Feature: add builder info to provenance

[laurentsimon]

We should investigate capturing runner OS's information if available in /etc
Maybe also provide an SBOM of our builder, etc.

GitHub may also expose info. In the logs, for example, VM setup shows info like:

Current runner version: '2.288.1'
Environment: ubuntu-20.04
  Version: 20220227.1
  Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20220227.1/images/linux/Ubuntu2004-Readme.md
  Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20220227.1
Virtual Environment Provisioner
  1.0.0.0-main-20220307-1

[joshuagl]

As of slsa-framework/slsa-github-generator-go#16 we capture the runner's Image details (GitHub tag) in the materials.
@laurentsimon proposed (slsa-framework/slsa-github-generator-go#16 (comment)) that we improve this by including the SHA (as tags are not immutable).

[joshuagl]

Unfortunately the virtual-environment itself does not seem to include the SHA of the commit the tag references, but it's highly desirable to include this in order to list fully traceable information about the images in the provenance (tags can be replaced, after all).

One option is to query the ref the tag currently points to at provenance generation time with a programmatic equivalent to:

gh api -H "Accept: application/vnd.github.v3+json" /repos/actions/virtual-environments/git/matching-refs/tags/$ImageOS/$ImageVersion

However, what we really want is the SHA at the time the image was built. Unless anyone has any smarter ideas, I think I'll file a feature request against actions/virtual-environments to include the SHA commit hash matching the tag into the environment or the /imagegeneration/imagedata.json file.

[laurentsimon]

Unfortunately the virtual-environment itself does not seem to include the SHA of the commit the tag references, but it's highly desirable to include this in order to list fully traceable information about the images in the provenance (tags can be replaced, after all).

One option is to query the ref the tag currently points to at provenance generation time with a programmatic equivalent to:

gh api -H "Accept: application/vnd.github.v3+json" /repos/actions/virtual-environments/git/matching-refs/tags/$ImageOS/$ImageVersion

However, what we really want is the SHA at the time the image was built. Unless anyone has any smarter ideas, I think I'll file a feature request against actions/virtual-environments to include the SHA commit hash matching the tag into the environment or the /imagegeneration/imagedata.json file.

+1 on asking them to add it.

How about: gh api repos/$REPO/git/ref/tags/ubuntu20/20220425.1 | jq -r '.object.sha' ?

[joshuagl]

+1 on asking them to add it.

The actions/virtual-environments repository has fairly rigid issue templates so I started a discussion instead: actions/runner-images#5483

[laurentsimon]

I'm curious: are we certain that the virtual runner used in the provenance generation VM is the same as the one used by the actual build?

Similarly: If we want to report the compiler hash used during compilation, we may also need to validate they are the same in the build VM and the dry run VM. Or we move to container image, maybe something like https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-running-a-job-within-a-container?