Skip to content

Commit

Permalink
feat: Add directory input to Maven builder (#2538)
Browse files Browse the repository at this point in the history
Adds another `input` for the Maven builder to allow the user to specify
the project directory. The current problem this solves is to make
slsa-framework/example-package#253 work.

This was suggested by @laurentsimon in
slsa-framework/example-package#253 (comment)

---------

Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Co-authored-by: laurentsimon <[email protected]>
  • Loading branch information
AdamKorcz and laurentsimon authored Aug 15, 2023
1 parent 54473c2 commit 324ff12
Show file tree
Hide file tree
Showing 2 changed files with 34 additions and 0 deletions.
5 changes: 5 additions & 0 deletions .github/workflows/builder_maven_slsa3.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,11 @@ on:
required: false
default: 17
type: number
directory:
description: "Sub-directory to launch the build from. Must be under the workspace. Relative from the root of the file directory when invoking the builder."
required: false
type: string
default: "."

outputs:
provenance-name:
Expand Down
29 changes: 29 additions & 0 deletions internal/builders/maven/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -68,12 +68,41 @@ runs:
shell: bash
env:
SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
UNTRUSTED_PROJECT_ROOT: ${{ fromJson(inputs.slsa-workflow-inputs).directory }}
run: |
# Ensure no directory traversal.
# NOTE: the actions/download-artifact Action only creates files
# in the workspace directory, but this may change in the future.
# TODO(#1893): Consolidate directory traversal checks
validate_path() {
untrusted_path=$1
resolved_dir=$(readlink -m "$untrusted_path")
wd=$(readlink -m "${GITHUB_WORKSPACE}")
if [[ "${resolved_dir}" != "${wd}"/* ]] && [[ "${resolved_dir}" != "${wd}" ]]; then
if [[ "${RUNNER_TEMP}" != "" ]] && [[ "${resolved_dir}" != "${RUNNER_TEMP}"/* ]] && [[ "${resolved_dir}" != "${RUNNER_TEMP}" ]]; then
if [[ "${resolved_dir}" != /tmp/* ]] && [[ "${resolved_dir}" != "/tmp" ]]; then
echo "Path is not in the workspace or temp directory: $untrusted_path"
exit 1
fi
fi
fi
}
validate_path "${UNTRUSTED_PROJECT_ROOT}"
# remove trailing "/"'s with `realpath`
project_root=$(realpath "${UNTRUSTED_PROJECT_ROOT}")
mv ./__BUILDER_CHECKOUT_DIR__ ../__BUILDER_CHECKOUT_DIR__ \
&& cd ../__BUILDER_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin \
&& mvn clean install \
&& cd - \
&& cd "${project_root}" \
&& mvn package -Drun.hash.jarfile=true
# NOTE: SLSA_OUTPUTS_ARTIFACTS_FILE is a relative path and the project_root may
# not be in GITHUB_WORKSPACE, so we need to move the file.
mv $(dirname "${SLSA_OUTPUTS_ARTIFACTS_FILE}") "${GITHUB_WORKSPACE}/../"
mv target "${GITHUB_WORKSPACE}/"
- name: Upload target
id: upload-target
uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@main
Expand Down

0 comments on commit 324ff12

Please sign in to comment.