Change SRP Provenance to use version 3.0

Signed-off-by: Joe Eltgroth <jeltgroth@vmware.com>

.github/actions/srp-helper/install/action.yml

@@ -9,5 +9,5 @@ runs:
     - id: install
       run: ${{ github.action_path }}/install.sh
       env:
-        SRP_CLIENT_URL: ${{ inputs.client-url }}
+        SRP_TOOLS_URL: ${{ inputs.srp_tools_url }}
       shell: bash

.github/actions/srp-helper/install/install.sh

@@ -6,16 +6,12 @@ set -euo pipefail
 
 echo "Installing SRP CLI"
 
-mkdir -p "$HOME/bin"
-echo "$HOME/bin" >> "$GITHUB_PATH"
+mkdir -p "$HOME/srp-tools"
+echo "$HOME/srp-tools" >> "$GITHUB_PATH"
+echo "$HOME/srp-tools/observer/bin" >> "$GITHUB_PATH"
 
-curl \
-  --show-error \
-  --silent \
-  --location \
-  --output "$HOME/bin/srp" \
-  "$SRP_CLIENT_URL"
+SRP_CLI_VERSION='0.9.9-20230724044630-61ef470-169'
+curl -L "${SRP_TOOLS_URL}/${SRP_CLI_VERSION}/srp-tools-linux-amd64-${SRP_CLI_VERSION}.tar.gz" | tar -xz -C "$HOME/srp-tools"
 
-chmod 755 "$HOME/bin/srp"
-
-"$HOME/bin/srp" --version
+"$HOME/srp-tools/srp" --version
+"$HOME/srp-tools/observer/bin/observer_agent" --version

.github/actions/srp-helper/publish-container/action.yml

@@ -0,0 +1,42 @@
+# Copyright 2021-2022 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+
+name: 'SRP Helper Start Action'
+description: 'Start the SRP observer, build and publish the container, stop the SRP observations'
+inputs:
+  client-id:
+    description: 'Client ID associated with your CSP org'
+    required: true
+  client-secret:
+    description: 'Client Secret associated with your CSP org'
+    required: true
+  build-type:
+    description: 'Name of the built type to be stored in source provenance'
+    default: release
+    required: true
+  scm-type:
+    description: 'SCM type of the processed repos'
+    default: git
+    required: true
+  buildpack:
+    description: 'Language of buildpack'
+    required: true
+
+#outputs:
+#  provenance-file:
+#    description: "SRP Provenance file"
+#    value: ${{ steps.publish-container.outputs.provenance-file }}
+
+runs:
+  using: "composite"
+  steps:
+    - id: publish
+      env:
+        CLIENT_ID: ${{ inputs.client-id }}
+        CLIENT_SECRET: ${{ inputs.client-secret }}
+        BUILD_TYPE: ${{ inputs.build-type }}
+        SCM_TYPE: ${{ inputs.scm-type }}
+        BUILDPACK: ${{ inputs.buildpack }}
+        VES_DOCKER: /usr/bin/docker
+      run: ${{ github.action_path }}/publish.sh
+      shell: bash

.github/actions/srp-helper/publish-container/publish.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+# Copyright 2021-2022 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+
+set -euo pipefail
+
+trap 'catch' ERR
+catch() {
+  echo "An error has occurred removing SRP data"
+  rm -rf ./tmp/srp
+}
+
+echo "SRP: Collect source provenance."
+
+mkdir -p /tmp/srp
+srp config auth --client-id "$CLIENT_ID" --client-secret "$CLIENT_SECRET"
+srp provenance init
+
+GITHUB_FQDN=$(echo "${GITHUB_SERVER_URL}" | sed -e "s/^https:\/\///")
+srp provenance add-build github --action ${GITHUB_ACTION} --build-id ${GITHUB_RUN_ID}_${GITHUB_RUN_ATTEMPT} --instance ${GITHUB_FQDN} --namespace ${GITHUB_REPOSITORY} --ref ${GITHUB_REF}
+srp provenance declare-source git --verbose --set-key=function-buildpack-source --path .
+srp provenance action start --name=publish
+
+srp provenance action import-cmd --cmd "make base_url=$url registry.location=other REGISTRY=$registry $target"
+observer_agent -m start_observer -e "${SRP_WORKING_DIR}"/required-envs.sh -S
+source "${SRP_WORKING_DIR}"/required-envs.sh set
+
+echo "VES_DOCKER set to $VES_DOCKER"
+
+make base_url=$url registry.location=other REGISTRY=$registry $target
+
+source "${SRP_WORKING_DIR}"/required-envs.sh unset
+rm "${SRP_WORKING_DIR}/required-envs.sh"
+observer_agent -m stop_observer -f network_provenance.json
+
+key="${registry}/${buildpack}-buildpack:${version}"
+echo "key set to ${key}"
+action="publish"
+image="${registry}/${buildpack}-buildpack:${version}"
+srp provenance add-output docker \
+    	--set-key="${key}" \
+    	--action-key="${action}" \
+    	--name="${image%%@*}" \
+    	--location="${image%%@*}" \
+    	--digest="${image##*@}"
+
+srp provenance action import-observation --name="publish" --file=network_provenance.json
+srp provenance action stop
+
+cat "${SRP_WORKING_DIR}"/_provenance.json
+
+#echo "::set-output name=provenance-file::${SRP_WORKING_DIR}/_provenance.json"

