "format": "prettier --write '**/*.ts'", 10 | "format-check": "prettier --check '**/*.ts'", 11 | "package": "ncc build --external encoding --source-map", 12 | "lint": "eslint --max-warnings 0 src/**/*.ts", 13 | "test": "jest", 14 | "all": "npm run format && npm run lint && npm run build && npm run package" 15 | }, 16 | "keywords": [ 17 | "actions", 18 | "node", 19 | "setup" 20 | ], 21 | "devDependencies": { 22 | "@types/jest": "29.5.14", 23 | "@types/make-fetch-happen": "10.0.4", 24 | "@types/node": "20.17.19", 25 | "@typescript-eslint/eslint-plugin": "6.21.0", 26 | "@typescript-eslint/parser": "6.21.0", 27 | "@vercel/ncc": "0.38.3", 28 | "eslint": "8.57.1", 29 | "eslint-plugin-github": "4.10.2", 30 | "eslint-plugin-prettier": "5.2.3", 31 | "jest": 
"29.7.0", 32 | "prettier": "3.5.1", 33 | "ts-jest": "29.2.5", 34 | "typescript": "5.7.3" 35 | }, 36 | "dependencies": { 37 | "@actions/core": "1.11.1", 38 | "@actions/github": "6.0.0", 39 | "tscommon": "file:../tscommon/tscommon-0.0.0.tgz" 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /.github/actions/create-container_based-predicate/src/utils.ts: -------------------------------------------------------------------------------- 1 | // Copyright 2023 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | import * as process from "process"; 16 | 17 | /** Reads a required environment variable. @param name Name of the variable to look up in process.env. @returns The variable's value. @throws Error when the variable is unset or empty: the `!res` check rejects the empty string as well as undefined, so a blank value is treated as missing (the caller never receives an empty value). */ export function getEnv(name: string): string { 18 | const res = process.env[name]; 19 | if (!res) { 20 | throw new Error(`missing env: ${name}`); 21 | } 22 | return String(res); /* res is already narrowed to string here; String() is a no-op conversion. */ 23 | } 24 | -------------------------------------------------------------------------------- /.github/actions/create-container_based-predicate/testdata/build_definition.json: -------------------------------------------------------------------------------- 1 | { 2 | "buildType": "https://slsa.dev/container-based-build/v0.1?draft", 3 | "externalParamaters": { 4 | "source": { 5 | "uri": "git+https://github.com/asraa/slsa-github-generator", 6 | "digest": { 7 | "sha1": "97f1bfd54b02d1c7b632da907676a7d30d2efc02" 8 | } 9 | }, 10 | "builderImage": { 11 | "uri": "bash@sha256:9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9", 12 | "digest": { 13 | "sha256": "9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9" 14 | } 15 | }, 16 | "configPath": "internal/builders/docker/testdata/config.toml", 17 | "buildConfig": { 18 | "ArtifactPath": "config.toml", 19 | "Command": [ 20 | "cp", 21 | "internal/builders/docker/testdata/config.toml", 22 | "config.toml" 23 | ] 24 | } 25 | } 26 | } -------------------------------------------------------------------------------- /.github/actions/create-container_based-predicate/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target": "es6", /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */ 4 | "module": "commonjs", /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */ 5 | "outDir": "./lib", /* Redirect output structure to the directory. */ 6 | "rootDir": "./src", /* Specify the root directory of input files. Use to control the output directory structure with --outDir. 
*/ 7 | "strict": true, /* Enable all strict type-checking options. */ 8 | "noImplicitAny": true, /* Raise error on expressions and declarations with an implied 'any' type. */ 9 | "esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */ 10 | }, 11 | "exclude": ["node_modules", "**/*.test.ts"] 12 | } 13 | -------------------------------------------------------------------------------- /.github/actions/detect-workflow-js/.eslintignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /.github/actions/detect-workflow-js/.gitignore: -------------------------------------------------------------------------------- 1 | # Dependency directory 2 | node_modules 3 | 4 | # Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore 5 | # Logs 6 | logs 7 | *.log 8 | npm-debug.log* 9 | yarn-debug.log* 10 | yarn-error.log* 11 | lerna-debug.log* 12 | 13 | # Diagnostic reports (https://nodejs.org/api/report.html) 14 | report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json 15 | 16 | # Runtime data 17 | pids 18 | *.pid 19 | *.seed 20 | *.pid.lock 21 | 22 | # Directory for instrumented libs generated by jscoverage/JSCover 23 | lib-cov 24 | 25 | # Coverage directory used by tools like istanbul 26 | coverage 27 | *.lcov 28 | 29 | # nyc test coverage 30 | .nyc_output 31 | 32 | # Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) 33 | .grunt 34 | 35 | # Bower dependency directory (https://bower.io/) 36 | bower_components 37 | 38 | # node-waf configuration 39 | .lock-wscript 40 | 41 | # Compiled binary addons (https://nodejs.org/api/addons.html) 42 | build/Release 43 | 44 | # Dependency directories 45 | jspm_packages/ 46 | 47 | # TypeScript v1 declaration files 48 | typings/ 49 
| 50 | # TypeScript cache 51 | *.tsbuildinfo 52 | 53 | # Optional npm cache directory 54 | .npm 55 | 56 | # Optional eslint cache 57 | .eslintcache 58 | 59 | # Optional REPL history 60 | .node_repl_history 61 | 62 | # Output of 'npm pack' 63 | *.tgz 64 | 65 | # Yarn Integrity file 66 | .yarn-integrity 67 | 68 | # dotenv environment variables file 69 | .env 70 | .env.test 71 | 72 | # parcel-bundler cache (https://parceljs.org/) 73 | .cache 74 | 75 | # next.js build output 76 | .next 77 | 78 | # nuxt.js build output 79 | .nuxt 80 | 81 | # vuepress build output 82 | .vuepress/dist 83 | 84 | # Serverless directories 85 | .serverless/ 86 | 87 | # FuseBox cache 88 | .fusebox/ 89 | 90 | # DynamoDB Local files 91 | .dynamodb/ 92 | 93 | # OS metadata 94 | .DS_Store 95 | Thumbs.db 96 | 97 | # Ignore built ts files 98 | __tests__/runner/* 99 | lib/**/* -------------------------------------------------------------------------------- /.github/actions/detect-workflow-js/.prettierignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /.github/actions/detect-workflow-js/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | SHELL := /bin/bash 16 | ACTION_NAME = $(shell basename "$$(pwd)") 17 | 18 | .PHONY: help 19 | help: ## Shows all targets and help from the Makefile (this message). 20 | @echo "$(ACTION_NAME) Makefile" 21 | @echo "Usage: make [COMMAND]" 22 | @echo "" 23 | @grep --no-filename -E '^([/a-z.A-Z0-9_%-]+:.*?|)##' $(MAKEFILE_LIST) | \ 24 | awk 'BEGIN {FS = "(:.*?|)## ?"}; { \ 25 | if (length($$1) > 0) { \ 26 | printf " \033[36m%-20s\033[0m %s\n", $$1, $$2; \ 27 | } else { \ 28 | if (length($$2) > 0) { \ 29 | printf "%s\n", $$2; \ 30 | } \ 31 | } \ 32 | }' 33 | 34 | node_modules/.installed: package.json package-lock.json 35 | npm ci 36 | touch node_modules/.installed 37 | 38 | .PHONY: action 39 | action: node_modules/.installed ## Builds the action. 40 | npm run build 41 | 42 | .PHONY: package 43 | package: action ## Builds the distribution package. 44 | npm run package 45 | 46 | .PHONY: clean 47 | clean: 48 | rm -rf dist lib node_modules 49 | 50 | ## Tools 51 | ##################################################################### 52 | 53 | .PHONY: format 54 | format: node_modules/.installed ## Formats code. 55 | npm run format 56 | 57 | ## Testing 58 | ##################################################################### 59 | 60 | .PHONY: unit-test 61 | unit-test: node_modules/.installed ## Runs all unit tests. 62 | # NOTE: Make sure the package builds. 63 | npm run build 64 | npm run test 65 | 66 | .PHONY: lint 67 | lint: node_modules/.installed ## Runs eslint. 68 | npm run lint 69 | -------------------------------------------------------------------------------- /.github/actions/detect-workflow-js/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "Detect Workflow" 16 | description: "GitHub action to detect the referenced reusable workflow." 17 | inputs: 18 | token: 19 | description: "The GitHub Actions token." 20 | required: false 21 | default: ${{ github.token }} 22 | outputs: 23 | repository: 24 | description: The current workflow repository, format org/repository 25 | ref: 26 | description: The current workflow reference 27 | workflow: 28 | description: The path to the workflow relative to the repository, for example ".github/workflows/example.yml" 29 | 30 | runs: 31 | using: "node20" 32 | main: "dist/index.js" 33 | -------------------------------------------------------------------------------- /.github/actions/detect-workflow-js/jest.config.js: -------------------------------------------------------------------------------- 1 | /** @type {import('ts-jest').JestConfigWithTsJest} */ 2 | module.exports = { 3 | preset: 'ts-jest', 4 | testEnvironment: 'node', 5 | }; -------------------------------------------------------------------------------- /.github/actions/detect-workflow-js/jest.setup.js: -------------------------------------------------------------------------------- 1 | console.error = jest.fn(); 2 | -------------------------------------------------------------------------------- /.github/actions/detect-workflow-js/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "detect-workflow-js", 3 | "version": "0.0.0", 4 | "private": true, 5 | "description": "GitHub action to detect the 
referenced reusable workflow.", 6 | "main": "lib/main.js", 7 | "scripts": { 8 | "build": "tsc", 9 | "format": "prettier --write '**/*.ts'", 10 | "format-check": "prettier --check '**/*.ts'", 11 | "package": "ncc build --external encoding --source-map", 12 | "lint": "eslint --max-warnings 0 src/**/*.ts", 13 | "test": "jest", 14 | "all": "npm run format && npm run lint && npm run build && npm run test && npm run package" 15 | }, 16 | "keywords": [ 17 | "actions", 18 | "node", 19 | "setup" 20 | ], 21 | "devDependencies": { 22 | "@types/jest": "29.5.14", 23 | "@types/node": "20.17.19", 24 | "@typescript-eslint/eslint-plugin": "6.21.0", 25 | "@typescript-eslint/parser": "6.21.0", 26 | "@vercel/ncc": "0.38.3", 27 | "eslint": "8.57.1", 28 | "eslint-plugin-github": "4.10.2", 29 | "eslint-plugin-prettier": "5.2.3", 30 | "prettier": "3.5.1", 31 | "ts-jest": "29.2.5", 32 | "typescript": "5.7.3" 33 | }, 34 | "dependencies": { 35 | "@actions/core": "1.11.1", 36 | "@actions/github": "6.0.0" 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /.github/actions/detect-workflow-js/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target": "es6", /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */ 4 | "module": "commonjs", /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */ 5 | "outDir": "./lib", /* Redirect output structure to the directory. */ 6 | "rootDir": "./src", /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */ 7 | "strict": true, /* Enable all strict type-checking options. */ 8 | "noImplicitAny": true, /* Raise error on expressions and declarations with an implied 'any' type. 
*/ 9 | "esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */ 10 | }, 11 | "exclude": ["node_modules", "**/*.test.ts"] 12 | } 13 | -------------------------------------------------------------------------------- /.github/actions/generate-attestations/.eslintignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /.github/actions/generate-attestations/.gitignore: -------------------------------------------------------------------------------- 1 | # Dependency directory 2 | node_modules 3 | 4 | # Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore 5 | # Logs 6 | logs 7 | *.log 8 | npm-debug.log* 9 | yarn-debug.log* 10 | yarn-error.log* 11 | lerna-debug.log* 12 | 13 | # Diagnostic reports (https://nodejs.org/api/report.html) 14 | report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json 15 | 16 | # Runtime data 17 | pids 18 | *.pid 19 | *.seed 20 | *.pid.lock 21 | 22 | # Directory for instrumented libs generated by jscoverage/JSCover 23 | lib-cov 24 | 25 | # Coverage directory used by tools like istanbul 26 | coverage 27 | *.lcov 28 | 29 | # nyc test coverage 30 | .nyc_output 31 | 32 | # Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) 33 | .grunt 34 | 35 | # Bower dependency directory (https://bower.io/) 36 | bower_components 37 | 38 | # node-waf configuration 39 | .lock-wscript 40 | 41 | # Compiled binary addons (https://nodejs.org/api/addons.html) 42 | build/Release 43 | 44 | # Dependency directories 45 | jspm_packages/ 46 | 47 | # TypeScript v1 declaration files 48 | typings/ 49 | 50 | # TypeScript cache 51 | *.tsbuildinfo 52 | 53 | # Optional npm cache directory 54 | .npm 55 | 56 | # Optional eslint cache 57 | .eslintcache 58 | 59 | # 
Optional REPL history 60 | .node_repl_history 61 | 62 | # Output of 'npm pack' 63 | *.tgz 64 | 65 | # Yarn Integrity file 66 | .yarn-integrity 67 | 68 | # dotenv environment variables file 69 | .env 70 | .env.test 71 | 72 | # parcel-bundler cache (https://parceljs.org/) 73 | .cache 74 | 75 | # next.js build output 76 | .next 77 | 78 | # nuxt.js build output 79 | .nuxt 80 | 81 | # vuepress build output 82 | .vuepress/dist 83 | 84 | # Serverless directories 85 | .serverless/ 86 | 87 | # FuseBox cache 88 | .fusebox/ 89 | 90 | # DynamoDB Local files 91 | .dynamodb/ 92 | 93 | # OS metadata 94 | .DS_Store 95 | Thumbs.db 96 | 97 | # Ignore built ts files 98 | __tests__/runner/* 99 | lib/**/* -------------------------------------------------------------------------------- /.github/actions/generate-attestations/.prettierignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /.github/actions/generate-attestations/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | SHELL := /bin/bash 16 | ACTION_NAME = $(shell basename "$$(pwd)") 17 | 18 | .PHONY: help 19 | help: ## Shows all targets and help from the Makefile (this message). 
20 | @echo "$(ACTION_NAME) Makefile" 21 | @echo "Usage: make [COMMAND]" 22 | @echo "" 23 | @grep --no-filename -E '^([/a-z.A-Z0-9_%-]+:.*?|)##' $(MAKEFILE_LIST) | \ 24 | awk 'BEGIN {FS = "(:.*?|)## ?"}; { \ 25 | if (length($$1) > 0) { \ 26 | printf " \033[36m%-20s\033[0m %s\n", $$1, $$2; \ 27 | } else { \ 28 | if (length($$2) > 0) { \ 29 | printf "%s\n", $$2; \ 30 | } \ 31 | } \ 32 | }' 33 | 34 | node_modules/.installed: package.json package-lock.json 35 | npm ci 36 | touch node_modules/.installed 37 | 38 | .PHONY: action 39 | action: node_modules/.installed ## Builds the action. 40 | npm run build 41 | 42 | .PHONY: package 43 | package: action ## Builds the distribution package. 44 | npm run package 45 | 46 | .PHONY: clean 47 | clean: 48 | rm -rf dist lib node_modules 49 | 50 | ## Tools 51 | ##################################################################### 52 | 53 | .PHONY: format 54 | format: node_modules/.installed ## Formats code. 55 | npm run format 56 | 57 | ## Testing 58 | ##################################################################### 59 | 60 | .PHONY: unit-test 61 | unit-test: node_modules/.installed ## Runs all unit tests. 62 | # NOTE: Make sure the package builds. 63 | npm run build 64 | npm run test 65 | 66 | .PHONY: lint 67 | lint: node_modules/.installed ## Runs eslint. 68 | npm run lint 69 | -------------------------------------------------------------------------------- /.github/actions/generate-attestations/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "Generate Attestations" 16 | description: "Generates in-toto attestations based on a SLSA output layout and a predicate" 17 | inputs: 18 | slsa-layout-file: 19 | description: "A JSON file describing the SLSA output layout with attestation filename keys and the generated subjects (and digests)" 20 | required: true 21 | predicate-type: 22 | description: "A URI defining the type of the predicate, e.g. https://slsa.dev/provenance/v0.2" 23 | required: true 24 | predicate-file: 25 | description: "A JSON file describing the SLSA predicate to attach to the subjects" 26 | required: true 27 | output-folder: 28 | description: "Output folder to place attestations" 29 | required: true 30 | runs: 31 | using: "node20" 32 | main: "dist/index.js" 33 | -------------------------------------------------------------------------------- /.github/actions/generate-attestations/jest.config.js: -------------------------------------------------------------------------------- 1 | /** @type {import('ts-jest').JestConfigWithTsJest} */ 2 | module.exports = { 3 | preset: 'ts-jest', 4 | testEnvironment: 'node', 5 | }; -------------------------------------------------------------------------------- /.github/actions/generate-attestations/jest.setup.js: -------------------------------------------------------------------------------- 1 | console.error = jest.fn(); 2 | -------------------------------------------------------------------------------- /.github/actions/generate-attestations/package.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": "generate-attestations", 3 | "version": "0.0.1", 4 | "description": "", 5 | "main": "lib/main.js", 6 | "scripts": { 7 | "ci": "npm ci", 8 | "build": "tsc", 9 | "format": "prettier --write '**/*.ts'", 10 | "format-check": "prettier --check '**/*.ts'", 11 | "package": "ncc build --external encoding --source-map", 12 | "lint": "eslint --max-warnings 0 src/**/*.ts", 13 | "all": "npm ci && npm run format && npm run lint && npm run build && npm run test && npm run package", 14 | "test": "jest" 15 | }, 16 | "dependencies": { 17 | "@actions/core": "1.11.1", 18 | "@actions/github": "6.0.0", 19 | "tscommon": "file:../tscommon/tscommon-0.0.0.tgz" 20 | }, 21 | "keywords": [], 22 | "author": "", 23 | "license": "Apache-2.0", 24 | "devDependencies": { 25 | "@types/jest": "29.5.14", 26 | "@types/node": "20.17.19", 27 | "@typescript-eslint/eslint-plugin": "6.21.0", 28 | "@typescript-eslint/parser": "6.21.0", 29 | "@vercel/ncc": "0.38.3", 30 | "eslint": "8.57.1", 31 | "eslint-plugin-github": "4.10.2", 32 | "eslint-plugin-prettier": "5.2.3", 33 | "prettier": "3.5.1", 34 | "ts-jest": "29.2.5", 35 | "typescript": "5.7.3" 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /.github/actions/generate-attestations/src/intoto.ts: -------------------------------------------------------------------------------- 1 | // Copyright 2023 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | /** The in-toto Statement `_type` URI written into generated attestations. */ export const INTOTO_TYPE = "https://in-toto.io/Statement/v0.1"; 16 | 17 | /** An attested artifact: `name` identifies it and `digest` maps digest-algorithm names to their values (the layout testdata below uses a `sha256` key). */ export type Subject = { 18 | digest: { [key: string]: string }; 19 | name: string; 20 | }; 21 | 22 | /** One attestation to generate: its `name` (the testdata uses filenames such as attestation1.intoto) and the subjects it covers. */ export type Attestation = { 23 | name: string; 24 | subjects: Subject[]; 25 | }; 26 | 27 | /** Shape of the in-toto Statement produced per attestation. `_type` presumably carries INTOTO_TYPE; `predicateType` is a URI naming the schema of `predicate` (see the action's predicate-type input). */ export interface IntotoStatement { 28 | _type: string; 29 | subject: Subject[]; 30 | predicateType: string; 31 | predicate: object; 32 | } 33 | 34 | /** Parsed form of the slsa-layout-file input: a schema `version` plus the attestations to emit (see testdata/layouts/valid-layout.json). */ export type Layout = { 35 | version: number; 36 | attestations: Attestation[]; 37 | }; 38 | -------------------------------------------------------------------------------- /.github/actions/generate-attestations/testdata/layouts/valid-layout.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": 1, 3 | "attestations": [ 4 | { 5 | "name": "attestation1.intoto", 6 | "subjects": [ 7 | { 8 | "name": "artifact11", 9 | "digest": { 10 | "sha256": "deadbeaf" 11 | } 12 | } 13 | ] 14 | }, 15 | { 16 | "name": "attestation2.intoto", 17 | "subjects": [ 18 | { 19 | "name": "artifact21", 20 | "digest": { 21 | "sha256": "deadbeat" 22 | } 23 | } 24 | ] 25 | } 26 | ] 27 | } -------------------------------------------------------------------------------- /.github/actions/generate-attestations/testdata/predicates/valid-slsa-v02.json: -------------------------------------------------------------------------------- 1 | { 2 | "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", 3 | "builder": { 4 | "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v0.0.1" 5 | } 6 | } -------------------------------------------------------------------------------- /.github/actions/generate-attestations/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | 
"target": "es6", /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */ 4 | "module": "commonjs", /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */ 5 | "outDir": "./lib", /* Redirect output structure to the directory. */ 6 | "rootDir": "./src", /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */ 7 | "strict": true, /* Enable all strict type-checking options. */ 8 | "noImplicitAny": true, /* Raise error on expressions and declarations with an implied 'any' type. */ 9 | "esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */ 10 | }, 11 | "exclude": ["node_modules", "**/*.test.ts"] 12 | } -------------------------------------------------------------------------------- /.github/actions/generate-builder/generate-builder.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eu 2 | # 3 | # Copyright 2023 SLSA Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
16 | 17 | set -euo pipefail # Produces the builder binary named by BUILDER_RELEASE_BINARY, either compiled from source or fetched prebuilt. Environment read: COMPILE_BUILDER, BUILDER_REF, BUILDER_DIR, BUILDER_RELEASE_BINARY; with -u an unset one aborts the script. 18 | 19 | if [[ "$COMPILE_BUILDER" == true ]]; then # Build from source at BUILDER_REF; any other value falls through to the fetch path. 20 | echo "Building the builder with ref: $BUILDER_REF" 21 | 22 | cd "$BUILDER_DIR" 23 | git checkout "$BUILDER_REF" # Pin the source tree to the caller-supplied ref before building. 24 | 25 | #TODO(reproducible) 26 | go mod vendor # NOTE(review): fetches module sources at build time; the TODO above tracks making the resulting binary reproducible. 27 | 28 | # https://go.dev/ref/mod#build-commands. 29 | go build -mod=vendor -o "$BUILDER_RELEASE_BINARY" # Build only from the vendored sources fetched above. 30 | 31 | cd - # Return to the caller's directory (cd - also echoes the restored path to stdout). 32 | 33 | mv "$BUILDER_DIR/$BUILDER_RELEASE_BINARY" . # Leave the binary in the current directory, where the chmod below expects it. 34 | 35 | else 36 | echo "Fetching the builder with ref: $BUILDER_REF" 37 | 38 | ./__BUILDER_CHECKOUT_DIR__/.github/actions/generate-builder/builder-fetch.sh # Download a prebuilt builder instead; builder-fetch.sh is not shown here, and __BUILDER_CHECKOUT_DIR__ is presumably the directory where the generator repository is checked out. 39 | fi 40 | 41 | chmod u+x "$BUILDER_RELEASE_BINARY" # Both paths are expected to leave the binary in the current directory; make it executable for the current user. 42 | -------------------------------------------------------------------------------- /.github/actions/privacy-check/.eslintignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /.github/actions/privacy-check/.gitignore: -------------------------------------------------------------------------------- 1 | # Dependency directory 2 | node_modules 3 | 4 | # Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore 5 | # Logs 6 | logs 7 | *.log 8 | npm-debug.log* 9 | yarn-debug.log* 10 | yarn-error.log* 11 | lerna-debug.log* 12 | 13 | # Diagnostic reports (https://nodejs.org/api/report.html) 14 | report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json 15 | 16 | # Runtime data 17 | pids 18 | *.pid 19 | *.seed 20 | *.pid.lock 21 | 22 | # Directory for instrumented libs generated by jscoverage/JSCover 23 | lib-cov 24 | 25 | # Coverage directory used by tools like istanbul 26 | coverage 27 | *.lcov 28 | 29 | # nyc test coverage 30 | .nyc_output 31 | 32 | # Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) 33 | .grunt 34 | 35 | # Bower dependency directory (https://bower.io/) 36 | bower_components 37 | 38 | # node-waf configuration 39 | .lock-wscript 40 | 41 | 
# Compiled binary addons (https://nodejs.org/api/addons.html) 42 | build/Release 43 | 44 | # Dependency directories 45 | jspm_packages/ 46 | 47 | # TypeScript v1 declaration files 48 | typings/ 49 | 50 | # TypeScript cache 51 | *.tsbuildinfo 52 | 53 | # Optional npm cache directory 54 | .npm 55 | 56 | # Optional eslint cache 57 | .eslintcache 58 | 59 | # Optional REPL history 60 | .node_repl_history 61 | 62 | # Output of 'npm pack' 63 | *.tgz 64 | 65 | # Yarn Integrity file 66 | .yarn-integrity 67 | 68 | # dotenv environment variables file 69 | .env 70 | .env.test 71 | 72 | # parcel-bundler cache (https://parceljs.org/) 73 | .cache 74 | 75 | # next.js build output 76 | .next 77 | 78 | # nuxt.js build output 79 | .nuxt 80 | 81 | # vuepress build output 82 | .vuepress/dist 83 | 84 | # Serverless directories 85 | .serverless/ 86 | 87 | # FuseBox cache 88 | .fusebox/ 89 | 90 | # DynamoDB Local files 91 | .dynamodb/ 92 | 93 | # OS metadata 94 | .DS_Store 95 | Thumbs.db 96 | 97 | # Ignore built ts files 98 | __tests__/runner/* 99 | lib/**/* -------------------------------------------------------------------------------- /.github/actions/privacy-check/.prettierignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /.github/actions/privacy-check/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | SHELL := /bin/bash 16 | ACTION_NAME = $(shell basename "$$(pwd)") 17 | 18 | .PHONY: help 19 | help: ## Shows all targets and help from the Makefile (this message). 20 | @echo "$(ACTION_NAME) Makefile" 21 | @echo "Usage: make [COMMAND]" 22 | @echo "" 23 | @grep --no-filename -E '^([/a-z.A-Z0-9_%-]+:.*?|)##' $(MAKEFILE_LIST) | \ 24 | awk 'BEGIN {FS = "(:.*?|)## ?"}; { \ 25 | if (length($$1) > 0) { \ 26 | printf " \033[36m%-20s\033[0m %s\n", $$1, $$2; \ 27 | } else { \ 28 | if (length($$2) > 0) { \ 29 | printf "%s\n", $$2; \ 30 | } \ 31 | } \ 32 | }' 33 | 34 | node_modules/.installed: package.json package-lock.json 35 | npm ci 36 | touch node_modules/.installed 37 | 38 | .PHONY: action 39 | action: node_modules/.installed ## Builds the action. 40 | npm run build 41 | 42 | .PHONY: package 43 | package: action ## Builds the distribution package. 44 | npm run package 45 | 46 | .PHONY: clean 47 | clean: 48 | rm -rf dist lib node_modules 49 | 50 | ## Tools 51 | ##################################################################### 52 | 53 | .PHONY: format 54 | format: node_modules/.installed ## Formats code. 55 | npm run format 56 | 57 | ## Testing 58 | ##################################################################### 59 | 60 | .PHONY: lint 61 | lint: node_modules/.installed ## Runs eslint. 
62 | npm run lint 63 | -------------------------------------------------------------------------------- /.github/actions/privacy-check/README.md: -------------------------------------------------------------------------------- 1 | # Privacy Check 2 | 3 | Checks if a repository is private and fails if it is. 4 | 5 | ## How to build this action in development 6 | 7 | - Install node 8 | - Install typescript 9 | - `npm ci` 10 | - `npm run all` 11 | -------------------------------------------------------------------------------- /.github/actions/privacy-check/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "Privacy check" 16 | description: "Checks if a repository is private and fails if it is." 17 | inputs: 18 | token: 19 | description: "The GitHub Actions token." 20 | required: false 21 | default: ${{ github.token }} 22 | override: 23 | description: "If set to true, allows the action to complete successfully even if the repo is private." 24 | type: boolean 25 | required: false 26 | default: false 27 | error_message: 28 | description: "Override the error message." 29 | required: false 30 | default: "Repository is private." 31 | outputs: 32 | is_private: 33 | description: "True if the repository is private." 
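
runs:
  using: "node20"
  main: "dist/index.js"

-------------------------------------------------------------------------------- /.github/actions/privacy-check/package.json: --------------------------------------------------------------------------------
{
  "name": "privacy-check",
  "version": "0.0.0",
  "private": true,
  "description": "GitHub action to protect private repositories.",
  "main": "lib/main.js",
  "scripts": {
    "build": "tsc",
    "format": "prettier --write '**/*.ts'",
    "format-check": "prettier --check '**/*.ts'",
    "package": "ncc build --external encoding --source-map",
    "lint": "eslint --max-warnings 0 src/**/*.ts",
    "all": "npm run format && npm run lint && npm run build && npm run package"
  },
  "keywords": [
    "actions",
    "node",
    "setup"
  ],
  "devDependencies": {
    "@types/node": "20.17.19",
    "@typescript-eslint/eslint-plugin": "6.21.0",
    "@typescript-eslint/parser": "6.21.0",
    "@vercel/ncc": "0.38.3",
    "eslint": "8.57.1",
    "eslint-plugin-github": "4.10.2",
    "eslint-plugin-prettier": "5.2.3",
    "prettier": "3.5.1",
    "typescript": "5.7.3"
  },
  "dependencies": {
    "@actions/core": "1.11.1",
    "@actions/github": "6.0.0"
  }
}

-------------------------------------------------------------------------------- /.github/actions/privacy-check/src/main.ts: --------------------------------------------------------------------------------
// Copyright 2023 SLSA Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

import * as github from "@actions/github";
import * as core from "@actions/core";

/**
 * Splits a `GITHUB_REPOSITORY`-style name (`owner/repo`) into its parts.
 *
 * Returns undefined when the name is not exactly two non-empty segments,
 * so the caller fails closed instead of sending a lookup with an empty or
 * undefined owner/repo to the API.
 */
function parseRepository(
  name: string,
): { owner: string; repo: string } | undefined {
  const parts = name.split("/");
  if (parts.length !== 2 || !parts[0] || !parts[1]) {
    return undefined;
  }
  return { owner: parts[0], repo: parts[1] };
}

/**
 * Fails the step when the repository running the workflow is private.
 *
 * Inputs (see action.yml): `override` (only the exact string "true"
 * disables the failure), `error_message` (appended to the failure text),
 * and `token` (used for the repository lookup). The `is_private` output is
 * set whenever the lookup succeeds, even when the step then fails.
 *
 * The check is fail-closed: a missing or malformed GITHUB_REPOSITORY, or a
 * lookup that errors (for example a token without read access to the
 * repository), fails the step rather than treating the repository as public.
 */
async function run(): Promise<void> {
  // Only the literal string "true" enables the override; any other value
  // (including "True" or "1") keeps the check enforced.
  const override = core.getInput("override") === "true";
  const message = core.getInput("error_message");
  const token = core.getInput("token");
  const octokit = github.getOctokit(token);

  const repoName = process.env.GITHUB_REPOSITORY;
  if (!repoName) {
    core.setFailed("No repository detected.");
    return;
  }

  const target = parseRepository(repoName);
  if (!target) {
    core.setFailed(
      `Malformed GITHUB_REPOSITORY "${repoName}" (expected owner/repo).`,
    );
    return;
  }

  let isPrivate: boolean;
  try {
    const repoResp = await octokit.rest.repos.get(target);
    // NOTE(review): the REST API is expected to report internal
    // repositories as private as well — confirm against the API docs.
    isPrivate = repoResp.data.private;
  } catch (err: unknown) {
    // Fail closed: if visibility cannot be determined, do not let the
    // caller proceed as though the repository were public.
    const reason = err instanceof Error ? err.message : String(err);
    core.setFailed(
      `${repoName}: unable to determine repository visibility: ${reason}`,
    );
    return;
  }

  core.setOutput("is_private", isPrivate);

  if (isPrivate && !override) {
    core.setFailed(`${repoName}: ${message}`);
    return;
  }
}

run().catch((err: unknown) => {
  // Backstop so an unexpected rejection is reported as a failed step with a
  // message rather than as an unhandled-rejection crash.
  core.setFailed(err instanceof Error ? err.message : String(err));
});

-------------------------------------------------------------------------------- /.github/actions/privacy-check/tsconfig.json: --------------------------------------------------------------------------------
{
  "compilerOptions": {
    "target": "es6", /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */
    "module": "commonjs", /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */
    "outDir": "./lib", /* Redirect output structure to the directory.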
*/ 6 | "rootDir": "./src", /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */ 7 | "strict": true, /* Enable all strict type-checking options. */ 8 | "noImplicitAny": true, /* Raise error on expressions and declarations with an implied 'any' type. */ 9 | "esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */ 10 | }, 11 | "exclude": ["node_modules", "**/*.test.ts"] 12 | } 13 | -------------------------------------------------------------------------------- /.github/actions/rng/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "RNG" 16 | description: "Generate random bytes using /dev/urandom. WARNING: only use for non-cryptographic purposes (the results will show in logs)." 17 | inputs: 18 | length: 19 | description: "Number of raw random bytes to generate." 20 | default: 16 21 | required: false 22 | outputs: 23 | random: 24 | description: > 25 | The output of the RNG encoded in hexadecimal. 26 | Note: Due to the encoding, the length of the string will be twice as long as the input length requested by the user. 
27 | value: "${{ steps.rng.outputs.result }}" 28 | 29 | runs: 30 | using: "composite" 31 | steps: 32 | - name: Generate random 33 | id: rng 34 | shell: bash 35 | env: 36 | LENGTH: "${{ inputs.length }}" 37 | run: | 38 | set -euo pipefail 39 | 40 | # Note: if we need to support different encoding, we can use 41 | # `head -c"$LENGTH" /dev/urandom | xxd ...` instead. 42 | # -l: the number of bytes 43 | # -c: the number of bytes displayed per column 44 | value=$(xxd -p -l "$LENGTH" -c "$LENGTH" /dev/urandom) 45 | echo "result=$value" >> "$GITHUB_OUTPUT" 46 | -------------------------------------------------------------------------------- /.github/actions/secure-builder-checkout/action.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "secure-builder-checkout" 16 | description: "Checkout the builder repository" 17 | 18 | inputs: 19 | repository: 20 | description: "The repository to check out." 21 | required: true 22 | ref: 23 | description: "The ref to checkout." 24 | required: true 25 | path: 26 | # Same argument to https://github.com/actions/checkout. 27 | description: "Relative path under $GITHUB_WORKSPACE to place the repository." 28 | required: true 29 | token: 30 | description: "Token used to fetch the repository." 
31 | required: false 32 | default: ${{ github.token }} 33 | runs: 34 | using: "composite" 35 | steps: 36 | # TODO(968): verify the hash is on the main branch 37 | # and has an associated release. This will require exceptions 38 | # for e2e tests. 39 | - name: Checkout the repository 40 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 41 | with: 42 | repository: ${{ inputs.repository }} 43 | ref: ${{ inputs.ref }} 44 | token: ${{ inputs.token }} 45 | path: ${{ inputs.path }} 46 | persist-credentials: false 47 | fetch-depth: 1 48 | -------------------------------------------------------------------------------- /.github/actions/secure-project-checkout-node/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "Checkout a repository for a Node project" 16 | description: "Checkout and setup the environment for a Node project" 17 | inputs: 18 | path: 19 | # Same argument to https://github.com/actions/checkout. 20 | description: "Relative path under $GITHUB_WORKSPACE to place the repository." 21 | required: true 22 | token: 23 | description: "The token to use." 24 | required: false 25 | # Same default as https://github.com/actions/checkout/blob/main/action.yml#L24. 
26 | default: ${{ github.token }} 27 | node-version: 28 | description: "The Node version to use, as expected by https://github.com/actions/setup-node." 29 | required: true 30 | 31 | runs: 32 | using: "composite" 33 | steps: 34 | # Note: this assumes to top-level re-usable workflow 35 | # has checkout'ed the builder repository using 36 | # `.github/actions/secure-builder-checkout`. 37 | - name: Checkout the repository with user ref 38 | uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/secure-project-checkout 39 | with: 40 | token: ${{ inputs.token }} 41 | path: ${{ inputs.path }} 42 | 43 | - name: Set up Node environment 44 | uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 45 | with: 46 | node-version: ${{ inputs.node-version }} 47 | -------------------------------------------------------------------------------- /.github/actions/secure-upload-artifact/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "Secure artifact upload" 16 | description: "Upload an artifact and outputs its SHA256" 17 | inputs: 18 | name: 19 | description: "Artifact name." 20 | default: "artifact" 21 | required: false 22 | path: 23 | description: "Artifact path. (Note: This is expected to be a file name in the working directory)." 
24 | required: true 25 | outputs: 26 | sha256: 27 | description: "SHA256 of the file." 28 | value: "${{ steps.compute-digest.outputs.sha256 }}" 29 | 30 | runs: 31 | using: "composite" 32 | steps: 33 | - name: Compute binary hash 34 | id: compute-digest 35 | uses: slsa-framework/slsa-github-generator/.github/actions/compute-sha256@main 36 | with: 37 | path: "${{ inputs.path }}" 38 | 39 | - name: Upload the artifact 40 | uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 41 | with: 42 | name: "${{ inputs.name }}" 43 | path: "${{ inputs.path }}" 44 | if-no-files-found: error 45 | retention-days: 5 46 | -------------------------------------------------------------------------------- /.github/actions/sign-attestations/.eslintignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /.github/actions/sign-attestations/.gitignore: -------------------------------------------------------------------------------- 1 | # Dependency directory 2 | node_modules 3 | 4 | # Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore 5 | # Logs 6 | logs 7 | *.log 8 | npm-debug.log* 9 | yarn-debug.log* 10 | yarn-error.log* 11 | lerna-debug.log* 12 | 13 | # Diagnostic reports (https://nodejs.org/api/report.html) 14 | report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json 15 | 16 | # Runtime data 17 | pids 18 | *.pid 19 | *.seed 20 | *.pid.lock 21 | 22 | # Directory for instrumented libs generated by jscoverage/JSCover 23 | lib-cov 24 | 25 | # Coverage directory used by tools like istanbul 26 | coverage 27 | *.lcov 28 | 29 | # nyc test coverage 30 | .nyc_output 31 | 32 | # Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) 33 | .grunt 34 | 35 | # Bower dependency directory (https://bower.io/) 36 | bower_components 37 | 38 | # node-waf configuration 39 | .lock-wscript 40 
| 41 | # Compiled binary addons (https://nodejs.org/api/addons.html) 42 | build/Release 43 | 44 | # Dependency directories 45 | jspm_packages/ 46 | 47 | # TypeScript v1 declaration files 48 | typings/ 49 | 50 | # TypeScript cache 51 | *.tsbuildinfo 52 | 53 | # Optional npm cache directory 54 | .npm 55 | 56 | # Optional eslint cache 57 | .eslintcache 58 | 59 | # Optional REPL history 60 | .node_repl_history 61 | 62 | # Output of 'npm pack' 63 | *.tgz 64 | 65 | # Yarn Integrity file 66 | .yarn-integrity 67 | 68 | # dotenv environment variables file 69 | .env 70 | .env.test 71 | 72 | # parcel-bundler cache (https://parceljs.org/) 73 | .cache 74 | 75 | # next.js build output 76 | .next 77 | 78 | # nuxt.js build output 79 | .nuxt 80 | 81 | # vuepress build output 82 | .vuepress/dist 83 | 84 | # Serverless directories 85 | .serverless/ 86 | 87 | # FuseBox cache 88 | .fusebox/ 89 | 90 | # DynamoDB Local files 91 | .dynamodb/ 92 | 93 | # OS metadata 94 | .DS_Store 95 | Thumbs.db 96 | 97 | # Ignore built ts files 98 | __tests__/runner/* 99 | lib/**/* -------------------------------------------------------------------------------- /.github/actions/sign-attestations/.prettierignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /.github/actions/sign-attestations/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | SHELL := /bin/bash 16 | ACTION_NAME = $(shell basename "$$(pwd)") 17 | 18 | .PHONY: help 19 | help: ## Shows all targets and help from the Makefile (this message). 20 | @echo "$(ACTION_NAME) Makefile" 21 | @echo "Usage: make [COMMAND]" 22 | @echo "" 23 | @grep --no-filename -E '^([/a-z.A-Z0-9_%-]+:.*?|)##' $(MAKEFILE_LIST) | \ 24 | awk 'BEGIN {FS = "(:.*?|)## ?"}; { \ 25 | if (length($$1) > 0) { \ 26 | printf " \033[36m%-20s\033[0m %s\n", $$1, $$2; \ 27 | } else { \ 28 | if (length($$2) > 0) { \ 29 | printf "%s\n", $$2; \ 30 | } \ 31 | } \ 32 | }' 33 | 34 | node_modules/.installed: package.json package-lock.json 35 | npm ci 36 | touch node_modules/.installed 37 | 38 | .PHONY: action 39 | action: node_modules/.installed ## Builds the action. 40 | npm run build 41 | 42 | .PHONY: package 43 | package: action ## Builds the distribution package. 44 | npm run package 45 | 46 | .PHONY: clean 47 | clean: 48 | rm -rf dist lib node_modules 49 | 50 | ## Tools 51 | ##################################################################### 52 | 53 | .PHONY: format 54 | format: node_modules/.installed ## Formats code. 55 | npm run format 56 | 57 | ## Testing 58 | ##################################################################### 59 | 60 | .PHONY: unit-test 61 | unit-test: node_modules/.installed ## Runs all unit tests. 62 | npm run test 63 | 64 | .PHONY: lint 65 | lint: node_modules/.installed ## Runs eslint. 
66 | npm run lint 67 | -------------------------------------------------------------------------------- /.github/actions/sign-attestations/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "Sign Attestations" 16 | description: "Signs in-toto attestations with Sigstore signing" 17 | inputs: 18 | attestations: 19 | description: "Folder of attestations to sign" 20 | required: true 21 | payload-type: 22 | description: "The in-toto payload type of the attestations" 23 | required: false 24 | default: "application/vnd.in-toto+json" 25 | output-folder: 26 | description: "Output folder to place attestations" 27 | required: true 28 | runs: 29 | using: "node20" 30 | main: "dist/index.js" 31 | -------------------------------------------------------------------------------- /.github/actions/sign-attestations/jest.config.js: -------------------------------------------------------------------------------- 1 | /** @type {import('ts-jest').JestConfigWithTsJest} */ 2 | module.exports = { 3 | preset: 'ts-jest', 4 | testEnvironment: 'node', 5 | }; -------------------------------------------------------------------------------- /.github/actions/sign-attestations/jest.setup.js: -------------------------------------------------------------------------------- 1 | console.error = jest.fn(); 2 | 
-------------------------------------------------------------------------------- /.github/actions/sign-attestations/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "sign-attestations", 3 | "version": "0.0.1", 4 | "description": "Signs in-toto attestations with Sigstore signing", 5 | "main": "lib/main.js", 6 | "scripts": { 7 | "ci": "npm ci", 8 | "build": "tsc", 9 | "format": "prettier --write '**/*.ts'", 10 | "format-check": "prettier --check '**/*.ts'", 11 | "package": "ncc build --external encoding --source-map", 12 | "lint": "eslint --max-warnings 0 src/**/*.ts", 13 | "all": "npm ci && npm run format && npm run lint && npm run build && npm run package" 14 | }, 15 | "keywords": [], 16 | "author": "", 17 | "license": "ISC", 18 | "devDependencies": { 19 | "@types/make-fetch-happen": "10.0.4", 20 | "@types/node": "20.17.19", 21 | "@typescript-eslint/eslint-plugin": "6.21.0", 22 | "@typescript-eslint/parser": "6.21.0", 23 | "@vercel/ncc": "0.38.3", 24 | "eslint": "8.57.1", 25 | "eslint-plugin-github": "4.10.2", 26 | "eslint-plugin-prettier": "5.2.3", 27 | "prettier": "3.5.1", 28 | "typescript": "5.7.3" 29 | }, 30 | "dependencies": { 31 | "@actions/core": "1.11.1", 32 | "@actions/github": "6.0.0", 33 | "@sigstore/rekor-types": "2.0.0", 34 | "sigstore": "2.3.1", 35 | "tscommon": "file:../tscommon/tscommon-0.0.0.tgz" 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /.github/actions/sign-attestations/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target": "es6", /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */ 4 | "module": "commonjs", /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. 
*/ 5 | "outDir": "./lib", /* Redirect output structure to the directory. */ 6 | "rootDir": "./src", /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */ 7 | "strict": true, /* Enable all strict type-checking options. */ 8 | "noImplicitAny": true, /* Raise error on expressions and declarations with an implied 'any' type. */ 9 | "esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */ 10 | }, 11 | "exclude": ["node_modules", "**/*.test.ts"] 12 | } -------------------------------------------------------------------------------- /.github/actions/tscommon/.eslintignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /.github/actions/tscommon/.gitignore: -------------------------------------------------------------------------------- 1 | # Dependency directory 2 | node_modules 3 | 4 | # Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore 5 | # Logs 6 | logs 7 | *.log 8 | npm-debug.log* 9 | yarn-debug.log* 10 | yarn-error.log* 11 | lerna-debug.log* 12 | 13 | # Diagnostic reports (https://nodejs.org/api/report.html) 14 | report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json 15 | 16 | # Runtime data 17 | pids 18 | *.pid 19 | *.seed 20 | *.pid.lock 21 | 22 | # Directory for instrumented libs generated by jscoverage/JSCover 23 | lib-cov 24 | 25 | # Coverage directory used by tools like istanbul 26 | coverage 27 | *.lcov 28 | 29 | # nyc test coverage 30 | .nyc_output 31 | 32 | # Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) 33 | .grunt 34 | 35 | # Bower dependency directory (https://bower.io/) 36 | bower_components 37 | 38 | # node-waf configuration 39 | .lock-wscript 40 | 41 | # Compiled 
binary addons (https://nodejs.org/api/addons.html) 42 | build/Release 43 | 44 | # Dependency directories 45 | jspm_packages/ 46 | 47 | # TypeScript v1 declaration files 48 | typings/ 49 | 50 | # TypeScript cache 51 | *.tsbuildinfo 52 | 53 | # Optional npm cache directory 54 | .npm 55 | 56 | # Optional eslint cache 57 | .eslintcache 58 | 59 | # Optional REPL history 60 | .node_repl_history 61 | 62 | # Output of 'npm pack' 63 | *.tgz 64 | 65 | # Yarn Integrity file 66 | .yarn-integrity 67 | 68 | # dotenv environment variables file 69 | .env 70 | .env.test 71 | 72 | # parcel-bundler cache (https://parceljs.org/) 73 | .cache 74 | 75 | # next.js build output 76 | .next 77 | 78 | # nuxt.js build output 79 | .nuxt 80 | 81 | # vuepress build output 82 | .vuepress/dist 83 | 84 | # Serverless directories 85 | .serverless/ 86 | 87 | # FuseBox cache 88 | .fusebox/ 89 | 90 | # DynamoDB Local files 91 | .dynamodb/ 92 | 93 | # OS metadata 94 | .DS_Store 95 | Thumbs.db 96 | 97 | # Ignore built ts files 98 | __tests__/runner/* 99 | lib/ 100 | package/ 101 | dist/ 102 | -------------------------------------------------------------------------------- /.github/actions/tscommon/.prettierignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /.github/actions/tscommon/README.md: -------------------------------------------------------------------------------- 1 | # tscommon library 2 | 3 | This is an internal library of common utilities. 4 | 5 | ## Links 6 | 7 | https://stackoverflow.com/questions/15806241/how-to-specify-local-modules-as-npm-package-dependencies 8 | https://github.com/bersling/typescript-library-starter/blob/master 9 | https://www.tsmean.com/articles/how-to-write-a-typescript-library/ 10 | 11 | ## Error and fix 12 | 13 | To avoid `npm ci` error: 14 | 15 | ```shell 16 | npm ERR! code EUSAGE 17 | npm ERR! 18 | npm ERR! 
`npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing. 19 | npm ERR! 20 | npm ERR! Missing: tscommon@0.0.0 from lock file 21 | npm ERR! 22 | npm ERR! Clean install a project 23 | ``` 24 | 25 | Use: 26 | 27 | ```shell 28 | cd tscommon 29 | npm pack 30 | cd ../another-action 31 | npm install --save ../tscommon/tscommon-0.0.0.tgz 32 | ``` 33 | 34 | ## Changes 35 | 36 | Any changes to this code need to be reflected in dependent Actions as shown above. 37 | Run the script: 38 | 39 | ```bash 40 | cd tscommon 41 | npm run all 42 | npm run package 43 | bash update-actions.sh 44 | ``` 45 | -------------------------------------------------------------------------------- /.github/actions/tscommon/jest.config.js: -------------------------------------------------------------------------------- 1 | /** @type {import('ts-jest').JestConfigWithTsJest} */ 2 | module.exports = { 3 | preset: 'ts-jest', 4 | testEnvironment: 'node', 5 | }; -------------------------------------------------------------------------------- /.github/actions/tscommon/jest.setup.js: -------------------------------------------------------------------------------- 1 | console.error = jest.fn(); 2 | -------------------------------------------------------------------------------- /.github/actions/tscommon/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "tscommon", 3 | "version": "0.0.0", 4 | "private": true, 5 | "description": "Library for common utilities for TS Actions.", 6 | "main": "dist/index.js", 7 | "types": "dist/index.d.ts", 8 | "files": [ 9 | "/dist" 10 | ], 11 | "scripts": { 12 | "build": "tsc", 13 | "format": "prettier --write 'src/**/*.ts'", 14 | "format-check": "prettier --check 'src/**/*.ts'", 15 | "lint": "eslint src/**/*.ts", 16 | "package": "npm pack", 17 | "all": "npm ci && npm run format && npm run lint 
&& npm run build", 18 | "test": "jest" 19 | }, 20 | "keywords": [ 21 | "file", 22 | "node" 23 | ], 24 | "devDependencies": { 25 | "@types/jest": "29.5.14", 26 | "@types/node": "20.17.19", 27 | "@typescript-eslint/eslint-plugin": "6.21.0", 28 | "@typescript-eslint/parser": "6.21.0", 29 | "@vercel/ncc": "0.38.3", 30 | "eslint": "8.57.1", 31 | "eslint-plugin-github": "4.10.2", 32 | "eslint-plugin-prettier": "5.2.3", 33 | "prettier": "3.5.1", 34 | "ts-jest": "29.2.5", 35 | "typescript": "5.7.3" 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /.github/actions/tscommon/src/index.ts: -------------------------------------------------------------------------------- 1 | // Copyright 2023 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | export * from "./file"; 16 | -------------------------------------------------------------------------------- /.github/actions/tscommon/tscommon-0.0.0.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/slsa-framework/slsa-github-generator/24e3463c4c5882ca81483811c54212c50464a629/.github/actions/tscommon/tscommon-0.0.0.tgz -------------------------------------------------------------------------------- /.github/actions/tscommon/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target": "es6", /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */ 4 | "module": "commonjs", /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */ 5 | "outDir": "./dist", /* Redirect output structure to the directory. */ 6 | "rootDir": "./src", /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */ 7 | "strict": true, /* Enable all strict type-checking options. */ 8 | "noImplicitAny": true, /* Raise error on expressions and declarations with an implied 'any' type. */ 9 | "esModuleInterop": true, /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */ 10 | "declaration": true /* Generate .d.ts files for every TypeScript or JavaScript file inside your project. 
*/ 11 | }, 12 | "exclude": ["node_modules", "**/*.test.ts", "./dist/**/*"] 13 | } 14 | -------------------------------------------------------------------------------- /.github/actions/verify-token/.eslintignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /.github/actions/verify-token/.gitignore: -------------------------------------------------------------------------------- 1 | # Dependency directory 2 | node_modules 3 | 4 | # Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore 5 | # Logs 6 | logs 7 | *.log 8 | npm-debug.log* 9 | yarn-debug.log* 10 | yarn-error.log* 11 | lerna-debug.log* 12 | 13 | # Diagnostic reports (https://nodejs.org/api/report.html) 14 | report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json 15 | 16 | # Runtime data 17 | pids 18 | *.pid 19 | *.seed 20 | *.pid.lock 21 | 22 | # Directory for instrumented libs generated by jscoverage/JSCover 23 | lib-cov 24 | 25 | # Coverage directory used by tools like istanbul 26 | coverage 27 | *.lcov 28 | 29 | # nyc test coverage 30 | .nyc_output 31 | 32 | # Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) 33 | .grunt 34 | 35 | # Bower dependency directory (https://bower.io/) 36 | bower_components 37 | 38 | # node-waf configuration 39 | .lock-wscript 40 | 41 | # Compiled binary addons (https://nodejs.org/api/addons.html) 42 | build/Release 43 | 44 | # Dependency directories 45 | jspm_packages/ 46 | 47 | # TypeScript v1 declaration files 48 | typings/ 49 | 50 | # TypeScript cache 51 | *.tsbuildinfo 52 | 53 | # Optional npm cache directory 54 | .npm 55 | 56 | # Optional eslint cache 57 | .eslintcache 58 | 59 | # Optional REPL history 60 | .node_repl_history 61 | 62 | # Output of 'npm pack' 63 | *.tgz 64 | 65 | # Yarn Integrity file 66 | .yarn-integrity 67 | 68 | # dotenv environment variables file 69 | 
.env 70 | .env.test 71 | 72 | # parcel-bundler cache (https://parceljs.org/) 73 | .cache 74 | 75 | # next.js build output 76 | .next 77 | 78 | # nuxt.js build output 79 | .nuxt 80 | 81 | # vuepress build output 82 | .vuepress/dist 83 | 84 | # Serverless directories 85 | .serverless/ 86 | 87 | # FuseBox cache 88 | .fusebox/ 89 | 90 | # DynamoDB Local files 91 | .dynamodb/ 92 | 93 | # OS metadata 94 | .DS_Store 95 | Thumbs.db 96 | 97 | # Ignore built ts files 98 | __tests__/runner/* 99 | lib/**/* 100 | 101 | # Artifacts 102 | client.cert 103 | -------------------------------------------------------------------------------- /.github/actions/verify-token/.prettierignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /.github/actions/verify-token/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | SHELL := /bin/bash 16 | ACTION_NAME = $(shell basename "$$(pwd)") 17 | 18 | .PHONY: help 19 | help: ## Shows all targets and help from the Makefile (this message). 
20 | @echo "$(ACTION_NAME) Makefile" 21 | @echo "Usage: make [COMMAND]" 22 | @echo "" 23 | @grep --no-filename -E '^([/a-z.A-Z0-9_%-]+:.*?|)##' $(MAKEFILE_LIST) | \ 24 | awk 'BEGIN {FS = "(:.*?|)## ?"}; { \ 25 | if (length($$1) > 0) { \ 26 | printf " \033[36m%-20s\033[0m %s\n", $$1, $$2; \ 27 | } else { \ 28 | if (length($$2) > 0) { \ 29 | printf "%s\n", $$2; \ 30 | } \ 31 | } \ 32 | }' 33 | 34 | node_modules/.installed: package.json package-lock.json 35 | npm ci 36 | touch node_modules/.installed 37 | 38 | .PHONY: action 39 | action: node_modules/.installed ## Builds the action. 40 | npm run build 41 | 42 | .PHONY: package 43 | package: action ## Builds the distribution package. 44 | npm run package 45 | 46 | .PHONY: clean 47 | clean: 48 | rm -rf dist lib node_modules 49 | 50 | ## Tools 51 | ##################################################################### 52 | 53 | .PHONY: format 54 | format: node_modules/.installed ## Formats code. 55 | npm run format 56 | 57 | ## Testing 58 | ##################################################################### 59 | 60 | .PHONY: unit-test 61 | unit-test: node_modules/.installed ## Runs all unit tests. 62 | npm run test 63 | 64 | .PHONY: lint 65 | lint: node_modules/.installed ## Runs eslint. 66 | npm run lint 67 | -------------------------------------------------------------------------------- /.github/actions/verify-token/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: Verify a token 16 | 17 | description: "Verify a token" 18 | 19 | inputs: 20 | slsa-workflow-recipient: 21 | description: "The audience of the token" 22 | required: true 23 | 24 | slsa-unverified-token: 25 | description: "The token to verify" 26 | required: true 27 | 28 | token: 29 | description: "The GitHub Actions token." 30 | required: false 31 | default: ${{ github.token }} 32 | 33 | output-predicate: 34 | description: "The filename to place the output SLSA predicate based on the verified token." 35 | required: true 36 | 37 | builder-interface-type: 38 | description: "The type of the builder. One of [generator, builder]." 39 | required: true 40 | 41 | outputs: 42 | slsa-verified-token: 43 | description: "Verified SLSA token." 44 | 45 | tool-repository: 46 | description: "The tool repository taken from the signing certificate." 47 | 48 | tool-ref: 49 | description: "The tool repository ref taken from the signing certificate." 
50 | 51 | runs: 52 | using: "node20" 53 | main: "dist/index.js" 54 | -------------------------------------------------------------------------------- /.github/actions/verify-token/jest.config.js: -------------------------------------------------------------------------------- 1 | /** @type {import('ts-jest').JestConfigWithTsJest} */ 2 | module.exports = { 3 | preset: "ts-jest", 4 | testEnvironment: "node", 5 | }; 6 | -------------------------------------------------------------------------------- /.github/actions/verify-token/jest.setup.js: -------------------------------------------------------------------------------- 1 | console.error = jest.fn(); 2 | -------------------------------------------------------------------------------- /.github/actions/verify-token/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "verify-token", 3 | "version": "1.0.0", 4 | "description": "Verify the SLSA token and generate a SLSA predicate", 5 | "main": "lib/index.js", 6 | "types": "lib/index.d.ts", 7 | "files": [ 8 | "/dist", 9 | "/store" 10 | ], 11 | "scripts": { 12 | "ci": "npm ci", 13 | "build": "tsc", 14 | "format": "prettier --write '**/*.ts'", 15 | "format-check": "prettier --check '**/*.ts'", 16 | "package": "ncc build --external encoding --source-map", 17 | "lint": "eslint --max-warnings 0 src/**/*.ts", 18 | "all": "npm run format && npm run lint && npm run build && npm run package", 19 | "test": "jest" 20 | }, 21 | "keywords": [], 22 | "author": "", 23 | "license": "Apache-2.0", 24 | "dependencies": { 25 | "@actions/core": "1.11.1", 26 | "@actions/github": "6.0.0", 27 | "@octokit/webhooks-types": "7.6.1", 28 | "@sigstore/rekor-types": "2.0.0", 29 | "sigstore": "2.3.1", 30 | "tscommon": "file:../tscommon/tscommon-0.0.0.tgz", 31 | "yaml": "2.5.1" 32 | }, 33 | "devDependencies": { 34 | "@types/node": "20.17.19", 35 | "@types/jest": "29.5.14", 36 | "@types/make-fetch-happen": "10.0.4", 37 | 
"@typescript-eslint/eslint-plugin": "6.21.0", 38 | "@typescript-eslint/parser": "6.21.0", 39 | "@vercel/ncc": "0.38.3", 40 | "eslint": "8.57.1", 41 | "eslint-plugin-github": "4.10.2", 42 | "eslint-plugin-prettier": "5.2.3", 43 | "jest": "29.7.0", 44 | "prettier": "3.5.1", 45 | "ts-jest": "29.2.5", 46 | "typescript": "5.7.3" 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /.github/actions/verify-token/src/slsatypes02.ts: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2022 SLSA Authors 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | https://www.apache.org/licenses/LICENSE-2.0 7 | Unless required by applicable law or agreed to in writing, software 8 | distributed under the License is distributed on an "AS IS" BASIS, 9 | WIHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 10 | See the License for the specific language governing permissions and 11 | limitations under the License. 
12 | */ 13 | 14 | export interface Builder { 15 | id: string; 16 | } 17 | 18 | export interface DigestSet { 19 | [key: string]: string; 20 | } 21 | 22 | export interface ConfigSource { 23 | uri?: string; 24 | digest?: DigestSet; 25 | entryPoint?: string; 26 | } 27 | 28 | export interface Invocation { 29 | configSource?: ConfigSource; 30 | // eslint-disable-next-line @typescript-eslint/no-explicit-any 31 | parameters?: any; 32 | // eslint-disable-next-line @typescript-eslint/no-explicit-any 33 | environment?: any; 34 | } 35 | 36 | export interface Completeness { 37 | parameters?: boolean; 38 | environment?: boolean; 39 | materials?: boolean; 40 | } 41 | 42 | export interface Metadata { 43 | buildInvocationId?: string; 44 | buildStartedOn?: string; 45 | completeness?: Completeness; 46 | reproducible?: boolean; 47 | } 48 | 49 | export interface Material { 50 | uri: string; 51 | digest: DigestSet; 52 | } 53 | 54 | // SLSAPredicate is a SLSA v0.2 provenance predicate. 55 | export interface SLSAPredicate { 56 | builder: Builder; 57 | buildType: string; 58 | invocation?: Invocation; 59 | // eslint-disable-next-line @typescript-eslint/no-explicit-any 60 | buildConfig?: any; 61 | metadata: Metadata; 62 | materials?: Material[]; 63 | } 64 | -------------------------------------------------------------------------------- /.github/actions/verify-token/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target": "es6" /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */, 4 | "module": "commonjs" /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */, 5 | "outDir": "./lib" /* Redirect output structure to the directory. */, 6 | "rootDir": "./src" /* Specify the root directory of input files. Use to control the output directory structure with --outDir. 
*/, 7 | "strict": true /* Enable all strict type-checking options. */, 8 | "noImplicitAny": true /* Raise error on expressions and declarations with an implied 'any' type. */, 9 | "esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */ 10 | }, 11 | "exclude": ["node_modules", "lib", "dist", "**/*.test.ts"] 12 | } 13 | -------------------------------------------------------------------------------- /.github/pr-title-checker-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "LABEL": { 3 | "name": "title needs adjustment", 4 | "color": "EEEEEE" 5 | }, 6 | "CHECKS": { 7 | "regexp": "^(fix|feat|break|docs|chore|refactor|style|build|ci|revert|test)!?(\\(.*\\))?!?:.*" 8 | }, 9 | "MESSAGES": { 10 | "success": "PR title is valid", 11 | "failure": "PR title is invalid", 12 | "notice": "Title needs to pass regex '^(fix|feat|break|docs|chore|refactor|style|build|ci|revert|test)!?(\\(.*\\))?!?:.*" 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | # Summary 2 | 3 | ... 4 | 5 | ## Testing Process 6 | 7 | ... 8 | 9 | ## Checklist 10 | 11 | - [ ] Review the contributing [guidelines](https://github.com/slsa-framework/slsa-github-generator/blob/main/CONTRIBUTING.md) 12 | - [ ] Add a reference to related issues in the PR description. 13 | - [ ] Update documentation if applicable. 14 | - [ ] Add unit tests if applicable. 15 | - [ ] Add changes to the [CHANGELOG](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) if applicable. 
16 | -------------------------------------------------------------------------------- /.github/workflows/configs-container/config-release.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Used for binary releases. 16 | version: 1 17 | env: 18 | - GO111MODULE=on 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | goos: linux 26 | goarch: amd64 27 | dir: internal/builders/container/ 28 | binary: slsa-generator-container-{{ .Os }}-{{ .Arch }} 29 | -------------------------------------------------------------------------------- /.github/workflows/configs-docker/config-release.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Used for binary releases. 16 | version: 1 17 | env: 18 | - GO111MODULE=on 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | goos: linux 26 | goarch: amd64 27 | dir: internal/builders/docker/ 28 | binary: slsa-builder-docker-{{ .Os }}-{{ .Arch }} 29 | # ldflags: -s -w ldflags remove the debugging information from the binary, which reduce the size of the binary. 30 | ldflags: 31 | - "-s" 32 | - "-w" 33 | -------------------------------------------------------------------------------- /.github/workflows/configs-generic/config-release.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Used for binary releases. 
16 | version: 1 17 | env: 18 | - GO111MODULE=on 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | goos: linux 26 | goarch: amd64 27 | dir: internal/builders/generic/ 28 | binary: slsa-generator-generic-{{ .Os }}-{{ .Arch }} 29 | -------------------------------------------------------------------------------- /.github/workflows/configs-go/config-ldflags-main-dir.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Used for pre-submit tests. 16 | version: 1 17 | env: 18 | - GO111MODULE=on 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | goos: linux 26 | goarch: amd64 27 | # Note: main is not necessary. 28 | main: main.go 29 | dir: internal/builders/go/e2e-presubmits/ 30 | binary: binary-{{ .Os }}-{{ .Arch }} 31 | ldflags: 32 | - "{{ .Env.VERSION }}" 33 | - "{{ .Env.COMMIT }}" 34 | - "{{ .Env.BRANCH }}" 35 | -------------------------------------------------------------------------------- /.github/workflows/configs-go/config-release.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Used for pre-submit tests. 16 | version: 1 17 | env: 18 | - GO111MODULE=on 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | goos: linux 26 | goarch: amd64 27 | dir: internal/builders/go/ 28 | binary: slsa-builder-go-{{ .Os }}-{{ .Arch }} 29 | # ldflags: -s -w ldflags remove the debugging information from the binary, which reduce the size of the binary. 30 | ldflags: 31 | - "-s" 32 | - "-w" 33 | -------------------------------------------------------------------------------- /.github/workflows/pre-submit.apis.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | name: pre-submit apis 16 | 17 | on: 18 | push: 19 | branches: [main, "*"] 20 | pull_request: 21 | # The branches below must be a subset of the branches above 22 | branches: [main] 23 | merge_group: 24 | workflow_dispatch: 25 | 26 | permissions: 27 | contents: read # Needed to check out the repo. 28 | 29 | jobs: 30 | verify-safe-apis: 31 | name: verify safe APIs 32 | runs-on: ubuntu-latest 33 | steps: 34 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 35 | - name: Check safe file systems APIs 36 | run: ./.github/workflows/scripts/pre-submit.apis/verify-safefs.sh 37 | -------------------------------------------------------------------------------- /.github/workflows/pre-submit.delegators.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | name: pre-submit delegators 16 | 17 | on: 18 | pull_request: 19 | branches: [main] 20 | merge_group: 21 | workflow_dispatch: 22 | 23 | permissions: read-all 24 | 25 | jobs: 26 | checkout: 27 | name: verify identical delegators 28 | runs-on: ubuntu-latest 29 | steps: 30 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 31 | - name: Compare diff between the delegator workflows 32 | run: ./.github/workflows/scripts/pre-submit.delegators/compare-diff.sh 33 | -------------------------------------------------------------------------------- /.github/workflows/pre-submit.e2e.maven.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: pre-submit e2e maven 16 | 17 | on: 18 | # builder_maven_slsa3.yml relies on .github/actions/verify-token, which does not support merge_group and pull_request events. 19 | push: 20 | workflow_dispatch: 21 | 22 | permissions: read-all 23 | 24 | env: 25 | GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 26 | 27 | jobs: 28 | build: 29 | permissions: 30 | id-token: write # For signing. 31 | contents: read # For repo checkout of private repos. 32 | actions: read # For getting workflow run on private repos. 
33 | uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@main 34 | with: 35 | directory: ./e2e/maven/workflow_dispatch 36 | -------------------------------------------------------------------------------- /.github/workflows/pre-submit.pr-title.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: PR Title 16 | 17 | on: 18 | pull_request: 19 | types: [opened, edited, reopened, synchronize] 20 | merge_group: 21 | 22 | permissions: read-all 23 | 24 | jobs: 25 | validate: 26 | name: Validate PR Title 27 | runs-on: ubuntu-latest 28 | steps: 29 | - uses: thehanimo/pr-title-checker@7fbfe05602bdd86f926d3fb3bccb6f3aed43bc70 # v1.4.3 30 | with: 31 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 32 | configuration_path: ".github/pr-title-checker-config.json" 33 | -------------------------------------------------------------------------------- /.github/workflows/schedule.issue-reopener.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2024 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "TODO Issue Reopener" 16 | 17 | on: 18 | workflow_dispatch: 19 | schedule: 20 | - cron: "0 0 * * *" 21 | 22 | permissions: {} 23 | 24 | jobs: 25 | issue-reopener: 26 | runs-on: ubuntu-latest 27 | permissions: 28 | issues: write 29 | steps: 30 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 31 | - name: Issue Reopener 32 | uses: ianlewis/todo-issue-reopener@8fbb85e63a9f9b6a4d92d5422cda6a55dfbd266d # v1.6.0 33 | -------------------------------------------------------------------------------- /.github/workflows/scripts/e2e-assert.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eu 2 | # 3 | # Copyright 2023 SLSA Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | source "./.github/workflows/scripts/assert.sh" 18 | 19 | e2e_assert_eq() { 20 | if ! assert_eq "$@"; then 21 | exit 1 22 | fi 23 | } 24 | 25 | e2e_assert_not_eq() { 26 | if ! 
assert_not_eq "$@"; then 27 | exit 1 28 | fi 29 | } 30 | -------------------------------------------------------------------------------- /.github/workflows/scripts/pre-submit.actions/checkout.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eu 2 | # 3 | # Copyright 2023 SLSA Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | # Verify that no internal Actions are using `actions/checkout`. 18 | # See reasoning in ./.github/actions/README.md 19 | 20 | set -euo pipefail 21 | 22 | # NOTE: All actions and workflows should not use actions/checkout. They should 23 | # use an action that uses secure-checkout such as checkout-go, checkout-node 24 | # etc. or use secure-checkout directly. 25 | # TODO(github.com/slsa-framework/slsa-github-generator/issues/626): Check workflows as well and not just actions. 26 | # TODO(github.com/slsa-framework/slsa-github-generator/issues/626): Disallow checkouts for repos other than the repo that triggered the action (i.e. github.repository).
27 | results=$( 28 | grep -r \ 29 | --include='*.yml' \ 30 | --include='*.yaml' \ 31 | --exclude-dir='node_modules' \ 32 | --exclude-dir='secure-project-checkout' \ 33 | --exclude-dir='secure-builder-checkout' \ 34 | -e 'uses: *actions/checkout' \ 35 | .github/actions/* || true 36 | ) 37 | if [[ "$results" != "" ]]; then 38 | echo "Some Actions are using 'actions/checkout'" 39 | echo "$results" 40 | exit 1 41 | fi 42 | -------------------------------------------------------------------------------- /.github/workflows/scripts/pre-submit.actions/secure-upload-folder.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eu 2 | # 3 | # Copyright 2023 SLSA Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | set -euo pipefail 18 | 19 | compare_trees() { 20 | local upload_tree="$1" 21 | local download_tree="$2" 22 | if [[ "${upload_tree}" != "${download_tree}" ]]; then 23 | echo "Folder trees differ: ${upload_tree} != ${download_tree}" 24 | echo "Upload tree: ${upload_tree}" 25 | echo "Download tree: ${download_tree}" 26 | exit 1 27 | fi 28 | } 29 | 30 | original_wd="$PWD" 31 | 32 | download_folder="$1" 33 | upload_folder="$2" 34 | 35 | tree "${download_folder}" 36 | cd "${upload_folder}" 37 | upload_tree=$(tree .) 38 | cd "${original_wd}" 39 | cd "${download_folder}/${upload_folder}" 40 | download_tree=$(tree .) 
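compare_trees "${upload_tree}" "${download_tree}"
--------------------------------------------------------------------------------
/.github/workflows/scripts/pre-submit.apis/verify-safefs.sh:
--------------------------------------------------------------------------------
#!/bin/bash -eu
#
# Copyright 2023 SLSA Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -euo pipefail

# Verify that only safe file functions are used: no Action source may import
# the Node "fs" module directly. The tscommon package is excluded from the
# scan because it is the one place expected to wrap the raw file APIs.
#
# The pattern accepts either quote style and the "node:fs" and "fs/promises"
# spellings of the module, so those variants cannot slip past the check.
# `grep -H` always prints the file name, even when xargs hands grep a single
# file, so the failure output below names the offending file.
results=$(
  find .github/actions/ actions/ -maxdepth 3 -name '*.ts' -not -path "*/tscommon/*" -not -path "*/__tests__/*" -type f -print0 |
    xargs -0 grep -PH "(import.*|require.*)[\"'](node:)?fs(/promises)?[\"']" ||
    true
)
if [[ "$results" != "" ]]; then
  echo "Some Actions are using unsafe file system functions"
  echo "$results"
  exit 1
fi
--------------------------------------------------------------------------------
/.github/workflows/scripts/pre-submit.delegators/compare-diff.sh:
--------------------------------------------------------------------------------
#!/bin/bash -eu
#
# Copyright 2023 SLSA Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.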
7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | set -euo pipefail 18 | 19 | actual_diff=$( 20 | diff .github/workflows/delegator_generic_slsa3.yml .github/workflows/delegator_lowperms-generic_slsa3.yml || 21 | true 22 | ) 23 | expected_diff=$(cat .github/workflows/scripts/pre-submit.delegators/expected.diff) 24 | 25 | if [[ "$expected_diff" != "$actual_diff" ]]; then 26 | echo "Unexpected differences between the delegator workflows" 27 | echo "$actual_diff" 28 | exit 1 29 | fi 30 | -------------------------------------------------------------------------------- /.github/workflows/scripts/pre-submit.delegators/expected.diff: -------------------------------------------------------------------------------- 1 | 15c15,19 2 | < name: SLSA builder delegator 3 | --- 4 | > # This is a version of the delegator workflow that requires as few permissions 5 | > # as possible. TRWs may use this workflow so that they may request fewer 6 | > # GITHUB_TOKEN permissions from end-users. 7 | > 8 | > name: SLSA low-permission builder delegator 9 | 76a81 10 | > 11 | 105c110 12 | < slsa-workflow-recipient: "delegator_generic_slsa3.yml" 13 | --- 14 | > slsa-workflow-recipient: "delegator_lowperms-generic_slsa3.yml" 15 | 137,139c142 16 | < # TODO(#2076): Use dynamic GITHUB_TOKEN permissions. 17 | < contents: write # To release assets. 18 | < packages: write # To publish to GitHub packages. 19 | --- 20 | > contents: read # To checkout private repos. 
21 | -------------------------------------------------------------------------------- /.github/workflows/scripts/pre-submit.e2e.container-based.default.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # 3 | # Copyright 2022 SLSA Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | set -euo pipefail 18 | 19 | source "./.github/workflows/scripts/e2e-verify.common.sh" 20 | 21 | ATTESTATION=$(cat "$PROVENANCE") 22 | 23 | # Verify subject 24 | e2e_verify_predicate_subject_name "$ATTESTATION" "$BINARY" 25 | 26 | WORKFLOW_PATH=$(echo "${GITHUB_WORKFLOW_REF%@*}" | cut -d'/' -f3-) 27 | 28 | # Verify all common provenance fields. 29 | PREDICATE_CONTENT=$(echo "$ATTESTATION" | jq -r '.predicate') 30 | e2e_verify_common_all_v1 "$PREDICATE_CONTENT" 31 | e2e_verify_predicate_v1_runDetails_builder_id "$PREDICATE_CONTENT" "https://github.com/$GITHUB_HEAD_REPOSITORY/$WORKFLOW_PATH@$HEAD_SHA" 32 | e2e_verify_predicate_v1_buildDefinition_buildType "$PREDICATE_CONTENT" "https://slsa.dev/container-based-build/v0.1?draft" 33 | 34 | # Verify source: note that the source ref in the uri for pull request events is omitted, 35 | # the source digest is present. Checking out at a pull request merge reference is not 36 | # supported. 
37 | e2e_verify_predicate_v1_buildDefinition_externalParameters_source "$PREDICATE_CONTENT" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY\",\"digest\":{\"sha1\":\"$GITHUB_SHA\"}}" 38 | -------------------------------------------------------------------------------- /.github/workflows/scripts/pre-submit.e2e.generic.default.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # 3 | # Copyright 2022 SLSA Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | set -euo pipefail 18 | 19 | source "./.github/workflows/scripts/e2e-verify.common.sh" 20 | 21 | # TODO(github.com/slsa-framework/slsa-github-generator/issues/129): Address base64 output format. 22 | ATTESTATION=$(cat "$PROVENANCE") 23 | 24 | # Verify common provenance fields. 
25 | e2e_verify_common_all "$ATTESTATION" 26 | 27 | e2e_verify_predicate_subject_name "$ATTESTATION" "$BINARY" 28 | e2e_verify_predicate_buildType "$ATTESTATION" "https://github.com/slsa-framework/slsa-github-generator/generic@v1" 29 | -------------------------------------------------------------------------------- /.github/workflows/scripts/pre-submit.markdown/markdown-toc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eu 2 | # 3 | # Copyright 2023 SLSA Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | # This script runs markdown-toc on Markdown files and detects if the table of 18 | # contents has not been regenerated. 19 | 20 | set -euo pipefail 21 | 22 | if [ "$(GIT_PAGER="cat" git diff --ignore-space-at-eol | wc -l)" -gt "0" ]; then 23 | echo "Detected TOC changes. See status below:" 24 | GIT_PAGER="cat" git diff 25 | exit 1 26 | fi 27 | -------------------------------------------------------------------------------- /.github/workflows/scripts/schedule.actions/verify-container_based-predicate.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eu 2 | # 3 | # Copyright 2023 SLSA Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | set -euo pipefail 18 | 19 | source "./.github/workflows/scripts/e2e-assert.sh" 20 | source "./.github/workflows/scripts/e2e-verify.common.sh" 21 | 22 | echo "PREDICATE: $PREDICATE" 23 | PREDICATE_CONTENT=$(<"$PREDICATE") 24 | echo "PREDICATE_CONTENT: $PREDICATE_CONTENT" 25 | 26 | # Verify common predicate fields. 27 | e2e_verify_common_all_v1 "$PREDICATE_CONTENT" 28 | e2e_verify_predicate_v1_buildDefinition_buildType "$PREDICATE_CONTENT" "https://slsa.dev/container-based-build/v0.1?draft" 29 | e2e_verify_predicate_v1_runDetails_builder_id "$PREDICATE_CONTENT" "https://github.com/$GITHUB_REPOSITORY/.github/workflows/e2e.create-container_based-predicate.schedule.yml@$GITHUB_REF" 30 | 31 | # Verify source 32 | e2e_verify_predicate_v1_buildDefinition_externalParameters_source "$PREDICATE_CONTENT" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$GITHUB_SHA\"}}" 33 | # Verify resolved dependencies contains both the source and repo commit (first) and then builder binary with a sha256 digest of its binary. 
34 | e2e_verify_predicate_v1_buildDefinition_resolvedDependencies "$PREDICATE_CONTENT" "[{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$GITHUB_SHA\"}},{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha256\":\"46b3ce0fbb2998880c5518225b41ddf49fc0850b9b9a25e1ac944bc587c03ea7\"}}]" 35 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore the .git directory (for markdownlint) 2 | .git 3 | 4 | # Binaries for programs and plugins 5 | *.exe 6 | *.exe~ 7 | *.dll 8 | *.so 9 | *.dylib 10 | 11 | # Test binary, built with `go test -c` 12 | *.test 13 | 14 | # Output of the go coverage tool, specifically when used with LiteIDE 15 | *.out 16 | 17 | # Dependency directories (remove the comment below to include it) 18 | vendor/ 19 | node_modules/ 20 | 21 | # maven 22 | target/ 23 | 24 | # Go workspace file 25 | go.work 26 | go.work.sum 27 | 28 | # goland 29 | .idea 30 | 31 | -------------------------------------------------------------------------------- /.markdownlintignore: -------------------------------------------------------------------------------- 1 | # Ignore the .git directory 2 | .git 3 | 4 | # Dependency directories (remove the comment below to include it) 5 | vendor/ 6 | node_modules/ 7 | 8 | # Vendored third_party code. 9 | third_party/ 10 | -------------------------------------------------------------------------------- /.yamllint.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | --- 16 | extends: default 17 | 18 | ignore: | 19 | node_modules/ 20 | vendor/ 21 | 22 | rules: 23 | comments: 24 | # prettier formats comments one space from content 25 | min-spaces-from-content: 1 26 | document-start: disable 27 | line-length: disable 28 | truthy: 29 | allowed-values: ["true", "false"] 30 | # Allow Github Actions keys like 'on' 31 | check-keys: false 32 | comments-indentation: false 33 | indentation: 34 | spaces: 2 35 | indent-sequences: true 36 | check-multi-line-strings: false 37 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @slsa-framework/tool-maintainers @slsa-framework/slsa-tool-reviewers 2 | SECURITY.md @slsa-framework/tool-maintainers @slsa-framework/slsa-tool-reviewers 3 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Code of Conduct 2 | 3 | Please read the [Code of Conduct] in the [slsa-framework/governance] repository. 
4 | 5 | [code of conduct]: https://github.com/slsa-framework/governance/blob/main/8._Code_of_Conduct.md 6 | [slsa-framework/governance]: https://github.com/slsa-framework/governance 7 | -------------------------------------------------------------------------------- /RENOVATE.md: -------------------------------------------------------------------------------- 1 | # Renovate Best Practices and SLSA-GitHub-Generator 2 | 3 | Renovate helps users to enforce security best practices when continuously upgrading GitHub actions. 4 | 5 | Renovate provides a configuration snippet, which is used by most GitHub projects, to [automatically pin dependencies using the digest](https://docs.renovatebot.com/presets-helpers/#helperspingithubactiondigests) instead of git tags: `helpers:pinGitHubActionDigests`. 6 | 7 | To add an exception to this rule for slsa-github-generator add the following package rule to your `renovate.json` config. 8 | 9 | ```json 10 | "packageRules": [ 11 | { 12 | "matchManagers": ["github-actions"], 13 | "matchPackageNames": ["slsa-framework/slsa-github-generator"], 14 | "pinDigests": false 15 | } 16 | ] 17 | ``` 18 | 19 | This will enable you to receive upgrades for the generator and keep the tagged version. 20 | -------------------------------------------------------------------------------- /actions/delegator/random/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "random generation for delegator" 16 | description: "Generate random bytes using /dev/urandom. WARNING: only use for non-cryptographic purposes (the results will show in logs)." 17 | inputs: 18 | length: 19 | description: "Number of raw random bytes to generate." 20 | default: 16 21 | required: false 22 | outputs: 23 | random: 24 | description: > 25 | The output of the RNG encoded in hexadecimal. 26 | Note: Due to the encoding, the length of the string will be twice as long as the input length requested by the user. 27 | value: "${{ steps.rng.outputs.random }}" 28 | 29 | runs: 30 | using: "composite" 31 | steps: 32 | - name: Generate random value 33 | id: rng 34 | uses: slsa-framework/slsa-github-generator/.github/actions/rng@main 35 | -------------------------------------------------------------------------------- /actions/delegator/secure-attestations-download/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "Secure attestations download for delegator" 16 | description: "Download a set of attestations and verify their SHA256" 17 | inputs: 18 | name: 19 | description: "Artifact name. (Note: this is a name given to an upload, not the path or filename)." 
20 | required: true 21 | path: 22 | description: "The path to download the attestations into. (Must be under the GITHUB_WORKSPACE)" 23 | required: false 24 | default: "." 25 | sha256: 26 | description: "SHA256 of the file for verification." 27 | required: true 28 | 29 | runs: 30 | using: "composite" 31 | steps: 32 | - name: Download the attestations 33 | uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main 34 | with: 35 | name: ${{ inputs.name }} 36 | path: ${{ inputs.path }} 37 | sha256: ${{ inputs.sha256 }} 38 | -------------------------------------------------------------------------------- /actions/delegator/secure-download-folder/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "Secure folder download for delegator" 16 | description: "Download a folder and verify their SHA256" 17 | inputs: 18 | name: 19 | description: "Artifact name. (Note: this is a name given to an upload, not the path or filename)." 20 | required: true 21 | path: 22 | description: "The path to download the attestations into. (Must be under the GITHUB_WORKSPACE)" 23 | required: false 24 | default: "." 25 | sha256: 26 | description: "SHA256 of the file for verification." 
27 | required: true 28 | 29 | runs: 30 | using: "composite" 31 | steps: 32 | - name: Download the folder 33 | uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main 34 | with: 35 | name: ${{ inputs.name }} 36 | path: ${{ inputs.path }} 37 | sha256: ${{ inputs.sha256 }} 38 | -------------------------------------------------------------------------------- /actions/delegator/secure-upload-folder/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "Secure folder upload for delegator" 16 | description: "Upload a folder as a tarball and outputs its SHA256" 17 | inputs: 18 | name: 19 | description:: > 20 | Artifact name. 21 | The caller is responsible to provide a name that is unique and does not collise with other artifacts. 22 | An example is to use `${RNG}-artifact`. 23 | required: true 24 | path: 25 | description: "Path to the folder" 26 | required: true 27 | outputs: 28 | sha256: 29 | description: "SHA256 of the uploaded tarball." 
30 | value: "${{ steps.upload.outputs.sha256 }}" 31 | 32 | runs: 33 | using: "composite" 34 | steps: 35 | - name: Upload the folder 36 | id: upload 37 | uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@main 38 | with: 39 | name: ${{ inputs.name }} 40 | path: ${{ inputs.path }} 41 | -------------------------------------------------------------------------------- /actions/delegator/setup-generic/.eslintignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /actions/delegator/setup-generic/.gitignore: -------------------------------------------------------------------------------- 1 | # Dependency directory 2 | node_modules 3 | 4 | # Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore 5 | # Logs 6 | logs 7 | *.log 8 | npm-debug.log* 9 | yarn-debug.log* 10 | yarn-error.log* 11 | lerna-debug.log* 12 | 13 | # Diagnostic reports (https://nodejs.org/api/report.html) 14 | report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json 15 | 16 | # Runtime data 17 | pids 18 | *.pid 19 | *.seed 20 | *.pid.lock 21 | 22 | # Directory for instrumented libs generated by jscoverage/JSCover 23 | lib-cov 24 | 25 | # Coverage directory used by tools like istanbul 26 | coverage 27 | *.lcov 28 | 29 | # nyc test coverage 30 | .nyc_output 31 | 32 | # Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) 33 | .grunt 34 | 35 | # Bower dependency directory (https://bower.io/) 36 | bower_components 37 | 38 | # node-waf configuration 39 | .lock-wscript 40 | 41 | # Compiled binary addons (https://nodejs.org/api/addons.html) 42 | build/Release 43 | 44 | # Dependency directories 45 | jspm_packages/ 46 | 47 | # TypeScript v1 declaration files 48 | typings/ 49 | 50 | # TypeScript cache 51 | *.tsbuildinfo 52 | 53 | # Optional npm cache directory 54 | .npm 55 | 56 | # Optional 
eslint cache 57 | .eslintcache 58 | 59 | # Optional REPL history 60 | .node_repl_history 61 | 62 | # Output of 'npm pack' 63 | *.tgz 64 | 65 | # Yarn Integrity file 66 | .yarn-integrity 67 | 68 | # dotenv environment variables file 69 | .env 70 | .env.test 71 | 72 | # parcel-bundler cache (https://parceljs.org/) 73 | .cache 74 | 75 | # next.js build output 76 | .next 77 | 78 | # nuxt.js build output 79 | .nuxt 80 | 81 | # vuepress build output 82 | .vuepress/dist 83 | 84 | # Serverless directories 85 | .serverless/ 86 | 87 | # FuseBox cache 88 | .fusebox/ 89 | 90 | # DynamoDB Local files 91 | .dynamodb/ 92 | 93 | # OS metadata 94 | .DS_Store 95 | Thumbs.db 96 | 97 | # Ignore built ts files 98 | __tests__/runner/* 99 | lib/**/* -------------------------------------------------------------------------------- /actions/delegator/setup-generic/.prettierignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | lib/ 3 | node_modules/ 4 | -------------------------------------------------------------------------------- /actions/delegator/setup-generic/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | SHELL := /bin/bash 16 | ACTION_NAME = $(shell basename "$$(pwd)") 17 | 18 | .PHONY: help 19 | help: ## Shows all targets and help from the Makefile (this message). 
20 | @echo "$(ACTION_NAME) Makefile" 21 | @echo "Usage: make [COMMAND]" 22 | @echo "" 23 | @grep --no-filename -E '^([/a-z.A-Z0-9_%-]+:.*?|)##' $(MAKEFILE_LIST) | \ 24 | awk 'BEGIN {FS = "(:.*?|)## ?"}; { \ 25 | if (length($$1) > 0) { \ 26 | printf " \033[36m%-20s\033[0m %s\n", $$1, $$2; \ 27 | } else { \ 28 | if (length($$2) > 0) { \ 29 | printf "%s\n", $$2; \ 30 | } \ 31 | } \ 32 | }' 33 | 34 | node_modules/.installed: package.json package-lock.json 35 | npm ci 36 | touch node_modules/.installed 37 | 38 | .PHONY: action 39 | action: node_modules/.installed ## Builds the action. 40 | npm run build 41 | 42 | .PHONY: package 43 | package: action ## Builds the distribution package. 44 | npm run package 45 | 46 | .PHONY: clean 47 | clean: 48 | rm -rf dist lib node_modules 49 | 50 | ## Tools 51 | ##################################################################### 52 | 53 | .PHONY: format 54 | format: node_modules/.installed ## Formats code. 55 | npm run format 56 | 57 | ## Testing 58 | ##################################################################### 59 | 60 | .PHONY: lint 61 | lint: node_modules/.installed ## Runs eslint. 
62 | npm run lint 63 | -------------------------------------------------------------------------------- /actions/delegator/setup-generic/README.md: -------------------------------------------------------------------------------- 1 | # setup-token 2 | 3 | The token has the following format: 4 | 5 | ```text 6 | token := B64_BUNDLE.B64_TOKEN 7 | ``` 8 | 9 | where 10 | 11 | ```text 12 | B64_TOKEN := base64(JSON_RAW_TOKEN) 13 | B64_BUNDLE := base64(Sign(B64_TOKEN)) 14 | ``` 15 | -------------------------------------------------------------------------------- /actions/delegator/setup-generic/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "setup-token", 3 | "version": "1.0.0", 4 | "description": "Create a SLSA token for the delegated workflow", 5 | "main": "lib/main.js", 6 | "scripts": { 7 | "ci": "npm ci", 8 | "build": "tsc", 9 | "format": "prettier --write '**/*.ts'", 10 | "format-check": "prettier --check '**/*.ts'", 11 | "package": "ncc build --source-map", 12 | "lint": "eslint --max-warnings 0 src/**/*.ts", 13 | "all": "npm ci && npm run format && npm run lint && npm run build && npm run package", 14 | "test": "echo \"Error: no test specified\" && exit 1" 15 | }, 16 | "bin": { 17 | "setup-token": "bin/setup-token.js" 18 | }, 19 | "keywords": [], 20 | "author": "", 21 | "license": "Apache-2.0", 22 | "dependencies": { 23 | "@actions/core": "1.11.1", 24 | "@actions/github": "6.0.0", 25 | "@sigstore/rekor-types": "2.0.0", 26 | "sigstore": "2.3.1", 27 | "tscommon": "file:../../../.github/actions/tscommon/tscommon-0.0.0.tgz" 28 | }, 29 | "devDependencies": { 30 | "@types/make-fetch-happen": "10.0.4", 31 | "@types/node": "20.17.19", 32 | "@typescript-eslint/eslint-plugin": "6.21.0", 33 | "@typescript-eslint/parser": "6.21.0", 34 | "@vercel/ncc": "0.38.3", 35 | "eslint": "8.57.1", 36 | "eslint-plugin-github": "4.10.2", 37 | "eslint-plugin-prettier": "5.2.3", 38 | "prettier": "3.5.1", 39 | "typescript": "5.7.3" 
40 | } 41 | } 42 | -------------------------------------------------------------------------------- /actions/delegator/setup-generic/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target": "es6", /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */ 4 | "module": "commonjs", /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */ 5 | "outDir": "./lib", /* Redirect output structure to the directory. */ 6 | "rootDir": "./src", /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */ 7 | "strict": true, /* Enable all strict type-checking options. */ 8 | "noImplicitAny": true, /* Raise error on expressions and declarations with an implied 'any' type. */ 9 | "esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. 
*/ 10 | }, 11 | "exclude": ["node_modules", "**/*.test.ts"] 12 | } 13 | -------------------------------------------------------------------------------- /actions/gradle/publish/images/gradle-publisher-release-closed-repository.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/slsa-framework/slsa-github-generator/24e3463c4c5882ca81483811c54212c50464a629/actions/gradle/publish/images/gradle-publisher-release-closed-repository.png -------------------------------------------------------------------------------- /actions/gradle/publish/images/gradle-publisher-staging-repository.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/slsa-framework/slsa-github-generator/24e3463c4c5882ca81483811c54212c50464a629/actions/gradle/publish/images/gradle-publisher-staging-repository.png -------------------------------------------------------------------------------- /actions/gradle/secure-download-attestations/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
name: "Secure attestation download for maven builder"
20 | required: true 21 | path: 22 | description: "The path to download the target directory into. (Must be under the GITHUB_WORKSPACE)" 23 | required: true 24 | sha256: 25 | description: "SHA256 of the file for verification." 26 | required: true 27 | 28 | runs: 29 | using: "composite" 30 | steps: 31 | - name: Download the target directory 32 | uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main 33 | with: 34 | name: ${{ inputs.name }} 35 | path: ${{ inputs.path }} 36 | sha256: ${{ inputs.sha256 }} 37 | -------------------------------------------------------------------------------- /actions/maven/secure-download-attestations/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "Secure attestion download for maven builder" 16 | description: "Download the attestations-directory produced by the Maven builder and verify its SHA256" 17 | inputs: 18 | name: 19 | description: "Name of provenance directory. This is generated by the Maven builder." 20 | required: true 21 | path: 22 | description: "The path to download the attestations directory into. (Must be under the GITHUB_WORKSPACE)" 23 | required: true 24 | sha256: 25 | description: "SHA256 of the file for verification. 
This is generated by the Maven builder" 26 | required: true 27 | 28 | runs: 29 | using: "composite" 30 | steps: 31 | - name: Download the attestation directory 32 | uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main 33 | with: 34 | name: ${{ inputs.name }} 35 | path: ${{ inputs.path }} 36 | sha256: ${{ inputs.sha256 }} 37 | -------------------------------------------------------------------------------- /actions/maven/secure-download-target/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "Secure target directory download for maven builder" 16 | description: "Download the 'target'-directory and verify its SHA256" 17 | inputs: 18 | name: 19 | description: "Name of the target directory. The Maven builder makes this 'target'." 20 | required: true 21 | path: 22 | description: "The path to download the target directory into. (Must be under the GITHUB_WORKSPACE)" 23 | required: true 24 | sha256: 25 | description: "SHA256 of the file for verification." 
26 | required: true 27 | 28 | runs: 29 | using: "composite" 30 | steps: 31 | - name: Download the target directory 32 | uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main 33 | with: 34 | name: ${{ inputs.name }} 35 | path: ${{ inputs.path }} 36 | sha256: ${{ inputs.sha256 }} 37 | -------------------------------------------------------------------------------- /actions/nodejs/secure-attestations-download/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "Secure attestations download for nodejs builder" 16 | description: "Download a set of attestations and verify their SHA256" 17 | inputs: 18 | name: 19 | description: "Artifact name. (Note: this is a name given to an upload, not the path or filename)." 20 | required: true 21 | path: 22 | description: "The path to download the attestations into. (Must be under the GITHUB_WORKSPACE)" 23 | required: false 24 | default: "." 25 | sha256: 26 | description: "SHA256 of the file for verification." 
27 | required: true 28 | 29 | runs: 30 | using: "composite" 31 | steps: 32 | - name: Download the attestations 33 | uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main 34 | with: 35 | name: ${{ inputs.name }} 36 | path: ${{ inputs.path }} 37 | sha256: ${{ inputs.sha256 }} 38 | -------------------------------------------------------------------------------- /actions/nodejs/secure-package-download/README.md: -------------------------------------------------------------------------------- 1 | # secure-package-download 2 | 3 | the `actions/nodejs/secure-package-download` action provides a way to 4 | download the Node.js package tarball generated by the [Node.js 5 | builder](../../../internal/builders/nodejs/README.md). The package can then 6 | be used to publish the package or upload to a secondary storage. 7 | 8 | ## Example 9 | 10 | ```yaml 11 | jobs: 12 | build: 13 | permissions: 14 | id-token: write 15 | contents: read 16 | actions: read 17 | if: startsWith(github.ref, 'refs/tags/') 18 | uses: slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@v2.1.0 19 | with: 20 | run-scripts: "ci, build" 21 | 22 | download: 23 | needs: [build] 24 | runs-on: ubuntu-latest 25 | steps: 26 | - name: Download tarball 27 | uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-package-download@v2.1.0 28 | with: 29 | name: ${{ needs.build.outputs.package-download-name }} 30 | path: ${{ needs.build.outputs.package-name }} 31 | sha256: ${{ needs.build.outputs.package-download-sha256 }} 32 | ``` 33 | 34 | This will download the package tarball to `/`. 35 | 36 | See [Custom Publishing](../../../internal/builders/nodejs/README.md#custom-publishing) for 37 | a full example of publishing using a custom tool. 
38 | 39 | ## Inputs 40 | 41 | | Name | Required | Default | Description | 42 | | -------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------- | 43 | | `name` | yes | | The GitHub Actions workflow run artifact name. Note that this is a name given to an upload, not the path or filename | 44 | | `path` | no | "." | The path to download the tarball into. Must be under the `GITHUB_WORKSPACE` | 45 | | `sha256` | yes | | The SHA256 of the artifact for verification | 46 | 47 | ## Outputs 48 | 49 | There are no outputs. 50 | -------------------------------------------------------------------------------- /actions/nodejs/secure-package-download/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: "Secure package download for nodejs builder" 16 | description: "Download a package tarball and verify its SHA256" 17 | inputs: 18 | name: 19 | description: "Artifact name. (Note: this is a name given to an upload, not the path or filename)." 20 | required: true 21 | path: 22 | description: "The path to download the package tgz into. (Must be under the GITHUB_WORKSPACE)" 23 | required: true 24 | sha256: 25 | description: "SHA256 of the file for verification." 
26 | required: true 27 | 28 | runs: 29 | using: "composite" 30 | steps: 31 | - name: Download the package 32 | uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@main 33 | with: 34 | name: ${{ inputs.name }} 35 | path: ${{ inputs.path }} 36 | sha256: ${{ inputs.sha256 }} 37 | -------------------------------------------------------------------------------- /e2e/README.md: -------------------------------------------------------------------------------- 1 | # E2E Tests 2 | 3 | This folder contains test data for some end-to-end (E2E) tests. 4 | -------------------------------------------------------------------------------- /e2e/maven/workflow_dispatch/src/main/java/hello/Greeter.java: -------------------------------------------------------------------------------- 1 | package hello; 2 | 3 | public class Greeter { 4 | public String sayHello() { 5 | return "Hello world!"; 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /e2e/maven/workflow_dispatch/src/main/java/hello/HelloWorld.java: -------------------------------------------------------------------------------- 1 | package hello; 2 | 3 | public class HelloWorld { 4 | public static void main(String[] args) { 5 | Greeter greeter = new Greeter(); 6 | System.out.println(greeter.sayHello()); 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /github/client.go: -------------------------------------------------------------------------------- 1 | // Copyright 2023 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package github 16 | 17 | import ( 18 | "context" 19 | 20 | "github.com/google/go-github/v57/github" 21 | "golang.org/x/oauth2" 22 | ) 23 | 24 | // NewGithubClient returns a new GitHub API client authenticated using the 25 | // token from the GitHub context. 26 | func NewGithubClient(ctx context.Context) (*github.Client, error) { 27 | t, err := GetToken() 28 | if err != nil { 29 | return nil, err 30 | } 31 | return github.NewClient(oauth2.NewClient(ctx, oauth2.StaticTokenSource( 32 | &oauth2.Token{AccessToken: t}, 33 | ))), nil 34 | } 35 | -------------------------------------------------------------------------------- /github/set_output.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // https://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package github 16 | 17 | import ( 18 | "fmt" 19 | "os" 20 | ) 21 | 22 | // SetOutput writes a name value pair to a file located at GITHUB_OUTPUT. 
23 | func SetOutput(name, value string) error { 24 | if filename := os.Getenv("GITHUB_OUTPUT"); filename != "" { 25 | f, err := os.OpenFile(filename, os.O_APPEND|os.O_WRONLY, 0o666) 26 | if err != nil { 27 | return err 28 | } 29 | defer f.Close() 30 | 31 | if _, err := f.WriteString(name + "=" + value + "\n"); err != nil { 32 | return err 33 | } 34 | } else { 35 | // TODO(asraa): When set-output is EOL, remove this fallback. 36 | fmt.Printf("::set-output name=%s=%s\n", name, value) 37 | } 38 | return nil 39 | } 40 | -------------------------------------------------------------------------------- /images/byob-design.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/slsa-framework/slsa-github-generator/24e3463c4c5882ca81483811c54212c50464a629/images/byob-design.png -------------------------------------------------------------------------------- /internal/builders/bazel/generate-layout.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eu 2 | # 3 | # Copyright 2023 SLSA Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
16 | 17 | set -euo pipefail 18 | 19 | # Long directory name to avoid collisions with user's folder names 20 | binaries_dir="bazel_builder_binaries_to_upload_to_gh_7bc972367cb286b7f36ab4457f06e369" 21 | 22 | # "version" and "attestations" fields: 23 | echo -e -n "{\n \"version\": 1,\n \"attestations\": [" >>"$SLSA_OUTPUTS_ARTIFACTS_FILE" 24 | 25 | num_binary_files=$(find ./${binaries_dir} -type f | wc -l) 26 | counter=1 27 | 28 | # Add one attestation per binary: 29 | find ./${binaries_dir} -type f -print0 | while read -r -d $'\0' fname; do 30 | bn=$(basename -- "$fname") 31 | hash=$(sha256sum "$fname" | awk '{print $1}') 32 | 33 | echo -n " 34 | { 35 | \"name\": \"${bn}\", 36 | \"subjects\": [ 37 | { \"name\": \"${bn}\", 38 | \"digest\": { \"sha256\": \"${hash}\" } 39 | } 40 | ] 41 | }" >>"$SLSA_OUTPUTS_ARTIFACTS_FILE" 42 | 43 | # Add comma between attestations and not after the last 44 | if [[ "$counter" != "$num_binary_files" ]]; then 45 | echo -n "," >>"$SLSA_OUTPUTS_ARTIFACTS_FILE" 46 | fi 47 | 48 | counter="$((counter + 1))" 49 | done 50 | 51 | # Close "attestations" and "version": 52 | echo -e "\n ]" >>"$SLSA_OUTPUTS_ARTIFACTS_FILE" 53 | echo "}" >>"$SLSA_OUTPUTS_ARTIFACTS_FILE" 54 | cat "$SLSA_OUTPUTS_ARTIFACTS_FILE" 55 | -------------------------------------------------------------------------------- /internal/builders/common/buildtype.go: -------------------------------------------------------------------------------- 1 | // Copyright 2023 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package common 16 | 17 | import "github.com/slsa-framework/slsa-github-generator/slsa" 18 | 19 | // GenericBuild is a very generic build type where build type can be specified. 20 | type GenericBuild struct { 21 | *slsa.GithubActionsBuild 22 | BuildTypeURI string 23 | } 24 | 25 | // URI implements BuildType.URI. 26 | func (b *GenericBuild) URI() string { 27 | return b.BuildTypeURI 28 | } 29 | -------------------------------------------------------------------------------- /internal/builders/container/main.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // https://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package main 16 | 17 | import ( 18 | "errors" 19 | "fmt" 20 | "os" 21 | 22 | // Enable the github OIDC auth provider. 23 | _ "github.com/sigstore/cosign/v2/pkg/providers/github" 24 | 25 | "github.com/spf13/cobra" 26 | ) 27 | 28 | // containerBuildType is the URI for generic container SLSA generation. 
29 | var containerBuildType = "https://github.com/slsa-framework/slsa-github-generator/container@v1" 30 | 31 | func checkExit(err error) { 32 | if err != nil { 33 | fmt.Fprintln(os.Stderr, err) 34 | os.Exit(1) 35 | } 36 | } 37 | 38 | func rootCmd() *cobra.Command { 39 | c := &cobra.Command{ 40 | Use: "slsa-generator-container", 41 | Short: "Generate SLSA provenance for containers on Github Actions", 42 | Long: `Generate SLSA provenance for containers on Github Actions. 43 | For more information on SLSA, visit https://slsa.dev`, 44 | RunE: func(_ *cobra.Command, _ []string) error { 45 | return errors.New("expected command") 46 | }, 47 | } 48 | c.AddCommand(versionCmd()) 49 | c.AddCommand(generateCmd(nil, checkExit)) 50 | return c 51 | } 52 | 53 | func main() { 54 | checkExit(rootCmd().Execute()) 55 | } 56 | -------------------------------------------------------------------------------- /internal/builders/container/version.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // https://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | package main 16 | 17 | import ( 18 | "fmt" 19 | 20 | "github.com/spf13/cobra" 21 | 22 | "github.com/slsa-framework/slsa-github-generator/version" 23 | ) 24 | 25 | func versionCmd() *cobra.Command { 26 | return &cobra.Command{ 27 | Use: "version", 28 | Short: "Print the version and exit", 29 | Run: func(_ *cobra.Command, _ []string) { 30 | fmt.Println(version.Version) 31 | }, 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /internal/builders/docker/main.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // https://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package main 16 | 17 | import ( 18 | "errors" 19 | "fmt" 20 | "os" 21 | 22 | "github.com/spf13/cobra" 23 | ) 24 | 25 | func checkExit(err error) { 26 | if err != nil { 27 | fmt.Fprintln(os.Stderr, err) 28 | os.Exit(1) 29 | } 30 | } 31 | 32 | func rootCmd() *cobra.Command { 33 | cmd := &cobra.Command{ 34 | Use: "slsa-docker-based-generator [COMMAND] [FLAGS]", 35 | Short: "Generate SLSA provenance for artifacts built using a docker builder image", 36 | Long: `Generate SLSA provenance for artifacts built using a docker builder image. 
37 | For more information on SLSA, visit https://slsa.dev`, 38 | RunE: func(_ *cobra.Command, _ []string) error { 39 | return errors.New("expecting a command") 40 | }, 41 | } 42 | cmd.AddCommand(DryRunCmd(checkExit)) 43 | cmd.AddCommand(BuildCmd(checkExit)) 44 | cmd.AddCommand(VerifyCmd(checkExit)) 45 | return cmd 46 | } 47 | 48 | func main() { 49 | checkExit(rootCmd().Execute()) 50 | } 51 | -------------------------------------------------------------------------------- /internal/builders/docker/pkg/options.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // https://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package pkg 16 | 17 | import "github.com/spf13/cobra" 18 | 19 | // InputOptions are the common options for the dry run and build command. 20 | type InputOptions struct { 21 | BuildConfigPath string 22 | SourceRepo string 23 | GitCommitHash string 24 | BuilderImage string 25 | ForceCheckout bool 26 | Verbose bool 27 | } 28 | 29 | // AddFlags adds input flags to the given command. 
30 | func (io *InputOptions) AddFlags(cmd *cobra.Command) { 31 | cmd.Flags().StringVarP(&io.BuildConfigPath, "build-config-path", "c", "", 32 | "Required - Path to a toml file containing the build configs.") 33 | 34 | cmd.Flags().StringVarP(&io.SourceRepo, "source-repo", "s", "", 35 | "Required - URL of the source repo.") 36 | 37 | cmd.Flags().StringVarP(&io.GitCommitHash, "git-commit-digest", "d", "", 38 | "Required - SHA1 Git commit digest of the revision of the source code to build the artefact from.") 39 | 40 | cmd.Flags().StringVarP(&io.BuilderImage, "builder-image", "i", "", 41 | "Required - URL indicating the Docker builder image, including a URI and image digest.") 42 | 43 | cmd.Flags().BoolVarP(&io.ForceCheckout, "force-checkout", "f", false, 44 | "Optional - Forces checking out the source code from the given Git repo.") 45 | 46 | cmd.Flags().BoolVarP(&io.Verbose, "verbose", "v", false, 47 | "Optional - Prints all logs and errors in console.") 48 | } 49 | -------------------------------------------------------------------------------- /internal/builders/docker/testdata/build-definition.json: -------------------------------------------------------------------------------- 1 | { 2 | "buildType": "https://slsa.dev/container-based-build/v0.1?draft", 3 | "externalParameters": { 4 | "source": { 5 | "uri": "git+https://github.com/slsa-framework/slsa-github-generator@refs/heads/main", 6 | "digest": { 7 | "sha1": "cf5804b5c6f1a4b2a0b03401a487dfdfbe3a5f00" 8 | } 9 | }, 10 | "builderImage": { 11 | "uri": "bash@sha256:9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9", 12 | "digest": { 13 | "sha256": "9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9" 14 | } 15 | }, 16 | "buildConfig": { 17 | "artifactPath": "config.toml", 18 | "command": [ 19 | "cp", 20 | "internal/builders/docker/testdata/config.toml", 21 | "config.toml" 22 | ] 23 | }, 24 | "configPath": "internal/builders/docker/testdata/config.toml" 25 | }, 26 | 
"resolvedDependencies": [ 27 | { 28 | "uri": "git+https://github.com/slsa-framework/slsa-github-generator@refs/heads/main", 29 | "digest": { 30 | "sha1": "cf5804b5c6f1a4b2a0b03401a487dfdfbe3a5f00" 31 | } 32 | } 33 | ] 34 | } -------------------------------------------------------------------------------- /internal/builders/docker/testdata/config.toml: -------------------------------------------------------------------------------- 1 | # Simple command for generating a file. 2 | command = ["cp", "internal/builders/docker/testdata/config.toml", "config.toml"] 3 | # Path to the file generated by the command above. 4 | artifact_path = "config.toml" 5 | -------------------------------------------------------------------------------- /internal/builders/docker/testdata/slsa1-provenance.json: -------------------------------------------------------------------------------- 1 | { 2 | "_type": "https://in-toto.io/Statement/v0.1", 3 | "predicateType": "https://slsa.dev/provenance/v1.0", 4 | "subject": [ 5 | { 6 | "name": "config.toml", 7 | "digest": { 8 | "sha256": "975a0582b8c9607f3f20a6b8cfef01b25823e68c5c3658e6e1ccaaced2a3255d" 9 | } 10 | } 11 | ], 12 | "predicate": { 13 | "buildDefinition": { 14 | "buildType": "https://slsa.dev/container-based-build/v0.1?draft", 15 | "externalParameters": { 16 | "source": { 17 | "uri": "git+https://github.com/slsa-framework/slsa-github-generator@refs/heads/main", 18 | "digest": { 19 | "sha1": "cf5804b5c6f1a4b2a0b03401a487dfdfbe3a5f00" 20 | } 21 | }, 22 | "builderImage": { 23 | "uri": "bash@sha256:9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9", 24 | "digest": { 25 | "sha256": "9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9" 26 | } 27 | }, 28 | "configPath": "internal/builders/docker/testdata/config.toml", 29 | "buildConfig": { 30 | "ArtifactPath": "config.toml", 31 | "Command": [ 32 | "cp", 33 | "internal/builders/docker/testdata/config.toml", 34 | "config.toml" 35 | ] 36 | } 37 | }, 38 | 
"resolvedDependencies": [ 39 | { 40 | "uri": "git+https://github.com/slsa-framework/slsa-github-generator@refs/heads/main", 41 | "digest": { 42 | "sha1": "cf5804b5c6f1a4b2a0b03401a487dfdfbe3a5f00" 43 | } 44 | } 45 | ] 46 | } 47 | } 48 | } -------------------------------------------------------------------------------- /internal/builders/docker/testdata/wildcard-config.toml: -------------------------------------------------------------------------------- 1 | # Simple command for generating a file. 2 | command = ["cp", "-r", "internal/builders/docker/testdata", "."] 3 | # Path to the file generated by the command above. 4 | artifact_path = "testdata/*.toml" 5 | -------------------------------------------------------------------------------- /internal/builders/generic/main.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // https://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package main 16 | 17 | import ( 18 | "errors" 19 | 20 | // TODO: Allow use of other OIDC providers? 21 | // Enable the github OIDC auth provider. 
22 | _ "github.com/sigstore/cosign/v2/pkg/providers/github" 23 | "github.com/slsa-framework/slsa-github-generator/signing/sigstore" 24 | 25 | "github.com/spf13/cobra" 26 | ) 27 | 28 | func rootCmd() *cobra.Command { 29 | c := &cobra.Command{ 30 | Use: "slsa-generator-generic", 31 | Short: "Generate SLSA provenance for Github Actions", 32 | Long: `Generate SLSA provenance for Github Actions. 33 | For more information on SLSA, visit https://slsa.dev`, 34 | RunE: func(_ *cobra.Command, _ []string) error { 35 | return errors.New("expected command") 36 | }, 37 | } 38 | c.AddCommand(versionCmd()) 39 | c.AddCommand(attestCmd(nil, checkExit, sigstore.NewDefaultBundleSigner())) 40 | return c 41 | } 42 | 43 | func main() { 44 | checkExit(rootCmd().Execute()) 45 | } 46 | -------------------------------------------------------------------------------- /internal/builders/generic/version.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // https://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | package main 16 | 17 | import ( 18 | "fmt" 19 | 20 | "github.com/spf13/cobra" 21 | 22 | "github.com/slsa-framework/slsa-github-generator/version" 23 | ) 24 | 25 | func versionCmd() *cobra.Command { 26 | return &cobra.Command{ 27 | Use: "version", 28 | Short: "Print the version and exit", 29 | Run: func(_ *cobra.Command, _ []string) { 30 | fmt.Println(version.Version) 31 | }, 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /internal/builders/go/e2e-presubmits/go.mod: -------------------------------------------------------------------------------- 1 | module slsa-framework/example-package 2 | 3 | go 1.23.1 4 | 5 | require github.com/pborman/uuid v1.2.1 6 | 7 | require github.com/google/uuid v1.0.0 // indirect 8 | -------------------------------------------------------------------------------- /internal/builders/go/e2e-presubmits/go.sum: -------------------------------------------------------------------------------- 1 | github.com/google/uuid v1.0.0 h1:b4Gk+7WdP/d3HZH8EJsZpvV7EtDOgaZLtnaNGIu1adA= 2 | github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 3 | github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw= 4 | github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= 5 | -------------------------------------------------------------------------------- /internal/builders/go/e2e-presubmits/main.go: -------------------------------------------------------------------------------- 1 | // Copyright 2023 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package main 16 | 17 | import ( 18 | "fmt" 19 | "strings" 20 | 21 | "github.com/pborman/uuid" 22 | ) 23 | 24 | var ( 25 | gitVersion string 26 | gitCommit string 27 | gitBranch string 28 | ) 29 | 30 | func main() { 31 | uuidWithHyphen := uuid.NewRandom() 32 | uuid := strings.Replace(uuidWithHyphen.String(), "-", "", -1) 33 | 34 | fmt.Println("GitBranch:", gitBranch) 35 | fmt.Println("GitVersion:", gitVersion) 36 | fmt.Println("GitCommit:", gitCommit) 37 | fmt.Println("Hello world:", uuid) 38 | } 39 | -------------------------------------------------------------------------------- /internal/builders/go/pkg/provenance_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | package pkg 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/slsa-framework/slsa-github-generator/internal/testutil" 21 | "github.com/slsa-framework/slsa-github-generator/slsa" 22 | ) 23 | 24 | func TestGenerateProvenance(t *testing.T) { 25 | // Disable pre-submit detection. 26 | // TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove 27 | t.Setenv("GITHUB_EVENT_NAME", "non_event") 28 | t.Setenv("GITHUB_CONTEXT", "{}") 29 | t.Setenv("VARS_CONTEXT", "{}") 30 | sha256 := "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2" 31 | _, err := GenerateProvenance( 32 | "foo", sha256, "", "", "/home/foo", 33 | &testutil.TestSigner{}, 34 | &slsa.NilClientProvider{}, 35 | ) 36 | 37 | var want error 38 | got := err 39 | if want != got { 40 | t.Errorf("unexpected error, want: %v, got: %v", want, got) 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /internal/builders/go/pkg/testdata/go/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/slsa-framework/slsa-github-generator/internal/builders/go/pkg/testdata/go 2 | 3 | go 1.23.1 4 | -------------------------------------------------------------------------------- /internal/builders/go/pkg/testdata/go/main.go: -------------------------------------------------------------------------------- 1 | // Copyright 2023 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package main 16 | 17 | import "fmt" 18 | 19 | func main() { 20 | fmt.Println("Hello world!") 21 | } 22 | -------------------------------------------------------------------------------- /internal/builders/go/pkg/testdata/release-invalid-dir.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | goos: linux 26 | goarch: amd64 27 | dir: /not/relative/ 28 | binary: binary-{{ .OS }}-{{ .Arch }} 29 | ldflags: 30 | - "{{ .Env.VERSION_LDFLAGS }}" 31 | -------------------------------------------------------------------------------- /internal/builders/go/pkg/testdata/releaser-invalid-envs.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | version: 1 16 | env: 17 | - GO111MODULE:on 18 | 19 | flags: 20 | - -trimpath 21 | - -tags=netgo 22 | 23 | goos: linux 24 | goarch: amd64 25 | binary: binary-{{ .OS }}-{{ .Arch }} 26 | ldflags: 27 | - "{{ .Env.VERSION_LDFLAGS }}" 28 | -------------------------------------------------------------------------------- /internal/builders/go/pkg/testdata/releaser-invalid-main.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | goos: linux 26 | goarch: amd64 27 | main: /not/relative 28 | binary: binary-{{ .OS }}-{{ .Arch }} 29 | ldflags: 30 | - "{{ .Env.VERSION_LDFLAGS }}" 31 | -------------------------------------------------------------------------------- /internal/builders/go/pkg/testdata/releaser-invalid-version.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | version: 0 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | # TODO: 26 | # mod_timestamp: '{{ .CommitTimestamp }}' 27 | goos: linux 28 | goarch: amd64 29 | binary: binary-{{ .OS }}-{{ .Arch }} 30 | ldflags: 31 | - "{{ .Env.VERSION_LDFLAGS }}" 32 | -------------------------------------------------------------------------------- /internal/builders/go/pkg/testdata/releaser-noversion.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | env: 16 | - GO111MODULE=on 17 | # https://stackoverflow.com/a/62821358/19407 18 | - CGO_ENABLED=0 19 | 20 | flags: 21 | - -trimpath 22 | - -tags=netgo 23 | 24 | # TODO: 25 | # mod_timestamp: '{{ .CommitTimestamp }}' 26 | goos: linux 27 | goarch: amd64 28 | binary: binary-{{ .OS }}-{{ .Arch }} 29 | ldflags: 30 | - "{{ .Env.VERSION_LDFLAGS }}" 31 | -------------------------------------------------------------------------------- /internal/builders/go/pkg/testdata/releaser-valid-dir.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | goos: linux 26 | goarch: amd64 27 | dir: ./path/to/dir 28 | binary: binary-{{ .OS }}-{{ .Arch }} 29 | ldflags: 30 | - "{{ .Env.VERSION_LDFLAGS }}" 31 | -------------------------------------------------------------------------------- /internal/builders/go/pkg/testdata/releaser-valid-empty-main.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | goos: linux 26 | goarch: amd64 27 | main: 28 | binary: binary-{{ .OS }}-{{ .Arch }} 29 | ldflags: 30 | - "{{ .Env.VERSION_LDFLAGS }}" 31 | -------------------------------------------------------------------------------- /internal/builders/go/pkg/testdata/releaser-valid-envs-multiple-equal-signs.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | - CGO_CFLAGS=a=b=c 21 | 22 | flags: 23 | - -trimpath 24 | - -tags=netgo 25 | 26 | goos: linux 27 | goarch: amd64 28 | binary: binary-{{ .OS }}-{{ .Arch }} 29 | ldflags: 30 | - "{{ .Env.VERSION_LDFLAGS }}" 31 | -------------------------------------------------------------------------------- /internal/builders/go/pkg/testdata/releaser-valid-envs-no-value.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | - CGO_CFLAGS= 21 | 22 | flags: 23 | - -trimpath 24 | - -tags=netgo 25 | 26 | goos: linux 27 | goarch: amd64 28 | binary: binary-{{ .OS }}-{{ .Arch }} 29 | ldflags: 30 | - "{{ .Env.VERSION_LDFLAGS }}" 31 | -------------------------------------------------------------------------------- /internal/builders/go/pkg/testdata/releaser-valid-main.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | goos: linux 26 | goarch: amd64 27 | main: ./relative/main.go 28 | binary: binary-{{ .OS }}-{{ .Arch }} 29 | ldflags: 30 | - "{{ .Env.VERSION_LDFLAGS }}" 31 | -------------------------------------------------------------------------------- /internal/builders/go/pkg/testdata/releaser-valid-no-main.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | goos: linux 26 | goarch: amd64 27 | binary: binary-{{ .OS }}-{{ .Arch }} 28 | ldflags: 29 | - "{{ .Env.VERSION_LDFLAGS }}" 30 | -------------------------------------------------------------------------------- /internal/builders/go/testdata/binary-linux-amd64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/slsa-framework/slsa-github-generator/24e3463c4c5882ca81483811c54212c50464a629/internal/builders/go/testdata/binary-linux-amd64 -------------------------------------------------------------------------------- /internal/builders/go/testdata/emptyldflags.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | goos: linux 26 | goarch: amd64 27 | binary: binary-{{ .Os }}-{{ .Arch }} 28 | ldflags: 29 | -------------------------------------------------------------------------------- /internal/builders/go/testdata/invalid-main.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | main: ../path/to/main.go 26 | goos: linux 27 | goarch: amd64 28 | binary: binary-{{ .Os }}-{{ .Arch }} 29 | ldflags: 30 | - "something-{{ .Env.ELSE }}" 31 | -------------------------------------------------------------------------------- /internal/builders/go/testdata/one-ldflags.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | goos: linux 26 | goarch: amd64 27 | binary: binary-{{ .Os }}-{{ .Arch }} 28 | ldflags: 29 | - "something-{{ .Env.ELSE }}" 30 | -------------------------------------------------------------------------------- /internal/builders/go/testdata/two-ldflags-emptyenv.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | version: 1 16 | env: 17 | 18 | flags: 19 | - -trimpath 20 | - -tags=netgo 21 | 22 | goos: linux 23 | goarch: amd64 24 | binary: binary-{{ .Os }}-{{ .Arch }} 25 | ldflags: 26 | - "{{ .Env.VERSION_LDFLAGS }}" 27 | - "something-{{ .Env.ELSE }}" 28 | -------------------------------------------------------------------------------- /internal/builders/go/testdata/two-ldflags-emptyflags.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | 23 | goos: linux 24 | goarch: amd64 25 | binary: binary-{{ .Os }}-{{ .Arch }} 26 | ldflags: 27 | - "{{ .Env.VERSION_LDFLAGS }}" 28 | - "something-{{ .Env.ELSE }}" 29 | -------------------------------------------------------------------------------- /internal/builders/go/testdata/two-ldflags-noenv.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | version: 1 16 | 17 | flags: 18 | - -trimpath 19 | - -tags=netgo 20 | 21 | goos: linux 22 | goarch: amd64 23 | binary: binary-{{ .Os }}-{{ .Arch }} 24 | ldflags: 25 | - "{{ .Env.VERSION_LDFLAGS }}" 26 | - "something-{{ .Env.ELSE }}" 27 | -------------------------------------------------------------------------------- /internal/builders/go/testdata/two-ldflags-noflags.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | 21 | goos: linux 22 | goarch: amd64 23 | binary: binary-{{ .Os }}-{{ .Arch }} 24 | ldflags: 25 | - "{{ .Env.VERSION_LDFLAGS }}" 26 | - "something-{{ .Env.ELSE }}" 27 | -------------------------------------------------------------------------------- /internal/builders/go/testdata/two-ldflags-noldflags.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | goos: linux 26 | goarch: amd64 27 | binary: binary-{{ .Os }}-{{ .Arch }} 28 | -------------------------------------------------------------------------------- /internal/builders/go/testdata/two-ldflags.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | goos: linux 26 | goarch: amd64 27 | binary: binary-{{ .Os }}-{{ .Arch }} 28 | ldflags: 29 | - "{{ .Env.VERSION_LDFLAGS }}" 30 | - "something-{{ .Env.ELSE }}" 31 | -------------------------------------------------------------------------------- /internal/builders/go/testdata/valid-main.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | main: ./path/to/main.go 26 | goos: linux 27 | goarch: amd64 28 | binary: binary-{{ .Os }}-{{ .Arch }} 29 | ldflags: 30 | - "{{ .Env.VERSION_LDFLAGS }}" 31 | - "something-{{ .Env.ELSE }}" 32 | -------------------------------------------------------------------------------- /internal/builders/go/testdata/valid-working-dir.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 SLSA Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | version: 1 16 | env: 17 | - GO111MODULE=on 18 | # https://stackoverflow.com/a/62821358/19407 19 | - CGO_ENABLED=0 20 | 21 | flags: 22 | - -trimpath 23 | - -tags=netgo 24 | 25 | main: main.go 26 | dir: ./valid/path/ 27 | goos: linux 28 | goarch: amd64 29 | binary: binary-{{ .Os }}-{{ .Arch }} 30 | ldflags: 31 | - "{{ .Env.VERSION_LDFLAGS }}" 32 | - "something-{{ .Env.ELSE }}" 33 | -------------------------------------------------------------------------------- /internal/builders/gradle/collect_release_artifacts.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eu 2 | # 3 | # Copyright 2023 SLSA Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
16 | 17 | set -euo pipefail 18 | 19 | mkdir release-files-for-slsa 20 | GRADLE_VERSION=$(./gradlew properties -q | grep "version:" | awk '{print $2}') 21 | 22 | # Move artifacts from the user-supplied artifact list 23 | IFS=',' read -ra artifact_array <<<"$UNTRUSTED_ARTIFACT_LIST" 24 | for i in "${artifact_array[@]}"; do 25 | i="${i#"${i%%[![:space:]]*}"}" # trim leading whitespace 26 | i="${i%"${i##*[![:space:]]}"}" # trim trailing whitespace 27 | # shellcheck disable=SC2001 28 | i=$(echo "$i" | sed 's/\"//') 29 | # Check if $i is empty 30 | if [ -z "$i" ]; then 31 | continue 32 | fi 33 | 34 | # Replace 'GRADLE_VERSION' with $GRADLE_VERSION 35 | path_with_version="${i//GRADLE_VERSION/"$GRADLE_VERSION"}" 36 | 37 | # Move the file 38 | bn=$(basename -- "$path_with_version") 39 | cp "$path_with_version" release-files-for-slsa/"$bn" 40 | done 41 | -------------------------------------------------------------------------------- /internal/builders/gradle/create_attestation.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eu 2 | # 3 | # Copyright 2023 SLSA Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
16 | 17 | set -euo pipefail 18 | 19 | SLSA_OUTPUTS_ARTIFACTS_FILE="${GITHUB_WORKSPACE}/${SLSA_OUTPUTS_ARTIFACTS_FILE}" 20 | 21 | # "version" and "attestations" fields: 22 | echo -e -n "{\n \"version\": 1,\n \"attestations\": [" >>"$SLSA_OUTPUTS_ARTIFACTS_FILE" 23 | 24 | num_jar_files=$(find ./release-files-for-slsa -type f | wc -l) 25 | counter=1 26 | 27 | # Add one attestation per .jar file: 28 | find ./release-files-for-slsa -type f -print0 | while read -r -d $'\0' fname; do 29 | 30 | bn=$(basename -- "$fname") 31 | hash=$(sha256sum "$fname" | awk '{print $1}') 32 | 33 | echo -n " 34 | { 35 | \"name\": \"${bn}\", 36 | \"subjects\": [ 37 | { \"name\": \"${bn}\", 38 | \"digest\": { \"sha256\": \"${hash}\" } 39 | } 40 | ] 41 | }" >>"$SLSA_OUTPUTS_ARTIFACTS_FILE" 42 | 43 | # Add comma between attestations and not after the last 44 | if [[ "$counter" != "$num_jar_files" ]]; then 45 | echo -n "," >>"$SLSA_OUTPUTS_ARTIFACTS_FILE" 46 | fi 47 | 48 | counter="$((counter + 1))" 49 | done 50 | 51 | # Close "attestations" and "version": 52 | echo -e "\n ]" >>"$SLSA_OUTPUTS_ARTIFACTS_FILE" 53 | echo "}" >>"$SLSA_OUTPUTS_ARTIFACTS_FILE" 54 | cat "$SLSA_OUTPUTS_ARTIFACTS_FILE" 55 | -------------------------------------------------------------------------------- /internal/utils/marshal.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package utils 16 | 17 | import ( 18 | "encoding/base64" 19 | "encoding/json" 20 | "fmt" 21 | ) 22 | 23 | // UnmarshalList unmarshals a string into a list of strings. 24 | func UnmarshalList(arg string) ([]string, error) { 25 | var res []string 26 | // If argument is empty, return an empty list early, 27 | // because `json.Unmarshal` would fail. 28 | if arg == "" { 29 | return res, nil 30 | } 31 | 32 | cs, err := base64.StdEncoding.DecodeString(arg) 33 | if err != nil { 34 | return res, fmt.Errorf("base64.StdEncoding.DecodeString: %w", err) 35 | } 36 | 37 | if err := json.Unmarshal(cs, &res); err != nil { 38 | return []string{}, fmt.Errorf("json.Unmarshal: %w", err) 39 | } 40 | return res, nil 41 | } 42 | 43 | // MarshalToString marshals to a string. 44 | func MarshalToString(args interface{}) (string, error) { 45 | jsonData, err := json.Marshal(args) 46 | if err != nil { 47 | return "", fmt.Errorf("json.Marshal: %w", err) 48 | } 49 | 50 | encoded := base64.StdEncoding.EncodeToString(jsonData) 51 | if err != nil { 52 | return "", fmt.Errorf("base64.StdEncoding.EncodeString: %w", err) 53 | } 54 | return encoded, nil 55 | } 56 | 57 | // MarshalToBytes marshals to a byte array. 58 | func MarshalToBytes(args interface{}) ([]byte, error) { 59 | encoded, err := MarshalToString(args) 60 | if err != nil { 61 | return nil, err 62 | } 63 | return []byte(encoded), nil 64 | } 65 | -------------------------------------------------------------------------------- /internal/utils/presubmits.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package utils

import "os"

// IsPresubmitTests reports whether the process is running as a pull_request
// event of the slsa-framework/slsa-github-generator repository itself, as
// seen through the GITHUB_EVENT_NAME and GITHUB_REPOSITORY environment
// variables. Both conditions must hold.
func IsPresubmitTests() bool {
	isPullRequest := os.Getenv("GITHUB_EVENT_NAME") == "pull_request"
	isUpstreamRepo := os.Getenv("GITHUB_REPOSITORY") == "slsa-framework/slsa-github-generator"
	return isPullRequest && isUpstreamRepo
}
--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
{
  "scripts": {
    "format-yaml": "prettier --write '**/*.yml' '**/*.yaml'",
    "format-yaml-check": "prettier --check '**/*.yml' '**/*.yaml'",
    "markdownlint": "markdownlint --dot .",
    "markdownlint-fix": "markdownlint --dot --fix .",
    "markdown-toc": "markdown-toc --bullets='-' -i",
    "renovate-config-validator": "renovate-config-validator --strict"
  },
  "devDependencies": {
    "@sigstore/cli": "0.8.1",
    "markdown-toc": "1.2.0",
    "markdownlint-cli": "0.44.0",
    "prettier": "3.5.1",
    "renovate": "39.174.3",
    "sigstore": "2.3.1"
  }
}
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
# Hashes retrieved using instructions here:
# https://pip.pypa.io/en/stable/cli/pip_hash/#example
yamllint==1.35.1 \
    --hash=sha256:2e16e504bb129ff515b37823b472750b36b6de07963bd74b307341ef5ad8bdc3 \
--hash=sha256:7a003809f88324fd2c877734f2d575ee7881dd9043360657cc8049c809eba6cd 6 | # NOTE: pathspec is included because it is not pinned using '==' by yamllint. So 7 | # we need to include the exact version and hash here. 8 | pathspec==0.12.1 \ 9 | --hash=sha256:a0d503e138a4c123b27490a4f7beda6a01c6f288df0e4a8b79c7eb0dc7b4cc08 \ 10 | --hash=sha256:a482d51503a1ab33b1c67a6c3813a26953dbdc71c31dacaef9a838c4e29f5712 11 | -------------------------------------------------------------------------------- /signing/signer.go: -------------------------------------------------------------------------------- 1 | // Copyright 2023 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package signing 16 | 17 | import ( 18 | "context" 19 | 20 | intoto "github.com/in-toto/in-toto-golang/in_toto" 21 | ) 22 | 23 | // Attestation is a signed attestation. 24 | type Attestation interface { 25 | // Cert returns the certificate used to sign the attestation. 26 | Cert() []byte 27 | 28 | // Bytes returns the signed attestation as an encoded DSSE JSON envelope. 29 | Bytes() []byte 30 | } 31 | 32 | // Signer is used to sign provenance statements. 33 | type Signer interface { 34 | // Sign signs the given provenance statement and returns the signed 35 | // attestation. 36 | Sign(context.Context, *intoto.Statement) (Attestation, error) 37 | } 38 | 39 | // LogEntry represents a transparency log entry. 
40 | type LogEntry interface { 41 | // ID returns the ID of the transparency log. 42 | ID() string 43 | 44 | // LogIndex returns the index of the transparency log entry. 45 | LogIndex() int64 46 | 47 | // UUID returns the UUID of the transparency log entry. 48 | UUID() string 49 | } 50 | 51 | // TransparencyLog allows interaction with a transparency log. 52 | type TransparencyLog interface { 53 | // Upload uploads the signed attestation to the transparency log and returns the resulting log entry. 54 | Upload(context.Context, Attestation) (LogEntry, error) 55 | } 56 | -------------------------------------------------------------------------------- /third_party/autogen/licenses/BUILD: -------------------------------------------------------------------------------- 1 | # Copyright 2016 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | ################################################################################ 16 | 17 | package(default_visibility = ["//visibility:public"]) 18 | 19 | filegroup( 20 | name = "licenses", 21 | srcs = glob(["*.txt"]), 22 | ) 23 | -------------------------------------------------------------------------------- /third_party/autogen/licenses/apache-2.0.txt: -------------------------------------------------------------------------------- 1 | Copyright %YEAR% %COPYRIGHT_HOLDER% 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License.
5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 14 | -------------------------------------------------------------------------------- /third_party/autogen/licenses/bsd-2-clause.txt: -------------------------------------------------------------------------------- 1 | Copyright (c) %YEAR%, %COPYRIGHT_HOLDER% 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without 5 | modification, are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 2. Redistributions in binary form must reproduce the above copyright notice, 10 | this list of conditions and the following disclaimer in the documentation 11 | and/or other materials provided with the distribution. 12 | 13 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 14 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 15 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 16 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR 17 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 18 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 19 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 20 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 22 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 | 24 | The views and conclusions contained in the software and documentation are those 25 | of the authors and should not be interpreted as representing official policies, 26 | either expressed or implied, of the FreeBSD Project. 27 | -------------------------------------------------------------------------------- /third_party/autogen/licenses/bsd-3-clause.txt: -------------------------------------------------------------------------------- 1 | Copyright (c) %YEAR%, %COPYRIGHT_HOLDER% 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without 5 | modification, are permitted provided that the following conditions are met: 6 | * Redistributions of source code must retain the above copyright 7 | notice, this list of conditions and the following disclaimer. 8 | * Redistributions in binary form must reproduce the above copyright 9 | notice, this list of conditions and the following disclaimer in the 10 | documentation and/or other materials provided with the distribution. 11 | * Neither the name of %COPYRIGHT_HOLDER% nor the 12 | names of its contributors may be used to endorse or promote products 13 | derived from this software without specific prior written permission. 
14 | 15 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 16 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 17 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 18 | DISCLAIMED. IN NO EVENT SHALL %COPYRIGHT_HOLDER% BE LIABLE FOR ANY 19 | DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 20 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 21 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 22 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 24 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | -------------------------------------------------------------------------------- /third_party/autogen/licenses/bsd-4-clause.txt: -------------------------------------------------------------------------------- 1 | Copyright (c) %YEAR%, %COPYRIGHT_HOLDER% 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without 5 | modification, are permitted provided that the following conditions are met: 6 | 1. Redistributions of source code must retain the above copyright 7 | notice, this list of conditions and the following disclaimer. 8 | 2. Redistributions in binary form must reproduce the above copyright 9 | notice, this list of conditions and the following disclaimer in the 10 | documentation and/or other materials provided with the distribution. 11 | 3. All advertising materials mentioning features or use of this software 12 | must display the following acknowledgement: 13 | This product includes software developed by %COPYRIGHT_HOLDER%. 14 | 4. Neither the name of the %COPYRIGHT_HOLDER% nor the 15 | names of its contributors may be used to endorse or promote products 16 | derived from this software without specific prior written permission. 
17 | 18 | THIS SOFTWARE IS PROVIDED BY %COPYRIGHT_HOLDER% ''AS IS'' AND ANY 19 | EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL %COPYRIGHT_HOLDER% BE LIABLE FOR ANY 22 | DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 25 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | -------------------------------------------------------------------------------- /third_party/autogen/licenses/gpl-2.txt: -------------------------------------------------------------------------------- 1 | Copyright (C) %YEAR% %COPYRIGHT_HOLDER% 2 | 3 | This program is free software; you can redistribute it and/or modify 4 | it under the terms of the GNU General Public License as published by 5 | the Free Software Foundation; either version 2 of the License, or 6 | (at your option) any later version. 7 | 8 | This program is distributed in the hope that it will be useful, 9 | but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | GNU General Public License for more details. 12 | 13 | You should have received a copy of the GNU General Public License along 14 | with this program; if not, write to the Free Software Foundation, Inc., 15 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
16 | -------------------------------------------------------------------------------- /third_party/autogen/licenses/gpl-3.txt: -------------------------------------------------------------------------------- 1 | Copyright (C) %YEAR% %COPYRIGHT_HOLDER% 2 | 3 | This program is free software: you can redistribute it and/or modify 4 | it under the terms of the GNU General Public License as published by 5 | the Free Software Foundation, either version 3 of the License, or 6 | (at your option) any later version. 7 | 8 | This program is distributed in the hope that it will be useful, 9 | but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | GNU General Public License for more details. 12 | 13 | You should have received a copy of the GNU General Public License 14 | along with this program. If not, see . 15 | -------------------------------------------------------------------------------- /third_party/autogen/licenses/lgpl-2.1.txt: -------------------------------------------------------------------------------- 1 | Copyright (C) %YEAR% %COPYRIGHT_HOLDER% 2 | 3 | This library is free software; you can redistribute it and/or 4 | modify it under the terms of the GNU Lesser General Public 5 | License as published by the Free Software Foundation; either 6 | version 2.1 of the License, or (at your option) any later version. 7 | 8 | This library is distributed in the hope that it will be useful, 9 | but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 | Lesser General Public License for more details. 
12 | 13 | You should have received a copy of the GNU Lesser General Public 14 | License along with this library; if not, write to the Free Software 15 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 16 | -------------------------------------------------------------------------------- /third_party/autogen/licenses/mit.txt: -------------------------------------------------------------------------------- 1 | Copyright (c) %YEAR% %COPYRIGHT_HOLDER% 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal in 5 | the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 7 | the Software, and to permit persons to whom the Software is furnished to do so, 8 | subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in all 11 | copies or substantial portions of the Software. 12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 15 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 16 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 17 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 18 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 19 | -------------------------------------------------------------------------------- /third_party/autogen/licenses/mpl-2.0.txt: -------------------------------------------------------------------------------- 1 | Copyright %YEAR% %COPYRIGHT_HOLDER% 2 | 3 | This Source Code Form is subject to the terms of the Mozilla Public 4 | License, v. 2.0. 
If a copy of the MPL was not distributed with this 5 | file, you can obtain one at http://mozilla.org/MPL/2.0/. 6 | -------------------------------------------------------------------------------- /version/version.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 SLSA Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // https://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package version 16 | 17 | // Version is the version of slsa-github-generator. 18 | // It is meant to be overwritten with 19 | // -ldflags="-X github.com/slsa-framework/slsa-github-generator/version.Version=X.Y". 20 | var Version = `unknown` 21 | --------------------------------------------------------------------------------