Container build type

.github/workflows/configs-container/config-release.yml

@@ -0,0 +1,14 @@
+# Used for binary releases.
+version: 1
+env:
+  - GO111MODULE=on
+  - CGO_ENABLED=0
+
+flags:
+  - -trimpath
+  - -tags=netgo
+
+goos: linux
+goarch: amd64
+dir: internal/builders/container/
+binary: slsa-generator-container-{{ .Os }}-{{ .Arch }}

.github/workflows/configs-generic/config-release.yml

@@ -1,4 +1,4 @@
-# Used for pre-submit tests.
+# Used for binary releases.
 version: 1
 env:
   - GO111MODULE=on

.github/workflows/generator_container_slsa3.yml

@@ -16,8 +16,8 @@ name: SLSA container image provenance
 
 env:
   # Generator
-  BUILDER_BINARY: slsa-generator-generic-linux-amd64 # Name of the binary in the release assets.
-  BUILDER_DIR: internal/builders/generic # Source directory if we compile the builder.
+  BUILDER_BINARY: slsa-generator-container-linux-amd64 # Name of the binary in the release assets.
+  BUILDER_DIR: internal/builders/container # Source directory if we compile the builder.
 
 on:
   workflow_call:

.github/workflows/release.yml

@@ -5,7 +5,7 @@ on:
   workflow_dispatch:
     inputs:
       release-tag:
-        description: 'Release tag to test'
+        description: "Release tag to test"
         required: true
         type: string
   push:
@@ -39,6 +39,19 @@ jobs:
         if: github.ref_type == 'tag'
         run: ./__THIS_REPO__/.github/workflows/scripts/pre-release/references.sh
 
+  # Generic generator.
+  container-generator:
+    needs: [pre-release-refs]
+    permissions:
+      id-token: write # For signing.
+      contents: write # For asset uploads.
+      actions: read # For the entrypoint.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@main
+    with:
+      go-version: 1.18
+      config-file: .github/workflows/configs-container/config-release.yml
+      compile-builder: true
+
   # Generic generator.
   generic-generator:
     needs: [pre-release-refs]

internal/builders/common/buildtype.go

@@ -0,0 +1,14 @@
+package common
+
+import "github.com/slsa-framework/slsa-github-generator/slsa"
+
+// GenericBuild is a very generic build type where build type can be specified.
+type GenericBuild struct {
+	*slsa.GithubActionsBuild
+	BuildTypeURI string
+}
+
+// URI implements BuildType.URI.
+func (b *GenericBuild) URI() string {
+	return b.BuildTypeURI
+}

internal/builders/container/README.md

@@ -220,10 +220,10 @@ Secrets:
 
 The project generates SLSA provenance with the following values.
 
-| Name                         | Value                                                                  | Description                                                                                                                                                                                                            |
-| ---------------------------- | ---------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `buildType`                  | `"https://github.com/slsa-framework/slsa-github-generator/generic@v1"` | Identifies a generic GitHub Actions build.                                                                                                                                                                             |
-| `metadata.buildInvocationID` | `"[run_id]-[run_attempt]"`                                             | The GitHub Actions [`run_id`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context) does not update when a workflow is re-run. Run attempt is added to make the build invocation ID unique. |
+| Name                         | Value                                                                    | Description                                                                                                                                                                                                            |
+| ---------------------------- | ------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `buildType`                  | `"https://github.com/slsa-framework/slsa-github-generator/container@v1"` | Identifies a the GitHub Actions build.                                                                                                                                                                                 |
+| `metadata.buildInvocationID` | `"[run_id]-[run_attempt]"`                                               | The GitHub Actions [`run_id`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context) does not update when a workflow is re-run. Run attempt is added to make the build invocation ID unique. |
 
 ### Provenance Example
 
@@ -246,7 +246,7 @@ generated as an [in-toto](https://in-toto.io/) statement with a SLSA predicate.
     "builder": {
       "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.1.1"
     },
-    "buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",
+    "buildType": "https://github.com/slsa-framework/slsa-github-generator/container@v1",
     "invocation": {
       "configSource": {
         "uri": "git+https://github.com/ianlewis/actions-test@refs/heads/main.git",

internal/builders/generic/generate.go → internal/builders/container/generate.go

@@ -22,6 +22,7 @@ import (
 	"github.com/spf13/cobra"
 
 	"github.com/slsa-framework/slsa-github-generator/github"
+	"github.com/slsa-framework/slsa-github-generator/internal/builders/common"
 	"github.com/slsa-framework/slsa-github-generator/internal/utils"
 	"github.com/slsa-framework/slsa-github-generator/slsa"
 )
@@ -42,10 +43,12 @@ that it is being run in the context of a Github Actions workflow.`,
 
 			ctx := context.Background()
 
