Add a GitHub Action for installing slsa-verifier.

[kpk47]

This is a rewrite of #233 in Typescript.

@asraa @ianlewis @laurentsimon

[laurentsimon]

looks good. Left a few comment. I think this is the "allow installation of any version". Heard back from Ian whether he's OK with using the @v1.2.3 opption instead?

[kpk47]

@laurentsimon I spoke with Ian about pinning by release tags, and he's fine with it. Unfortunately, I've written a bunch of versions of this action and decided that I like the version with a version input and an explicit LATEST_VERSION in the javascript. Here's my reasoning. LMK if you disagree.

Pros

• Users can still pin to a release tag if they want. The version input is optional, and pinning to a release tag will install whichever version was latest at the time of release (i.e. @1.2.3 will install v1.2.3).
• If we have an explicit LATEST_VERSION in the code, users can pin to a commit hash. GH's documentation on using public actions recommends pinning to a commit SHA rather than a release version or main, so I think it's important we support that use case.
• It's easier to write the action if it takes the version as input. action_path and action_ref are not part of the subset of the GH context that's available to Javascript actions, so getting the version that way requires an ugly hack with a second (composite) action. I wrote that version and discarded it because my intuition is that it would be brittle.
• It's easier to test the action if it takes the version as an input since we can use a matrix to cover all supported release versions. We cannot parse the version from a local action (it's always main at whatever commit you have checked out), so we'd need to use a second repo for running tests. I don't think it's worth the hassle.
• After looking through the GHA Marketplace, I realized that it would be very unusual if we only allowed choosing the installed version by pinning the action to a release tag. Every other *-setup action I found either supported taking the version as an input or only supported installing the latest release. I think that being unusual in this way would be helpful for adoption.

Cons

• We have to keep the LATEST_VERSION constant up to date, which most likely means adding an extra step to our release process.

[laurentsimon]

@laurentsimon I spoke with Ian about pinning by release tags, and he's fine with it. Unfortunately, I've written a bunch of versions of this action and decided that I like the version with a version input and an explicit LATEST_VERSION in the javascript. Here's my reasoning. LMK if you disagree.

Pros

• Users can still pin to a release tag if they want. The version input is optional, and pinning to a release tag will install whichever version was latest at the time of release (i.e. @1.2.3 will install v1.2.3).
• If we have an explicit LATEST_VERSION in the code, users can pin to a commit hash. GH's documentation on using public actions recommends pinning to a commit SHA rather than a release version or main, so I think it's important we support that use case.

We can support this pinning by hash by getting the hash from the GITHUB_ACTION_PATH env variable, iterating over releases and finding the one that corresponds to the hash. Note that it would be fine to have a first version that only supports tag pins. Not a problem.

• It's easier to write the action if it takes the version as input. action_path and action_ref are not part of the subset of the GH context that's available to Javascript actions, so getting the version that way requires an ugly hack with a second (composite) action. I wrote that version and discarded it because my intuition is that it would be brittle.

action_path is accessible thru GITHUB_ACTION_PATH env variable, and it contains the ref, which is either a tag or as hash.

• It's easier to test the action if it takes the version as an input since we can use a matrix to cover all supported release versions. We cannot parse the version from a local action (it's always main at whatever commit you have checked out), so we'd need to use a second repo for running tests. I don't think it's worth the hassle.

We can use an API to list the version, and dynamically generate the matrix, as in https://michaelheap.com/dynamic-matrix-generation-github-actions/.

• After looking through the GHA Marketplace, I realized that it would be very unusual if we only allowed choosing the installed version by pinning the action to a release tag. Every other *-setup action I found either supported taking the version as an input or only supported installing the latest release. I think that being unusual in this way would be helpful for adoption.

That's the main argument against.

Cons

• We have to keep the LATEST_VERSION constant up to date, which most likely means adding an extra step to our release process.

Let's enjoy the week-end. I know re-writing so many times is frustrating. Let's sync next week.
Thanks again for the hard work you've put into this. Maybe we've been a bit unlucky with the choice of the first PR :/

[laurentsimon]

Thanks!
Just added a nit to rename files for pre-submit, and we're good to merge

[ianlewis]

Looks good!

[laurentsimon]

I thought we'd use the GITHUB_ACTION_PATH to determine the version to download?

[kpk47]

@laurentsimon GITHUB_ACTION_PATH is only available to composite actions (https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables).

[laurentsimon]

@laurentsimon GITHUB_ACTION_PATH is only available to composite actions (https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables).

ouch, all these strange corner cases. Good find!
One hack is to declare a composite action and have a single step that calls node code.js. Does this work?

Note: GH are working on better APIs for Actions / re-usable workflows to determine their identity / ref, so later we should be able to use it.

[kpk47]

Okay, I think I've address all of your comments. PTAL and then I think we're ready to merge.

[laurentsimon]

Please re-base

[laurentsimon]

Let's remove this. We don't want to encourage this

[kpk47]

Done

[laurentsimon]

This is really nice!

[kpk47]

Thanks! I copied it from you (slsa-framework/slsa-github-generator#86). 😅

[laurentsimon]

forgot to remove the test in the main action?

[kpk47]

Done.

[ianlewis]

LGTM, pending doc changes that @laurentsimon commented on, and merging the conflicting pre-submit.yml changes.

[kpk47]

I think I've fixed the merge conflicts, but I can't get GitHub to recognize it. I dropped the changes in pre-submit.yml in favor of a straight rename, so I'm not sure what else I can do.

[laurentsimon]

yeah things get weird when re-basing and files that are deleted have some updates. Have you tried git rm the pre-submit.yml to see if it helps?

[kpk47]

Okay, I think I got it. For posterity, the fix was re-adding pre-submit.yml, merging in changes from main, removing pre-submit.cli.yml, and then re-doing the name change from pre-submit.yml to pre-submit.cli.yml.

[laurentsimon]

I think think this file exists anymore, does it? Let's remove this line. You can send a PR to add an example to this README later, including a link to it from the main README.