From f9125842e53d07dbae5c885131d833f3fa1d64e4 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 24 Jul 2023 19:22:00 +0000 Subject: [PATCH 01/36] update Signed-off-by: laurentsimon --- ...023-08-07-bring-your-own-builder-github.md | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 docs/_posts/2023-08-07-bring-your-own-builder-github.md diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md new file mode 100644 index 000000000..f90e74f3f --- /dev/null +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -0,0 +1,92 @@ +title: "Build your own SLSA 3+ provenance builder on GitHub Actions" +author: "Andres Almiray (JReleaser), Adam Korczynski (AdaLogics), Philip Harrison (GitHub), Laurent Simon (Google)" +is_guest_post: false +--- + +It has been an exciting quarter for supply chain security and SLSA, with the release of the [SLSA v1.0 specification](https://slsa.dev/blog/2023/04/slsa-v1-final), [SLSA provenance support for npm](https://github.blog/2023-04-19-introducing-npm-package-provenance/), and the announcement of new SLSA Level 3 builders for [Node.js](https://slsa.dev/blog/2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem) and [containers](https://slsa.dev/blog/2023/06/slsa-github-worfklows-container-based)! + +SLSA now provides and maintains official builders for [Go](https://slsa.dev/blog/2022/06/slsa-github-workflows), [Node.js](https://slsa.dev/blog/2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem) and [Container](https://slsa.dev/blog/2023/06/slsa-github-worfklows-container-based) based projects, but what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? + +To empower the community to create their own provenance builders and leverage the secure architecture of of the official SLSA builders we are releasing the ["Build Your Own Builder" framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](https://slsa.dev/spec/v1.0/requirements#provenance-generation). 
+ +As a tool or ecosystem maintainer you can focus on enabling your ecosystem to produce SLSA Level 3 provenance attestations without needing to worry about keeping signing keys secure, isolation between builds, and the creation of attestations; all this is handled seamlessly by the framework, using the [same security design principles](https://github.com/slsa-framework/slsa-github-generator/tree/main#specifications) as our existing builders. + +To demonstrate the flexibility of this framework, we are also announcing three SLSA builders created by [community contributors](https://github.com/laurentsimon/slsa-github-generator/blob/feat/hof/README.md#builder-creation) for the Java ecosystems. + +# Build Your Own Builder Framework + +The BYOB framework provides a set of GitHub Actions and workflows that a builder calls to generate provenance. The high-level architecture is depicted in the diagram below. The `builder_workflow.yml` represents the builder being created. The BYOB framework, on the right of the diagram, acts as a dispatcher. + +![BYOB architecture](https://user-images.githubusercontent.com/TODO) + +There are two main steps to using the BYOB framework. First, you initialize the BYOB framework ("Initialize" box on the left). Then you call the framework ("Run" box on the left). Running the framework transfers execution to the BYOB framework which will run the build in an isolated environment and then generate provenance. + +Let's see each of these steps in more detail. + +The snippet below shows how the initialization step is performed: the builder initializes the BYOB framework for the ubuntu-latest runner, with a build Action path "./internal/callback_action" and asks it to attest to its inputs. At runtime, the BYOB framework will isolate the "./internal/callback_action" into an ephemeral VM and run it on an ubuntu-latest runner. The call below returns a so-called "slsa-token" object which can then be used to run the framework itself. 
