refactor to support secure upload
Signed-off-by: Noah Elzner <[email protected]>
enteraga6 committed Jul 18, 2023
1 parent ebebace commit bf082d4
Showing 3 changed files with 12 additions and 12 deletions.
2 changes: 1 addition & 1 deletion internal/builders/bazel/action.yml
Expand Up @@ -79,7 +79,7 @@ runs:
uses: slsa-framework/slsa-github-generator/.github/actions/[email protected]
with:
name: "${{ steps.rng.outputs.random }}-binaries"
path: "/tmp/bazel_builder_binaries_to_upload" # path-to-artifact(s)
path: "./bazel_builder_binaries_to_upload_to_gh" # path-to-artifact(s)

- name: Echo statement
id: confirm
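Review bot: The new `path:` value is resolved against the job's working directory, while build.sh and generate-layout.sh reach the same directory through their own relative `./bazel_builder_binaries_to_upload_to_gh`, so the three copies of this literal only agree as long as every step runs from the same cwd; a mismatch would upload or attest the wrong set of files without any error from this step. Consider emitting the directory once, as a step output or an `env:` value, and referencing it from all three places instead of repeating the string. The `runs:` block continues outside the hunk, so I cannot see whether a `working-directory` is set on the build step.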
18 changes: 9 additions & 9 deletions internal/builders/bazel/build.sh
Expand Up @@ -17,7 +17,7 @@
set -euo pipefail

# TODO(Issue #2331): switch copy to binaries to a temp dir
mkdir /tmp/bazel_builder_binaries_to_upload
mkdir bazel_builder_binaries_to_upload_to_gh

# Transfer flags and targets to their respective arrays
IFS=' ' read -r -a build_flags <<< "${FLAGS}"
Expand Down Expand Up @@ -97,14 +97,14 @@ for curr_target in "${!targets_set[@]}"; do
run_script_name=$(echo "$binary_name" | awk -F'_deploy.jar' '{print $1}')

# Create dir for artifact and its runfiles
mkdir "/tmp/bazel_builder_binaries_to_upload/$run_script_name"
mkdir "./bazel_builder_binaries_to_upload_to_gh/$run_script_name"

# Get the absolute path to output of Java JAR artifact.
bazel_generated=$(bazel cquery --output=starlark --starlark:expr="'\n'.join([f.path for f in target.files.to_list()])" "$curr_target" 2>/dev/null)

# Copy JAR to artifact-specific dir in ./binaries and remove symbolic links.
file="$bazel_generated"
cp -Lr "$file" "/tmp/bazel_builder_binaries_to_upload/$run_script_name"
cp -Lr "$file" "./bazel_builder_binaries_to_upload_to_gh/$run_script_name"

# Get the path the to run-script associated with the {$curr_target}_deploy.jar
# If the user inputted the path to their local JAVABIN insert that into the run-script to define it.
Expand All @@ -121,7 +121,7 @@ for curr_target in "${!targets_set[@]}"; do
awk -v n=127 -v s='' 'NR == n {print s} {print}' "$run_script_path" > temp_file && mv -f temp_file "$run_script_path"
awk -v n=128 -v s='if [[ -n $USER_JAVA_BIN ]]; then JAVABIN=$USER_JAVA_BIN; fi' 'NR == n {print s} {print}' "$run_script_path" > temp_file && mv -f temp_file "$run_script_path"

cp -L "$run_script_path" "/tmp/bazel_builder_binaries_to_upload/$run_script_name"
cp -L "$run_script_path" "./bazel_builder_binaries_to_upload_to_gh/$run_script_name"

################################################
# #
Expand All @@ -143,20 +143,20 @@ for curr_target in "${!targets_set[@]}"; do
bazel_generated=$(bazel cquery --output=starlark --starlark:expr="'\n'.join([f.path for f in target.files.to_list()])" "$curr_target" 2>/dev/null)

# Create dir for artifact and its runfiles
mkdir "/tmp/bazel_builder_binaries_to_upload/$binary_name"
mkdir "./bazel_builder_binaries_to_upload_to_gh/$binary_name"

# Uses a Starlark expression to pass new line seperated list of file(s) into the set of files
while read -r path_to_artifact; do

# Copy generated artifact from absolute path from bazel cquery
cp -L "$path_to_artifact" "/tmp/bazel_builder_binaries_to_upload/$binary_name"
cp -L "$path_to_artifact" "./bazel_builder_binaries_to_upload_to_gh/$binary_name"

# if runfiles dir exists, copy runfiles into artifact's dir
if [[ -d "${path_to_artifact}.runfiles" ]]
then
path_to_target_runfiles="${path_to_artifact}.runfiles"
cp -Lr "$path_to_target_runfiles" "/tmp/bazel_builder_binaries_to_upload/$binary_name"
cd "/tmp/bazel_builder_binaries_to_upload/$binary_name/$binary_name.runfiles/"
cp -Lr "$path_to_target_runfiles" "./bazel_builder_binaries_to_upload_to_gh/$binary_name"
cd "./bazel_builder_binaries_to_upload_to_gh/$binary_name/$binary_name.runfiles/"

# Unneeded and can contain unwanted symbolic links
rm -rf _main/external
Expand All @@ -179,7 +179,7 @@ for curr_target in "${!targets_set[@]}"; do

# Uses a Starlark expression to pass new line seperated list of file(s) into the set of files
while read -r file; do
cp -L "$file" /tmp/bazel_builder_binaries_to_upload
cp -L "$file" ./bazel_builder_binaries_to_upload_to_gh
done <<< "$bazel_generated"
fi
fi
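Review bot: Replacing the absolute `/tmp/...` destinations with the relative `./bazel_builder_binaries_to_upload_to_gh` makes every copy depend on the current directory, and the `cd` into the `$binary_name.runfiles/` directory in the same loop body changes that directory; unless the loop returns to the original directory before the next iteration (the body continues past the hunk, so I cannot see whether it does), the later `mkdir` and `cp` calls resolve underneath the runfiles tree of the previous target. Resolve the directory once near the top, `upload_dir="${PWD}/bazel_builder_binaries_to_upload_to_gh"` followed by `mkdir -- "$upload_dir"`, and use `"$upload_dir"` in place of the literal, or run the `cd ... && rm -rf _main/external` cleanup in a subshell so the caller's cwd is left alone. Keeping `mkdir` without `-p` is worth preserving now that the directory lives inside the checkout: a pre-existing directory of that name fails hard under `set -e` instead of being silently merged into the upload set.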
4 changes: 2 additions & 2 deletions internal/builders/bazel/generate-layout.sh
Expand Up @@ -19,11 +19,11 @@ set -euo pipefail
# "version" and "attestations" fields:
echo -e -n "{\n \"version\": 1,\n \"attestations\": [" >> "$SLSA_OUTPUTS_ARTIFACTS_FILE"

num_binary_files=$(find /tmp/bazel_builder_binaries_to_upload/ -type f | wc -l)
num_binary_files=$(find ./bazel_builder_binaries_to_upload_to_gh -type f | wc -l)
counter=1

# Add one attestation per binary:
find /tmp/bazel_builder_binaries_to_upload/ -type f -print0 | while read -r -d $'\0' fname
find ./bazel_builder_binaries_to_upload_to_gh -type f -print0 | while read -r -d $'\0' fname
do
bn=$(basename -- "$fname")
hash=$(sha256sum "$fname" | awk '{print $1}')
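Review bot: The new `num_binary_files=` line and the new `find ... -print0` loop walk the same directory with different delimiters: the count is newline-separated `find | wc -l` while the loop is NUL-separated, so a file name containing a newline is counted twice but iterated once, and the `counter`-driven JSON presumably ends up malformed. Count with the same delimiter, `num_binary_files=$(find ./bazel_builder_binaries_to_upload_to_gh -type f -print0 | tr -cd '\000' | wc -c)`. Since the JSON is assembled by string concatenation (visible on the `echo -e -n` line) and `bn` is consumed below the hunk where I cannot see it, it is worth confirming that artifact names are escaped before being written into the layout, especially now that the directory sits inside the checkout rather than `/tmp`.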
