From e6280d824e6022845d47ab794ad28444e27b9acd Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Thu, 10 Feb 2022 10:14:10 +0100
Subject: [PATCH] Install slsa-provenance instead of using docker image

This to resolve workflows that require docker login

Signed-off-by: Marco Franssen
---
 .gitignore | 1 +
 Makefile | 2 +-
 action.yaml | 26 +++++++++++++--------
 install-slsa-provenance.sh | 47 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 66 insertions(+), 10 deletions(-)
 create mode 100755 install-slsa-provenance.sh

diff --git a/.gitignore b/.gitignore
index 4ce7da0e..2d6d08e4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ coverage.out
 .DS_Store
 .env
 cosign.key
+.slsa-provenance
diff --git a/Makefile b/Makefile
index a30700d7..965eb4f1 100644
--- a/Makefile
+++ b/Makefile
@@ -117,7 +117,7 @@ gh-release: ## Creates a new release by creating a new tag and pushing it
 @:$(call check_defined, DESCRIPTION)
 @git stash -u
 @echo Bumping $(OLD_VERSION) to $(NEW_VERSION)…
- @$(SED) -i 's/$(OLD_VERSION)/$(NEW_VERSION)/g' .github/workflows/*.yaml *.yaml *.md
+ @$(SED) -i 's/$(OLD_VERSION)/$(NEW_VERSION)/g' .github/workflows/*.yaml *.yaml *.md *.sh
 @git add .
 @git commit -s -m "Bump $(OLD_VERSION) to $(NEW_VERSION) for release"
 @git tag -sam "$(DESCRIPTION)" $(NEW_VERSION)
diff --git a/action.yaml b/action.yaml
index 377415f1..857a9d48 100644
--- a/action.yaml
+++ b/action.yaml
@@ -23,15 +23,25 @@ inputs:
 arguments:
 description: 'commandline options for the given subcommand'
 required: true
+ install-dir:
+ description: 'Where to install the slsa-provenance binary'
+ required: false
+ default: '$HOME/.slsa-provenance'
 runs:
 using: 'composite'
 steps:
+ - name: install binary
+ shell: bash
+ run: $GITHUB_ACTION_PATH/install-slsa-provenance.sh
+ env:
+ INSTALL_PATH: ${{ inputs.install-dir }}
+
 - name: compose arguments
 id: compose-args
 shell: bash
 run: |
- encoded_github="$( echo ${GITHUB_CONTEXT} | base64 -w 0)"
- encoded_runner="$( echo ${RUNNER_CONTEXT} | base64 -w 0)"
+ encoded_github="$(echo ${GITHUB_CONTEXT} | base64 -w 0)"
+ encoded_runner="$(echo ${RUNNER_CONTEXT} | base64 -w 0)"

 args=(${{ inputs.command }})
 args+=(${{ inputs.subcommand }})
@@ -45,11 +55,9 @@ runs:
 env:
 GITHUB_CONTEXT: ${{ inputs.github_context }}
 RUNNER_CONTEXT: ${{ inputs.runner_context }}
- - name: Debug arguments
+
+ - name: Generate provenance
 shell: bash
- run: |
- echo Running slsa-provenance with following arguments
- echo ${{ steps.compose-args.outputs.provenance_args }}
- - uses: 'docker://ghcr.io/philips-labs/slsa-provenance:v0.6.0'
- with:
- args: ${{ steps.compose-args.outputs.provenance_args }}
+ run: $INSTALL_PATH/bin/slsa-provenance ${{ steps.compose-args.outputs.provenance_args }}
+ env:
+ INSTALL_PATH: ${{ inputs.install-dir }}
diff --git a/install-slsa-provenance.sh b/install-slsa-provenance.sh
new file mode 100755
index 00000000..44a97a2d
--- /dev/null
+++ b/install-slsa-provenance.sh
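Review bot: The default `'$HOME/.slsa-provenance'` for the new `install-dir` input reaches the install script as the literal text `$HOME/.slsa-provenance`, because neither `${{ inputs.install-dir }}` nor the `env:` mapping of the install step performs shell expansion. As far as I can tell, `realpath` in install-slsa-provenance.sh then resolves that string relative to the working directory, so the binary lands in a directory literally named `$HOME` inside the workspace rather than under the runner's home, and the Generate provenance step only finds it again because it expands `$INSTALL_PATH` from the same working directory. A relative default that matches the `.slsa-provenance` entry this commit adds to `.gitignore` avoids the surprise: `default: '.slsa-provenance'`. The script's own fallback `./.slsa-provenance` would then agree with the action's default too.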
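Review bot: The new `run:` line of the Generate provenance step splices `${{ steps.compose-args.outputs.provenance_args }}` straight into bash command text, whereas the docker step it replaces handed the same value over as container arguments with no shell in between. That output is built from the `command`, `subcommand` and `arguments` inputs, so a caller that forwards event-derived data (a PR title or branch name, say) into `arguments` now has it evaluated by bash inside the job, which is the classic expression-injection pattern; the same interpolation already exists in the compose-args context lines above, so this hunk widens rather than creates the exposure. Passing the value through the environment keeps it out of the parsed command: add `PROVENANCE_ARGS: ${{ steps.compose-args.outputs.provenance_args }}` under the step's `env:` and change the command to `run: "$INSTALL_PATH/bin/slsa-provenance" $PROVENANCE_ARGS`, which still word-splits on whitespace as before but no longer lets quotes, `$(...)` or `;` in the value reach the shell as syntax. Since the install script also appends `$INSTALL_PATH/bin` to `GITHUB_PATH`, quoting the binary path here additionally protects against an `install-dir` containing spaces.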
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+VERSION=v0.6.0
+RELEASE="https://github.com/philips-labs/slsa-provenance-action/releases/download/${VERSION}"
+OS=${RUNNER_OS:-linux}
+ARCH=${RUNNER_ARCH:-amd64}
+INSTALL_PATH="$(realpath "${INSTALL_PATH:-./.slsa-provenance}")"
+
+echo "Installing slsa-provenance at ${INSTALL_PATH}/bin"
+
+if [ "${OS}" == "Windows" ] ; then
+ OS=windows
+elif [ "${OS}" == "Linux" ] ; then
+ OS=linux
+fi
+
+if [ "${ARCH}" == "x64" ] ; then
+ ARCH=amd64
+fi
+
+mkdir -p "$INSTALL_PATH/bin"
+pushd "$INSTALL_PATH" > /dev/null || exit
+
+echo "Downloading slsa-provenance_${VERSION/v}_${OS}_${ARCH}.tar.gz"
+curl -sLo slsa-provenance.tar.gz "$RELEASE/slsa-provenance_${VERSION/v}_${OS}_${ARCH}.tar.gz"
+
+if [ -x "$(command -v cosign)" ] ; then
+ echo "Downloading slsa-provenance_${VERSION/v}_${OS}_${ARCH}.tar.gz.sig"
+ curl -sLo slsa-provenance.tar.gz.sig "$RELEASE/slsa-provenance_${VERSION/v}_${OS}_${ARCH}.tar.gz.sig"
+ echo "Downloading cosign.pub"
+ curl -sLo cosign.pub "$RELEASE/cosign.pub"
+
+ cosign verify-blob --key cosign.pub --signature slsa-provenance.tar.gz.sig slsa-provenance.tar.gz
+else
+ echo >&2
+ echo " cosign binary not installed in PATH. Unable to verify signature" >&2
+ echo >&2
+fi
+
+tar -xzf slsa-provenance.tar.gz
+mv "$INSTALL_PATH/slsa-provenance" "$INSTALL_PATH/bin"
+
+# for testing purposes fall back to "$INSTALL_PATH/GITHUB_PATH"
+echo "$INSTALL_PATH/bin" >> "${GITHUB_PATH:-"$INSTALL_PATH/GITHUB_PATH"}"
+
+popd > /dev/null || exit
+
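Review bot: Signature verification in install-slsa-provenance.sh has no influence on whether the binary gets installed: the script does not set `set -e`, the exit status of `cosign verify-blob` is never checked, and `tar -xzf` plus the `mv` into `$INSTALL_PATH/bin` run unconditionally, so a failed verification still puts the unverified binary on `GITHUB_PATH` for the next step. The downloads use `curl -sL` without `-f`, so a 404 or error page is silently written to slsa-provenance.tar.gz and only surfaces later as a confusing `tar` error. `cosign.pub` is fetched from the same release URL as the artifact and its signature, which proves the three files are consistent with each other but not that they come from the expected publisher; keeping the public key in the action repository (reachable via `$GITHUB_ACTION_PATH`, which the action already uses to locate this script) would pin that trust anchor, and the warning-only branch for a missing cosign binary is worth calling out in the README as a deliberate downgrade. The rewrite below fails closed on any download, verification or extraction error; the OS/ARCH mapping, the cosign-missing warning and the PATH handling are unchanged.

```shell
#!/usr/bin/env bash
set -euo pipefail   # stop on the first failed download, verification or extraction step

# … unchanged: VERSION/RELEASE, OS and ARCH mapping, mkdir/pushd …

echo "Downloading slsa-provenance_${VERSION/v}_${OS}_${ARCH}.tar.gz"
curl -fsSLo slsa-provenance.tar.gz "$RELEASE/slsa-provenance_${VERSION/v}_${OS}_${ARCH}.tar.gz"

if [ -x "$(command -v cosign)" ] ; then
  echo "Downloading slsa-provenance_${VERSION/v}_${OS}_${ARCH}.tar.gz.sig"
  curl -fsSLo slsa-provenance.tar.gz.sig "$RELEASE/slsa-provenance_${VERSION/v}_${OS}_${ARCH}.tar.gz.sig"
  echo "Downloading cosign.pub"
  curl -fsSLo cosign.pub "$RELEASE/cosign.pub"

  # verification must gate extraction: a bad signature means nothing is installed
  if ! cosign verify-blob --key cosign.pub --signature slsa-provenance.tar.gz.sig slsa-provenance.tar.gz ; then
    echo "signature verification of slsa-provenance.tar.gz failed; not installing" >&2
    exit 1
  fi
else
  # … unchanged: warning that cosign is not in PATH …
fi

# … unchanged: tar/mv into bin, GITHUB_PATH append, popd …
```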