-			b := provenanceOnlyBuild{
+			b := common.GenericBuild{
 				// NOTE: Subjects are nil because we are only writing the predicate.
 				GithubActionsBuild: slsa.NewGithubActionsBuild(nil, ghContext),
+				BuildTypeURI:       containerBuildType,
 			}
+
 			if provider != nil {
 				b.WithClients(provider)
 			} else {

internal/builders/generic/generate_test.go → internal/builders/container/generate_test.go

@@ -25,6 +25,14 @@ import (
 	"github.com/slsa-framework/slsa-github-generator/slsa"
 )
 
+func checkTest(t *testing.T) func(err error) {
+	return func(err error) {
+		if err != nil {
+			t.Fatalf("%v", err)
+		}
+	}
+}
+
 func Test_generateCmd_default_predicate(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
 

internal/builders/container/main.go

@@ -0,0 +1,55 @@
+// Copyright 2022 SLSA Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"errors"
+	"fmt"
+	"os"
+
+	// Enable the github OIDC auth provider.
+	_ "github.com/sigstore/cosign/pkg/providers/github"
+
+	"github.com/spf13/cobra"
+)
+
+// containerBuildType is the URI for generic container SLSA generation.
+var containerBuildType = "https://github.com/slsa-framework/slsa-github-generator/container@v1"
+
+func checkExit(err error) {
+	if err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+}
+
+func rootCmd() *cobra.Command {
+	c := &cobra.Command{
+		Use:   "slsa-generator-container",
+		Short: "Generate SLSA provenance for containers on Github Actions",
+		Long: `Generate SLSA provenance for containers on Github Actions.
+For more information on SLSA, visit https://slsa.dev`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return errors.New("expected command")
+		},
+	}
+	c.AddCommand(versionCmd())
+	c.AddCommand(generateCmd(nil, checkExit))
+	return c
+}
+
+func main() {
+	checkExit(rootCmd().Execute())
+}

internal/builders/container/version.go

@@ -0,0 +1,33 @@
+// Copyright 2022 SLSA Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	"github.com/slsa-framework/slsa-github-generator/version"
+)
+
+func versionCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:   "version",
+		Short: "Print the version and exit",
+		Run: func(cmd *cobra.Command, args []string) {
+			fmt.Println(version.Version)
+		},
+	}
+}

internal/builders/generic/attest.go

@@ -25,6 +25,7 @@ import (
 	"github.com/spf13/cobra"
 
 	"github.com/slsa-framework/slsa-github-generator/github"
+	"github.com/slsa-framework/slsa-github-generator/internal/builders/common"
 	"github.com/slsa-framework/slsa-github-generator/internal/errors"
 	"github.com/slsa-framework/slsa-github-generator/internal/utils"
 	"github.com/slsa-framework/slsa-github-generator/signing"
@@ -71,8 +72,9 @@ run in the context of a Github Actions workflow.`,
 
 			ctx := context.Background()
 
-			b := provenanceOnlyBuild{
+			b := common.GenericBuild{
 				GithubActionsBuild: slsa.NewGithubActionsBuild(parsedSubjects, ghContext),
+				BuildTypeURI:       provenanceOnlyBuildType,
 			}
 			if provider != nil {
 				b.WithClients(provider)

internal/builders/generic/generic.go

@@ -27,7 +27,6 @@ import (
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 	"github.com/slsa-framework/slsa-github-generator/internal/errors"
-	"github.com/slsa-framework/slsa-github-generator/slsa"
 )
 
 func checkExit(err error) {
@@ -132,12 +131,3 @@ func parseSubjects(b64str string) ([]intoto.Subject, error) {
 
 	return parsed, nil
 }
-
-type provenanceOnlyBuild struct {
-	*slsa.GithubActionsBuild
-}
-
-// URI implements BuildType.URI.
-func (b *provenanceOnlyBuild) URI() string {
-	return provenanceOnlyBuildType
-}

internal/builders/generic/main.go

@@ -27,7 +27,7 @@ import (
 
 func rootCmd() *cobra.Command {
 	c := &cobra.Command{
-		Use:   "slsa-github-generator",
+		Use:   "slsa-generator-generic",
 		Short: "Generate SLSA provenance for Github Actions",
 		Long: `Generate SLSA provenance for Github Actions.
 For more information on SLSA, visit https://slsa.dev`,
@@ -37,7 +37,6 @@ For more information on SLSA, visit https://slsa.dev`,
 	}
 	c.AddCommand(versionCmd())
 	c.AddCommand(attestCmd(nil, checkExit, sigstore.NewDefaultFulcio(), sigstore.NewDefaultRekor()))
-	c.AddCommand(generateCmd(nil, checkExit))
 	return c
 }