Remove PWD from provenance env (#825)

* Remove PWD from provenance env

Signed-off-by: Ian Lewis <[email protected]>

* fix non-zero length allocation

Signed-off-by: Ian Lewis <[email protected]>

* Fix pre-submits

Signed-off-by: Ian Lewis <[email protected]>

Signed-off-by: Ian Lewis <[email protected]>

.github/workflows/scripts/pre-submit.e2e.go.default.sh

@@ -42,7 +42,7 @@ e2e_verify_predicate_buildConfig_step_env "0" "$ATTESTATION" "[]"
 e2e_verify_predicate_buildConfig_step_workingDir "0" "$ATTESTATION" "$PWD/internal/builders/go/e2e-presubmits"
 
 # Second step is the actual compilation.
-e2e_verify_predicate_buildConfig_step_env "1" "$ATTESTATION" "[\"GOOS=linux\",\"GOARCH=amd64\",\"GO111MODULE=on\",\"CGO_ENABLED=0\", \"PWD=$PWD/internal/builders/go/e2e-presubmits\"]"
+e2e_verify_predicate_buildConfig_step_env "1" "$ATTESTATION" "[\"GOOS=linux\",\"GOARCH=amd64\",\"GO111MODULE=on\",\"CGO_ENABLED=0\"]"
 e2e_verify_predicate_buildConfig_step_workingDir "1" "$ATTESTATION" "$PWD/internal/builders/go/e2e-presubmits"
 
 if [[ -n "$LDFLAGS" ]]; then

internal/builders/go/main_test.go

@@ -45,11 +45,6 @@ func checkWorkingDir(t *testing.T, wd, expected string) {
 func Test_runBuild(t *testing.T) {
 	t.Parallel()
 
-	pwd, err := os.Getwd()
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-
 	tests := []struct {
 		subject    string
 		name       string
@@ -77,7 +72,6 @@ func Test_runBuild(t *testing.T) {
 				"GOARCH=amd64",
 				"GO111MODULE=on",
 				"CGO_ENABLED=0",
-				"PWD=" + pwd,
 			},
 		},
 		{
@@ -95,7 +89,6 @@ func Test_runBuild(t *testing.T) {
 			envs: []string{
 				"GOOS=linux",
 				"GOARCH=amd64",
-				"PWD=" + pwd,
 			},
 		},
 		{
@@ -113,7 +106,6 @@ func Test_runBuild(t *testing.T) {
 			envs: []string{
 				"GOOS=linux",
 				"GOARCH=amd64",
-				"PWD=" + pwd,
 			},
 		},
 		{
@@ -131,7 +123,6 @@ func Test_runBuild(t *testing.T) {
 				"GOARCH=amd64",
 				"GO111MODULE=on",
 				"CGO_ENABLED=0",
-				"PWD=" + pwd,
 			},
 		},
 		{
@@ -149,7 +140,6 @@ func Test_runBuild(t *testing.T) {
 				"GOARCH=amd64",
 				"GO111MODULE=on",
 				"CGO_ENABLED=0",
-				"PWD=" + pwd,
 			},
 		},
 		{
@@ -169,7 +159,6 @@ func Test_runBuild(t *testing.T) {
 				"GOARCH=amd64",
 				"GO111MODULE=on",
 				"CGO_ENABLED=0",
-				"PWD=" + pwd,
 			},
 		},
 		{
@@ -188,7 +177,6 @@ func Test_runBuild(t *testing.T) {
 				"GOARCH=amd64",
 				"GO111MODULE=on",
 				"CGO_ENABLED=0",
-				"PWD=" + pwd,
 			},
 		},
 		{
@@ -207,7 +195,6 @@ func Test_runBuild(t *testing.T) {
 				"GOARCH=amd64",
 				"GO111MODULE=on",
 				"CGO_ENABLED=0",
-				"PWD=" + pwd,
 			},
 		},
 		{
@@ -228,7 +215,6 @@ func Test_runBuild(t *testing.T) {
 				"GOARCH=amd64",
 				"GO111MODULE=on",
 				"CGO_ENABLED=0",
-				"PWD=" + pwd,
 			},
 		},
 		{
@@ -249,7 +235,6 @@ func Test_runBuild(t *testing.T) {
 				"GOARCH=amd64",
 				"GO111MODULE=on",
 				"CGO_ENABLED=0",
-				"PWD=" + filepath.Join(pwd, "./valid/path/"),
 			},
 			workingDir: "./valid/path/",
 		},

internal/runner/runner.go

@@ -103,20 +103,22 @@ func (r *CommandRunner) runStep(ctx context.Context, step *CommandStep, dry bool
 	args := step.Command[1:]
 
