
Provenance probably incorrect when creating multiple subjects in one workflow.  #131

@JeroenKnoops

Description

Problem

When creating multiple subjects in multiple steps in a workflow, all predicates are the same.

Basically the Provenance states: We ran workflow w and it produced subject x with digest y on timestamp z. There is no information on which step and what arguments are used.

Example provenance (from the related issue)

{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "subject": [
    {
      "name": "index.docker.io/philipssoftware/blackduck",
      "digest": {
        "sha256": "e4b7db02469ea627818cfd8bcd0cff1c377e64189ef670184e56d0685096374f"
      }
    }
  ],
  "predicate": {
    "builder": {
      "id": "https://github.com/philips-software/docker-blackduck/Attestations/GitHubHostedActions@v1"
    },
    "buildType": "https://github.com/Attestations/GitHubActionsWorkflow@v1",
    "invocation": {
      "configSource": {
        "uri": "git+https://github.com/philips-software/docker-blackduck",
        "digest": {
          "sha1": "64a263c8bb206b256e0507f1998d81e7f647f8fc"
        },
        "entryPoint": "build"
      }
    },
    "metadata": {
      "buildInvocationID": "https://github.com/philips-software/docker-blackduck/actions/runs/1752676715",
      "buildFinishedOn": "2022-01-26T19:39:00Z",
      "completeness": {
        "parameters": true,
        "environment": false,
        "materials": false
      },
      "reproducible": false
    },
    "materials": [
      {
        "uri": "git+https://github.com/philips-software/docker-blackduck",
        "digest": {
          "sha1": "64a263c8bb206b256e0507f1998d81e7f647f8fc"
        }
      }
    ]
  }
}

The invocation node shows which repository with given sha1 and the entryPoint. The entrypoint relates back to the name of the workflow, not the step.
In the metadata we see the buildInvocationID and the buildFinishedOn fields. This is not enough to know what was used to build it. We also need to know which github-action-name is invoked and what arguments were passed.

Possible solution

In the SLSA-provenance v0.2 spec we see an example for "GitHub Actions Workflow".

They are using the entrypoint like we are doing (they added the filename in front of the workflow name). The parameters node is used for workflow_dispatch parameters.
The environment part is there to provide context on how to reproduce it. I think we need to add the step / github-action-name and arguments there.

Related issue

See also: philips-software/docker-ci-scripts#97
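The ambiguity described in this issue, shown as an added example (not code from the issue author or from the docker-blackduck project): two SLSA v0.2 statements from the same workflow run are compared on the fields a verifier can use to tell how each subject was built. The `github_action_name` / `github_action_args` keys under `invocation.environment` are a hypothetical layout for the step information the issue proposes, and all digests and URLs are constructed.

```python
import copy
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"

# Constructed statement modelled on the one in the issue; digests and URLs are made up.
BASE = {
    "_type": STATEMENT_TYPE,
    "predicateType": PREDICATE_TYPE,
    "subject": [{"name": "index.docker.io/example/image-a",
                 "digest": {"sha256": hashlib.sha256(b"image-a").hexdigest()}}],
    "predicate": {
        "builder": {"id": "https://github.com/example/repo/Attestations/GitHubHostedActions@v1"},
        "buildType": "https://github.com/Attestations/GitHubActionsWorkflow@v1",
        "invocation": {"configSource": {"uri": "git+https://github.com/example/repo",
                                        "digest": {"sha1": "0" * 40},
                                        "entryPoint": "build"}},
        "metadata": {"buildInvocationID": "https://github.com/example/repo/actions/runs/1"},
    },
}

def check_types(statement):
    """Accept only an in-toto v0.1 statement carrying SLSA v0.2 provenance."""
    return (statement.get("_type") == STATEMENT_TYPE
            and statement.get("predicateType") == PREDICATE_TYPE)

def build_identity(statement):
    """Fields that say *how* a subject was produced: workflow entry point, run id and,
    if present, the hypothetical step name/arguments placed in invocation.environment."""
    pred = statement["predicate"]
    inv = pred.get("invocation", {})
    env = inv.get("environment", {})
    return (inv.get("configSource", {}).get("entryPoint"),
            pred.get("metadata", {}).get("buildInvocationID"),
            env.get("github_action_name"),
            json.dumps(env.get("github_action_args"), sort_keys=True))

def ambiguous_subjects(statements):
    """Names of subjects whose provenance cannot be told apart from another subject's."""
    seen = {}
    for st in statements:
        if not check_types(st):
            raise ValueError("unsupported statement or predicate type")
        for subj in st["subject"]:
            seen.setdefault(build_identity(st), []).append(subj["name"])
    return [n for names in seen.values() if len(names) > 1 for n in names]

def second_subject(name, step=None, args=None):
    """Constructed second statement from the same run, optionally carrying step info."""
    st = copy.deepcopy(BASE)
    st["subject"] = [{"name": name, "digest": {"sha256": hashlib.sha256(name.encode()).hexdigest()}}]
    if step is not None:
        st["predicate"]["invocation"]["environment"] = {"github_action_name": step,
                                                        "github_action_args": args}
    return st
```

Without the environment entries the two subjects collapse onto one build identity; with the step name and arguments recorded, each subject can be traced back to the step that produced it.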
