From 11c49b5a58c7cc8d23a131608e5a3592339494d3 Mon Sep 17 00:00:00 2001
From: mrjoelkamp <joel.kamp@docker.com>
Date: Mon, 9 Sep 2024 15:59:39 -0500
Subject: [PATCH] feat: add gha provenance

---
 provenance.jq | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 provenance.jq

diff --git a/provenance.jq b/provenance.jq
new file mode 100644
index 0000000..79b713f
--- /dev/null
+++ b/provenance.jq
@@ -0,0 +1,78 @@
+def tags:
+  .source.arches[].tags[],
+  .source.arches[].archTags[],
+  .build.img
+;
+
+# input: "build" object (with "buildId" top level key)
+# output: purl platform query string
+def platform_string:
+  .source.arches[].platformString | gsub("/"; "%2F")
+;
+
+# input: "build" object (with "buildId" top level key) with image digest argument
+# output: json object for in-toto provenance subject field
+def subjects($platform; $digest):
+  {
+      "name": ("pkg:docker/" + . + "?platform=" + $platform),
+      "digest": {
+        "sha256": $digest
+      }
+  }
+;
+
+# input: "build" object (with "buildId" top level key) with GITHUB context argument
+# output: json object for in-toto provenance external parameters field
+def github_external_parameters($context):
+($context.workflow_ref | gsub( $context.repository + "/"; "")) as $workflowPathRef |
+{
+  inputs: $context.event.inputs,
+  workflow: {
+    ref: ($workflowPathRef | split("@")[1]),
+    repository: ($context.server_url + "/" + $context.repository),
+    path: ($workflowPathRef | split("@")[0]),
+    digest: {sha256: $context.workflow_sha}
+  }
+}
+;
+
+# input: "build" object (with "buildId" top level key) with GITHUB context argument
+# output: json object for in-toto provenance internal parameters field
+def github_internal_parameters($context):
+{
+  github: {
+    event_name: $context.event_name,
+    repository_id: $context.repository_id,
+    repository_owner_id: $context.repository_owner_id,
+  }
+}
+;
+
+# input: "build" object (with "buildId" top level key) with image digest and GITHUB context arguments
+# output: json object for in-toto provenance statement
+def github_actions_provenance($platform; $digest; $context):
+{
+  _type: "https://in-toto.io/Statement/v1",
+  subject: . | map(subjects($platform; $digest)),
+  predicateType: "https://slsa.dev/provenance/v1",
+  predicate: {
+        buildDefinition: {
+            buildType: "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
+            externalParameters: github_external_parameters($context),
+            internalParameters: github_internal_parameters($context),
+            resolvedDependencies: [{
+                uri: ("git+"+$context.server_url+"/"+$context.repository+"@"+$context.ref),
+                digest: { "gitCommit": $context.sha }
+            }]
+        },
+        runDetails: {
+            builder: {
+                id: ($context.server_url+"/"+$context.workflow_ref),
+            },
+            metadata: {
+                invocationId: ($context.server_url+"/"+$context.repository+"/actions/runs/"+$context.run_id+"/attempts/"+$context.run_attempt),
+            }
+        }
+    }
+}
+;