feat: add gha provenance

docker-library · Sep 11, 2024 · 50e2707 · 50e2707
1 parent 3cec72f
commit 50e2707
Showing 1 changed file with 79 additions and 0 deletions.
diff --git a/provenance.jq b/provenance.jq
@@ -0,0 +1,79 @@
+# input: "build" object (with "buildId" top level key)
+# output: purl platform query string
+def platform_string:
+    .source.arches[].platformString | gsub("/"; "%2F")
+;
+
+# input: "build" object (with "buildId" top level key) with image digest argument
+# output: json object for in-toto provenance subject field
+def subjects($digest):
+  [
+    (
+      .source.arches[].tags[],
+      .source.arches[].archTags[],
+      .build.img
+    ) as $tag |
+    {
+        "name": ("pkg:docker/" + $tag + "?platform=" + platform_string),
+        "digest": {
+          "sha256": $digest
+        }
+    }
+  ]
+;
+
+# input: "build" object (with "buildId" top level key) with GITHUB context argument
+# output: json object for in-toto provenance external parameters field
+def githubExternalParameters($context):
+($context.workflow_ref | gsub( $context.repository + "/"; "")) as $workflowPathRef |
+{
+  inputs: $context.event.inputs,
+  workflow: {
+    ref: ($workflowPathRef | split("@")[1]),
+    repository: ($context.server_url + "/" + $context.repository),
+    path: ($workflowPathRef | split("@")[0]),
+    digest: {sha256: $context.workflow_sha}
+  }
+}
+;
+
+# input: "build" object (with "buildId" top level key) with GITHUB context argument
+# output: json object for in-toto provenance internal parameters field
+def githubInternalParameters($context):
+{
+  github: {
+    event_name: $context.event_name,
+    repository_id: $context.repository_id,
+    repository_owner_id: $context.repository_owner_id,
+  }
+}
+;
+
+# input: "build" object (with "buildId" top level key) with image digest and GITHUB context arguments
+# output: json object for in-toto provenance statement
+def github_actions_provenance($digest; $context):
+{
+  _type: "https://in-toto.io/Statement/v1",
+  subject: subjects($digest),
+  predicateType: "https://slsa.dev/provenance/v1",
+  predicate: {
+        buildDefinition: {
+            buildType: "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
+            externalParameters: githubExternalParameters($context),
+            internalParameters: githubInternalParameters($context),
+            resolvedDependencies: [{
+                uri: ("git+"+$context.server_url+"/"+$context.repository+"@"+$context.ref),
+                digest: { "gitCommit": $context.sha }
+            }]
+        },
+        runDetails: {
+            builder: {
+                id: ($context.server_url+"/"+$context.workflow_ref),
+            },
+            metadata: {
+                invocationId: ($context.server_url+"/"+$context.repository+"/actions/runs/"+$context.run_id+"/attempts/"+$context.run_attempt),
+            }
+        }
+    }
+}
+;