 	// Copy and merge the environment.
-	env := make([]string, len(r.Env), len(r.Env)+len(step.Env)+1)
+	env := make([]string, len(r.Env), len(r.Env)+len(step.Env))
 	copy(env, r.Env)
 	env = append(env, step.Env...)
 
 	// Set the POSIX PWD env var.
+	posixEnv := make([]string, len(env), len(env)+1)
+	copy(posixEnv, env)
 	pwd, err := filepath.Abs(step.WorkingDir)
 	if err != nil {
 		return nil, err
 	}
-	env = append(env, "PWD="+pwd)
+	posixEnv = append(posixEnv, "PWD="+pwd)
 
 	cmd := exec.CommandContext(ctx, name, args...)
 	cmd.Dir = pwd
-	cmd.Env = env
+	cmd.Env = posixEnv
 	cmd.Stdout = os.Stdout
 	if r.Stdout != nil {
 		cmd.Stdout = r.Stdout
@@ -138,7 +140,8 @@ func (r *CommandRunner) runStep(ctx context.Context, step *CommandStep, dry bool
 	}
 
 	return &CommandStep{
-		Command:    append([]string{name}, args...),
+		Command: append([]string{name}, args...),
+		// NOTE: We don't actually include POSIX env vars as they are redundant.
 		Env:        env,
 		WorkingDir: pwd,
 	}, nil

internal/runner/runner_test.go

@@ -32,6 +32,7 @@ func TestCommandRunner_StepEnv(t *testing.T) {
 				Command: []string{"bash", "-c", "echo -n $TEST"},
 				// NOTE: this overrides other env var.
 				Env: []string{"TEST=fuga"},
+				// NOTE: WorkingDir default to CWD
 			},
 		},
 		Stdout: out,
@@ -51,7 +52,7 @@ func TestCommandRunner_StepEnv(t *testing.T) {
 		{
 			Command: []string{"bash", "-c", "echo -n $TEST"},
 			// TODO(https://github.com/slsa-framework/slsa-github-generator/issues/782): de-duplicate env.
-			Env:        []string{"TEST=hoge", "TEST=fuga", "PWD=" + pwd},
+			Env:        []string{"TEST=hoge", "TEST=fuga"},
 			WorkingDir: pwd,
 		},
 	})
@@ -73,6 +74,7 @@ func TestCommandRunner_RunnerEnv(t *testing.T) {
 				Command: []string{"bash", "-c", "echo -n $STEP"},
 				// NOTE: this overrides other env var.
 				Env: []string{"STEP=fuga"},
+				// NOTE: WorkingDir default to CWD
 			},
 		},
 		Stdout: out,
@@ -91,7 +93,7 @@ func TestCommandRunner_RunnerEnv(t *testing.T) {
 	diff := cmp.Diff(steps, []*CommandStep{
 		{
 			Command:    []string{"bash", "-c", "echo -n $STEP"},
-			Env:        []string{"RUNNER=hoge", "STEP=fuga", "PWD=" + pwd},
+			Env:        []string{"RUNNER=hoge", "STEP=fuga"},
 			WorkingDir: pwd,
 		},
 	})
@@ -133,12 +135,12 @@ func TestCommandRunner_RunnerMulti(t *testing.T) {
 	diff := cmp.Diff(steps, []*CommandStep{
 		{
 			Command:    []string{"bash", "-c", "echo $STEP1"},
-			Env:        []string{"STEP1=hoge", "PWD=" + pwd},
+			Env:        []string{"STEP1=hoge"},
 			WorkingDir: pwd,
 		},
 		{
 			Command:    []string{"bash", "-c", "echo $STEP2"},
-			Env:        []string{"STEP2=fuga", "PWD=" + pwd},
+			Env:        []string{"STEP2=fuga"},
 			WorkingDir: pwd,
 		},
 	})