.github/actions/srp-helper/submit/action.yml

@@ -4,6 +4,12 @@
 name: 'SRP Helper Submit'
 description: 'Helper action to submit data for VMware SRP CLI'
 inputs:
+  client-id:
+    description: 'Client ID associated with your CSP org'
+    required: true
+  client-secret:
+    description: 'Client Secret associated with your CSP org'
+    required: true
   source-provenance-path:
     description: 'Location of the source provenance file'
     required: false
@@ -20,6 +26,8 @@ runs:
     - id: submit
       run: ${{ github.action_path }}/submit.sh
       env:
+        SRP_CLIENT_ID: ${{ inputs.client-id }}
+        SRP_CLIENT_SECRET: ${{ inputs.client-secret }}
         SOURCE_PROVENANCE_PATH: ${{ inputs.source-provenance-path }}
         NETWORK_PROVENANCE_PATH: ${{ inputs.network-provenance-path }}
         SRP_URL: ${{ inputs.srp-url }}

.github/actions/srp-helper/submit/submit.sh

@@ -4,70 +4,6 @@
 
 set -euo pipefail
 
-trap 'catch' ERR
-catch() {
-  echo "An error has occurred removing SRP data"
-  rm -rf ./srp_data
-}
+srp provenance compile --saveto "${SRP_WORKING_DIR}"/prov3_fragment.json
 
-echo "Runway SRP: Submit provenance."
-
-SRP_UID="$(<./srp_data/srp_uid)"
-FULL_SRP_UID="uid.mtd.provenance_2_5.fragment(obj_uid=$SRP_UID,revision='')"
-echo "Full SRP UID that will be used for upload: $FULL_SRP_UID"
-
-if [ -z "$SOURCE_PROVENANCE_PATH" ] && [ -f "$SOURCE_PROVENANCE_PATH" ]; then
-    cp "$SOURCE_PROVENANCE_PATH" "./srp_data/source_provenance.json"
-fi
-
-if [ -z "$NETWORK_PROVENANCE_PATH" ] && [ -f "$NETWORK_PROVENANCE_PATH" ]; then
-    cp "$NETWORK_PROVENANCE_PATH" "./srp_data/network_provenance.json"
-fi
-
-if [ -f "./srp_data/network_provenance.json" ]; then
-    echo "Found network provenance: ./srp_data/network_provenance.json"
-    echo "Merging network provenance and source provenance:"
-    srp provenance merge \
-        --source ./srp_data/source_provenance.json \
-        --network ./srp_data/network_provenance.json \
-        --saveto ./srp_data/finalized_source_provenance.json \
-        --config ./srp_data/config.yml
-else
-    echo "No network provenance found"
-    cp ./srp_data/source_provenance.json ./srp_data/finalized_source_provenance.json
-fi
-
-# TODO: move --url to the init phase, once the SRP CLI supports it
-#   There is an open issue to allow it to be set through config.yml, which would 
-#   remove the need to set it on every invocation.
-echo "Finalized source provenance location: ./srp_data/finalized_source_provenance.json"
-echo "Submitting source provenance via SRP CLI:"
-if [ -z "$SRP_URL" ]; then
-    srp metadata submit \
-        --path ./srp_data/finalized_source_provenance.json \
-        --uid "$FULL_SRP_UID" \
-        --config ./srp_data/config.yml
-else
-    srp metadata submit \
-        --path ./srp_data/finalized_source_provenance.json \
-        --uid "$FULL_SRP_UID" \
-        --url "$SRP_URL" \
-        --config ./srp_data/config.yml
-fi
-
-echo "Downloading source provenance via SRP CLI:"
-if [ -z "$SRP_URL" ]; then
-    srp metadata get \
-        --uid "$FULL_SRP_UID" \
-        --config ./srp_data/config.yml \
-        --pretty
-else
-    srp metadata get \
-        --uid "$FULL_SRP_UID" \
-        --config ./srp_data/config.yml \
-        --url "$SRP_URL" \
-        --pretty
-fi
-
-echo "Done. Removing SRP data."
-rm -rf ./srp_data
+srp provenance submit --verbose --path "${SRP_WORKING_DIR}"/prov3_fragment.json