
Get repository, ref via GitHub API

Open ianlewis opened this issue 3 years ago • 7 comments

Currently we have to have special-case code to run e2e tests in pull requests due to #131. I'd like to get rid of that code so that pull requests run normally.

I want to see if I can't get the repository and ref via the GitHub API rather than by creating an OIDC token. Creating an OIDC token requires the id-token scope, which is not normally given to workflows triggered by the pull_request event.

This wouldn't allow us to sign using sigstore's GitHub provider, but it would at least solve the problem of getting the reusable workflow repo and ref.

ianlewis avatar May 30 '22 05:05 ianlewis

This was done and can be closed?

laurentsimon avatar Jun 28 '22 19:06 laurentsimon

No, this is just an idea I had that I wanted to get the repo and ref via the GitHub API instead of by using job_workflow_ref from an OIDC token. I'm not sure it's really possible. It's more of a refactor than a feature and it's not really high priority.

ianlewis avatar Jun 29 '22 00:06 ianlewis

Oh right, my bad.

laurentsimon avatar Jun 29 '22 00:06 laurentsimon

Update here: detect-workflow-js works this way, so the remaining item here is (after ensuring some stability in that new action) to deprecate detect-workflow and replace it with detect-workflow-js.

asraa avatar Mar 01 '23 19:03 asraa

The old detect-workflow action was removed in #1988 and detect-workflow-js does this already. Closing.

https://github.com/slsa-framework/slsa-github-generator/blob/f8e470688f4d6523b8afa65618cf5e8a1183fcf4/.github/actions/detect-workflow-js/src/main.ts#L42-L60

ianlewis avatar May 14 '24 09:05 ianlewis
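As an added example (not code from this thread and not slsa-github-generator's own detect-workflow-js implementation), the TypeScript below contrasts the two ways of resolving the reusable workflow's repository and ref that the thread discusses: parsing the `job_workflow_ref` claim of an OIDC token (which needs the id-token permission a pull_request-triggered workflow normally lacks), and reading the `referenced_workflows` entries of the workflow run from the REST API, which only needs the default token. The entry shape (`path`, `sha`, optional `ref`) follows the documented workflow-run response; the sample entries, workflow file names and SHAs are constructed. The REST variant also covers the edge case where the caller pinned the reusable workflow by commit SHA, so no symbolic `ref` is returned.

```typescript
// Added example; not the project's detect-workflow-js code.
// Both functions resolve which repository and ref a reusable workflow came from.

// One entry of `referenced_workflows` in the GET /repos/{owner}/{repo}/actions/runs/{run_id}
// response (shape assumed from the GitHub REST API docs).
interface ReferencedWorkflow {
  path: string; // "owner/repo/.github/workflows/file.yml"
  sha: string;  // commit the workflow file was read at
  ref?: string; // "refs/heads/main", "refs/tags/vN"; absent when pinned by SHA
}

interface WorkflowSource {
  repository: string; // "owner/repo"
  ref: string;        // symbolic ref, or the commit SHA when no ref is known
}

// Approach 1: the job_workflow_ref claim from an OIDC token, e.g.
// "owner/repo/.github/workflows/file.yml@refs/tags/vN". Requires id-token: write.
function fromJobWorkflowRef(jobWorkflowRef: string): WorkflowSource {
  const at = jobWorkflowRef.lastIndexOf("@");
  if (at < 0) {
    throw new Error(`job_workflow_ref has no @ref suffix: ${jobWorkflowRef}`);
  }
  const path = jobWorkflowRef.slice(0, at);
  const ref = jobWorkflowRef.slice(at + 1);
  const parts = path.split("/");
  // Need at least owner, repo and a workflow path below them.
  if (parts.length < 3 || parts[0] === "" || parts[1] === "") {
    throw new Error(`job_workflow_ref path is not owner/repo/...: ${path}`);
  }
  return { repository: `${parts[0]}/${parts[1]}`, ref };
}

// Approach 2: the run's referenced_workflows from the REST API (default token is enough).
// `expectedRepo` is the repository the caller expects the reusable workflow to live in;
// matching on "repo/" (with the trailing slash) avoids accepting a lookalike such as
// "owner/repo-fork".
function fromReferencedWorkflows(
  referenced: ReferencedWorkflow[],
  expectedRepo: string,
): WorkflowSource {
  const match = referenced.find((w) => w.path.startsWith(`${expectedRepo}/`));
  if (match === undefined) {
    throw new Error(`no referenced workflow from ${expectedRepo}`);
  }
  // Prefer the symbolic ref; fall back to the SHA when the workflow was pinned by commit.
  return { repository: expectedRepo, ref: match.ref ?? match.sha };
}

// Constructed sample data (not a real API response).
const SAMPLE_REFERENCED: ReferencedWorkflow[] = [
  {
    path: "example-org/example-app/.github/workflows/lint.yml",
    sha: "1111111111111111111111111111111111111111",
    ref: "refs/heads/main",
  },
  {
    path: "slsa-framework/slsa-github-generator/.github/workflows/workflow.yml",
    sha: "2222222222222222222222222222222222222222",
    ref: "refs/heads/main",
  },
];

// Constructed sample where the reusable workflow was pinned by SHA (no ref field).
const SAMPLE_PINNED: ReferencedWorkflow[] = [
  {
    path: "slsa-framework/slsa-github-generator/.github/workflows/workflow.yml",
    sha: "3333333333333333333333333333333333333333",
  },
];

function demo(): WorkflowSource[] {
  const viaOidc = fromJobWorkflowRef(
    "slsa-framework/slsa-github-generator/.github/workflows/workflow.yml@refs/heads/main",
  );
  const viaApi = fromReferencedWorkflows(SAMPLE_REFERENCED, "slsa-framework/slsa-github-generator");
  const viaApiPinned = fromReferencedWorkflows(SAMPLE_PINNED, "slsa-framework/slsa-github-generator");
  return [viaOidc, viaApi, viaApiPinned];
}

console.log(demo());
```

Both approaches yield the same `{repository, ref}` pair for a normally triggered run; the REST approach is usable from a pull_request-triggered workflow because it needs no OIDC token, which is the point the thread makes. Note that a SHA-pinned caller produces a commit SHA rather than a tag or branch as the ref, so any downstream code that assumes a `refs/` prefix has to handle that case.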

So I think the issue is that this is fixed for detect-workflow-js, but we only use that for our pre-BYOB builders/generators that were written in Go, in order to detect which repo/ref to check out to build the builder binary for pre-submits/e2e tests.

We still need to update the pre-BYOB builder code itself to clean up how we deal with pre-submits and e2e tests.

ianlewis avatar May 20 '24 02:05 ianlewis