Change SRP Provenance to use version 3.0
Signed-off-by: Joe Eltgroth <jeltgroth@vmware.com>
joeeltgroth committed Aug 16, 2023
1 parent 212dba6 commit 347c17e
Showing 12 changed files with 102 additions and 276 deletions.
27 changes: 0 additions & 27 deletions .github/actions/srp-helper/collect/action.yml

This file was deleted.

49 changes: 0 additions & 49 deletions .github/actions/srp-helper/collect/collect.sh

This file was deleted.

31 changes: 0 additions & 31 deletions .github/actions/srp-helper/init/action.yml

This file was deleted.

34 changes: 0 additions & 34 deletions .github/actions/srp-helper/init/init.sh

This file was deleted.

2 changes: 1 addition & 1 deletion .github/actions/srp-helper/install/action.yml
Expand Up @@ -9,5 +9,5 @@ runs:
- id: install
run: ${{ github.action_path }}/install.sh
env:
SRP_CLIENT_URL: ${{ inputs.client-url }}
SRP_TOOLS_URL: ${{ inputs.srp_tools_url }}
shell: bash
18 changes: 7 additions & 11 deletions .github/actions/srp-helper/install/install.sh
Expand Up @@ -6,16 +6,12 @@ set -euo pipefail

echo "Installing SRP CLI"

mkdir -p "$HOME/bin"
echo "$HOME/bin" >> "$GITHUB_PATH"
mkdir -p "$HOME/srp-tools"
echo "$HOME/srp-tools" >> "$GITHUB_PATH"
echo "$HOME/srp-tools/observer/bin" >> "$GITHUB_PATH"

curl \
--show-error \
--silent \
--location \
--output "$HOME/bin/srp" \
"$SRP_CLIENT_URL"
SRP_CLI_VERSION='0.9.9-20230724044630-61ef470-169'
curl -L "${SRP_TOOLS_URL}/${SRP_CLI_VERSION}/srp-tools-linux-amd64-${SRP_CLI_VERSION}.tar.gz" | tar -xz -C "$HOME/srp-tools"

chmod 755 "$HOME/bin/srp"

"$HOME/bin/srp" --version
"$HOME/srp-tools/srp" --version
"$HOME/srp-tools/observer/bin/observer_agent" --version
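Review bot: The new download at the `curl -L ... | tar -xz` line has no `--fail` and no integrity check, so an HTTP error body or a substituted archive is handed straight to tar and only fails if gzip happens to reject it; the version string is pinned but the artifact itself is not. The old code at least used `--show-error --silent` and a separate output file, which also made failures attributable. Download to a file, verify a pinned SHA-256 of the tarball, then extract; the digest must be taken from the published release, so it is left as a placeholder below. The script's first lines (shebang, `set -euo pipefail`) are outside the hunk.
```shell
SRP_CLI_VERSION='0.9.9-20230724044630-61ef470-169'
SRP_CLI_SHA256='<expected-sha256-placeholder>'  # pin to the digest of the released tarball
curl --fail --silent --show-error --location \
  --output "$HOME/srp-tools.tar.gz" \
  "${SRP_TOOLS_URL}/${SRP_CLI_VERSION}/srp-tools-linux-amd64-${SRP_CLI_VERSION}.tar.gz"
echo "${SRP_CLI_SHA256}  $HOME/srp-tools.tar.gz" | sha256sum -c -
tar -xz -C "$HOME/srp-tools" -f "$HOME/srp-tools.tar.gz"
# … unchanged: --version checks …
```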
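--- a/.github/actions/srp-helper/publish-container/action.yml
+++ b/.github/actions/srp-helper/publish-container/action.yml
@@ -0,0 +1,27 @@
+# Copyright 2021-2022 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+
+name: 'SRP Helper Start Action'
+description: 'Start the SRP observer, build and publish the container, stop the SRP observations'
+inputs:
+client-id:
+description: 'Client ID associated with your CSP org'
+required: true
+client-secret:
+description: 'Client Secret associated with your CSP org'
+required: true
+buildpack:
+description: 'Language of buildpack'
+required: true
+
+runs:
+using: "composite"
+steps:
+- id: publish
+env:
+CLIENT_ID: ${{ inputs.client-id }}
+CLIENT_SECRET: ${{ inputs.client-secret }}
+BUILDPACK: ${{ inputs.buildpack }}
+VES_DOCKER: /usr/bin/docker
+run: ${{ github.action_path }}/publish.sh
+shell: bash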
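Review bot: The action's declared interface is incomplete: publish.sh reads `$url`, `$registry`, `$target`, `$version` and `$SRP_WORKING_DIR`, none of which appear under `inputs:`, so the action only works when the calling step happens to set them via `env:` (as the workflow in this commit does). Either declare them as inputs and map them into the step `env:` like `CLIENT_ID`, or at minimum say so in the description, e.g. `description: 'Start the SRP observer, build and publish the container, stop the SRP observations. Caller must export url, registry, target, version and SRP_WORKING_DIR in the step env.'`. Two smaller points: `name: 'SRP Helper Start Action'` reads as carried over from the removed init action, since this action publishes rather than just starts, and `using: "composite"` is the only double-quoted scalar in a file that otherwise uses single quotes.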
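--- a/.github/actions/srp-helper/publish-container/publish.sh
+++ b/.github/actions/srp-helper/publish-container/publish.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# Copyright 2021-2022 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+
+set -euo pipefail
+
+echo "SRP: Collect source provenance."
+
+mkdir -p ${SRP_WORKING_DIR}
+srp config auth --client-id "$CLIENT_ID" --client-secret "$CLIENT_SECRET"
+srp provenance init
+
+GITHUB_FQDN=$(echo "${GITHUB_SERVER_URL}" | sed -e "s/^https:\/\///")
+srp provenance add-build github --action ${GITHUB_ACTION} --build-id ${GITHUB_RUN_ID}_${GITHUB_RUN_ATTEMPT} --instance ${GITHUB_FQDN} --namespace ${GITHUB_REPOSITORY} --ref ${GITHUB_REF}
+srp provenance declare-source git --verbose --set-key=function-buildpack-source --path .
+srp provenance action start --name=publish
+
+srp provenance action import-cmd --cmd "make base_url=$url registry.location=other REGISTRY=$registry $target"
+observer_agent -m start_observer -e "${SRP_WORKING_DIR}"/required-envs.sh -S
+source "${SRP_WORKING_DIR}"/required-envs.sh set
+
+make base_url=$url registry.location=other REGISTRY=$registry $target
+
+source "${SRP_WORKING_DIR}"/required-envs.sh unset
+rm "${SRP_WORKING_DIR}/required-envs.sh"
+observer_agent -m stop_observer -f network_provenance.json
+
+key="${registry}/${BUILDPACK}-buildpack:${version}"
+echo "key set to ${key}"
+action="publish"
+image=$(docker inspect "${key}" | jq -r '.[0].RepoDigests[0]')
+srp provenance add-output docker \
+--set-key="${key}" \
+--action-key="${action}" \
+--name="${image%%@*}" \
+--location="${image%%@*}" \
+--digest="${image##*@}"
+
+srp provenance add-input syft --scan-target="${key}" --output-key="${key}"
+
+srp provenance action import-observation --name="publish" --file=network_provenance.json
+srp provenance action stop
+
+echo "------------- Completed ${SRP_WORKING_DIR}/_provenance.json -------------"
+cat "${SRP_WORKING_DIR}"/_provenance.json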
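Review bot: `image=$(docker inspect "${key}" | jq -r '.[0].RepoDigests[0]')` yields the literal string `null` when the image has no repo digest (for instance if the push did not happen), and `set -e` does not catch that because jq exits 0; the provenance record is then written with name, location and digest all equal to `null`, which is exactly the record a consumer would rely on to verify the published artifact. Use `image=$(docker inspect "${key}" | jq -r '.[0].RepoDigests[0] // empty')` followed by `[ -n "${image}" ] || { echo "no RepoDigest for ${key}" >&2; exit 1; }` so the step fails instead. Separately, `mkdir -p ${SRP_WORKING_DIR}` and the `GITHUB_*` expansions on the `add-build` line are unquoted while every other expansion in the file is quoted; quoting them keeps word splitting out of the provenance fields.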
15 changes: 0 additions & 15 deletions .github/actions/srp-helper/submit/action.yml
Expand Up @@ -3,24 +3,9 @@

name: 'SRP Helper Submit'
description: 'Helper action to submit data for VMware SRP CLI'
inputs:
source-provenance-path:
description: 'Location of the source provenance file'
required: false
network-provenance-path:
description: 'Location of the network provenance file'
required: false
srp-url:
description: 'SRP service URL, if set to empty it will use the default internal URL. Defaults to the external service URL.'
default: 'https://apigw.vmware.com/v1/s1/api/helix-beta'
required: true
runs:
using: "composite"
steps:
- id: submit
run: ${{ github.action_path }}/submit.sh
env:
SOURCE_PROVENANCE_PATH: ${{ inputs.source-provenance-path }}
NETWORK_PROVENANCE_PATH: ${{ inputs.network-provenance-path }}
SRP_URL: ${{ inputs.srp-url }}
shell: bash
68 changes: 2 additions & 66 deletions .github/actions/srp-helper/submit/submit.sh
Expand Up @@ -4,70 +4,6 @@

set -euo pipefail

trap 'catch' ERR
catch() {
echo "An error has occurred removing SRP data"
rm -rf ./srp_data
}
srp provenance compile --saveto "${SRP_WORKING_DIR}"/prov3_fragment.json

echo "Runway SRP: Submit provenance."

SRP_UID="$(<./srp_data/srp_uid)"
FULL_SRP_UID="uid.mtd.provenance_2_5.fragment(obj_uid=$SRP_UID,revision='')"
echo "Full SRP UID that will be used for upload: $FULL_SRP_UID"

if [ -z "$SOURCE_PROVENANCE_PATH" ] && [ -f "$SOURCE_PROVENANCE_PATH" ]; then
cp "$SOURCE_PROVENANCE_PATH" "./srp_data/source_provenance.json"
fi

if [ -z "$NETWORK_PROVENANCE_PATH" ] && [ -f "$NETWORK_PROVENANCE_PATH" ]; then
cp "$NETWORK_PROVENANCE_PATH" "./srp_data/network_provenance.json"
fi

if [ -f "./srp_data/network_provenance.json" ]; then
echo "Found network provenance: ./srp_data/network_provenance.json"
echo "Merging network provenance and source provenance:"
srp provenance merge \
--source ./srp_data/source_provenance.json \
--network ./srp_data/network_provenance.json \
--saveto ./srp_data/finalized_source_provenance.json \
--config ./srp_data/config.yml
else
echo "No network provenance found"
cp ./srp_data/source_provenance.json ./srp_data/finalized_source_provenance.json
fi

# TODO: move --url to the init phase, once the SRP CLI supports it
# There is an open issue to allow it to be set through config.yml, which would
# remove the need to set it on every invocation.
echo "Finalized source provenance location: ./srp_data/finalized_source_provenance.json"
echo "Submitting source provenance via SRP CLI:"
if [ -z "$SRP_URL" ]; then
srp metadata submit \
--path ./srp_data/finalized_source_provenance.json \
--uid "$FULL_SRP_UID" \
--config ./srp_data/config.yml
else
srp metadata submit \
--path ./srp_data/finalized_source_provenance.json \
--uid "$FULL_SRP_UID" \
--url "$SRP_URL" \
--config ./srp_data/config.yml
fi

echo "Downloading source provenance via SRP CLI:"
if [ -z "$SRP_URL" ]; then
srp metadata get \
--uid "$FULL_SRP_UID" \
--config ./srp_data/config.yml \
--pretty
else
srp metadata get \
--uid "$FULL_SRP_UID" \
--config ./srp_data/config.yml \
--url "$SRP_URL" \
--pretty
fi

echo "Done. Removing SRP data."
rm -rf ./srp_data
srp provenance submit --verbose --path "${SRP_WORKING_DIR}"/prov3_fragment.json
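Review bot: The new two-line body drops the `trap 'catch' ERR` cleanup and never removes `${SRP_WORKING_DIR}`, so `_provenance.json` and `prov3_fragment.json` stay in `/tmp/srp` after submit, whether the submit succeeded or not. That is harmless on an ephemeral hosted runner but on a self-hosted runner the build record lingers across jobs and a later run would `mkdir -p` over it. If nothing after this step needs the files, add `trap 'rm -rf "${SRP_WORKING_DIR}"' EXIT` right after `set -euo pipefail`; if they are wanted as a debugging artifact, say so in a comment above the compile line. The script's first lines are outside the hunk.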
22 changes: 20 additions & 2 deletions .github/workflows/create-buildpack-release.yaml
Expand Up @@ -8,6 +8,7 @@ env:
REGISTRY: ghcr.io
CONTAINER_PATH: ${{ github.repository }}
DEPENDENCY_BASE_URL: https://github.com/${{ github.repository }}
SRP_WORKING_DIR: /tmp/srp

on:
workflow_dispatch:
Expand Down Expand Up @@ -47,6 +48,8 @@ jobs:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
env:
VES_DOCKER: /usr/bin/docker
- id: version
uses: ./.github/actions/semver-bump
with:
Expand All @@ -64,13 +67,26 @@ jobs:
target: buildpacks.${{ github.event.inputs.buildpack }}.tests
run: |
make $target
- name: Check SRP Creds
uses: ./.github/actions/srp-helper/check-srp-creds
with:
client-id: ${{ secrets.SRP_CLIENT_ID }}
client-secret: ${{ secrets.SRP_CLIENT_SECRET }}
- name: Install SRP
uses: ./.github/actions/srp-helper/install
with:
srp_tools_url: ${{ secrets.SRP_TOOLS_URL }}
- name: Publish Container
with:
client-id: ${{ secrets.SRP_CLIENT_ID }}
client-secret: ${{ secrets.SRP_CLIENT_SECRET }}
buildpack: ${{ github.event.inputs.buildpack }}
env:
url: ${{ env.DEPENDENCY_BASE_URL }}
registry: "${{ env.REGISTRY }}/${{ env.CONTAINER_PATH }}"
target: "buildpacks.${{ github.event.inputs.buildpack }}.images.publish"
run: |
make base_url=$url registry.location=other REGISTRY=$registry $target
version: "${{ steps.version.outputs.version }}"
uses: ./.github/actions/srp-helper/publish-container
- name: Prepare Commit
env:
target: buildpacks.${{ github.event.inputs.buildpack }}.commit.prep
Expand Down Expand Up @@ -132,3 +148,5 @@ jobs:
${{ steps.artifacts.outputs.offline_image_file }}
${{ steps.artifacts.outputs.offline_image_sha_file }}
token: ${{ secrets.GITHUB_TOKEN }}
- name: Submit SRP
uses: ./.github/actions/srp-helper/submit
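Review bot: The `Submit SRP` step is appended after what appears to be the release-upload step (the `offline_image_*` files and `token: ${{ secrets.GITHUB_TOKEN }}` are context; the step name is outside the hunk), with no `if:` condition, so a provenance-service failure marks the job red after the release already exists, and a rerun repeats the earlier steps. Decide which contract is intended: if submitted provenance is a release gate, move the submit before the release step; if it is best-effort reporting, add `continue-on-error: true` to the step so the release is not reported as failed. The same consideration applies to the `Publish Container` step in the middle hunk, where the observer now wraps the `make` publish and an observer failure also fails the publish.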