+ +```yaml +uses: slsa-framework/slsa-github-generator/actions/delegator/setup-generic@v1.8.0 + with: + ... + slsa-runner-label: "ubuntu-latest" + slsa-build-action-path: "./internal/callback_action" + slsa-workflow-inputs: ${{ toJson(inputs) }} +``` + +The second step is to run the BYOB framework with the initialized "slsa-token": + +```yaml +uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.8.0 + with: + slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} + secrets: + secret1: ${{ inputs.password }} + secret2: ${{ inputs.token }} +``` + +When the run completes, the BYOB framework will generate a list of attestations for the artifacts indicated by the builder (more information is available in our [documentation]https://github.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md#generation-of-metadata-layout-file). + +# SLSA Java builders for JReleaser, Maven and Gradle + +To validate the design of the BYOB framework and demonstrate its flexibility, we have partnered with new contributors to create three new builders for the [Java ecosystems](https://github.com/slsa-framework/slsa-github-generator/blob/main/README.md#builder-creation): + +1. A [JReleaser](https://github.com/jreleaser/release-action/tree/java#slsa-builder) Java builder which wraps the existing [GitHub Action for JReleaser](https://github.com/jreleaser/release-action) into SLSA3-compliant builder. The integration was done by [aalmiray@](https://github.com/aalmiray), the maintainer of the [JReleaser](https://jreleaser.org) project. The resulting builder is hosted in the same repository as its original [Action](https://github.com/jreleaser/release-action/blob/java/.github/workflows/builder_slsa3.yml), so that JReleaser users can continue using the repositories they are already accustomed to. + +2. 
A [Maven builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven#readme), contributed by [AdaLogics](https://adalogics.com). This repository is currently hosted in the OpenSSF SLSA repository. + +3. A [Gradle builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle#readme), contributed by [AdaLogics](https://adalogics.com). This repository is currently hosted in the OpenSSF SLSA repository. + +These Java builders can publish provenance attestation on Maven central. Additionally, the JReleaser SLSA builder can provide attestation for artifacts published as GitHub release assets and/or uploaded to cloud storage such as AWS S3. Like other builders released by the SLSA Tooling SIG, the provenance can be verified using the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). + +## Verification for your projects + +Below is an example for verifying provenance generated by the Maven builder: You will need to know the link of the artifact from the platform it has been distributed to. For Java artifacts, this will typically be Maven central, but you can also verify artifacts released on other platforms like Github. 
+ +Maven Central allows you to browse the files of each release, and from there you can find the artifacts along with their provenance files: + +![Maven provenance link](https://user-images.githubusercontent.com/TODO) + +Once you have the link to the artifact, you can verify it as follows: + +```shell +$ export ARTIFACT=test-artifact-0.1.0-jar +$ export ARTIFACT_URL="https://repo1.maven.org/maven2/path/to/${ARTFACT}" +$ export PROVENANCE_URL=”${ARTIFACT_URL}”.build.slsa +$ wget “${ARTIFACT_URL}” && wget “${PROVENANCE_URL}” +$ slsa-verifier verify-artifact "${ARTIFACT}" --provenance-path="${ARTIFACT}.build.slsa" --source-uri github.com/org/repo +``` + +## Verification for your dependencies + +A Java project contains not only the main application code, but also its dependencies consumed as "packages". We can therefore recursively verify each dependency's provenance. To this end, we're releasing an [experimental Maven plugin](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). The plugin resolves all dependencies of a given project and checks if they have provenance attestations along with their releases. When the plugin finds a dependency that has a provenance statement, it verifies it against the dependency. +The plugin automatically performs the verification when configured in the ["pom.xml"](TODO:link to doc). Or it may be run [manually](TODO:link to doc). See our [documentation](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). + +The plugin is still POC, but it demonstrates what's possible with and likely to come from the BYOB Framework. With the framework producing L3 provenance for GitHub Actions users, and the plugin automatically verifying Maven packages, you can build an end-to-end solution for an entire ecosystem. + +## Conclusion +Thanks to the BYOB framework, it's now possible for maintainers of existing GitHub Actions to start producing SLSA Level 3 provenance attestations! 
+ +If you are a maintainer of an existing GitHub Action, try it out by following the [BYOB documentation](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) and don't hesitate to report issues or ask questions on the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator/issues) repository. + +**Special thanks**: Zach Steindler (GitHub), Ian Lewis, Asra Ali, Appu Goundan (Google) for the help landing this feature (design, reviews, implementation, etc)! From 569e06d76ecf8d6c0e37dd3873ec06f65257646e Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 24 Jul 2023 19:27:36 +0000 Subject: [PATCH 02/36] update Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index f90e74f3f..235bdf283 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -17,7 +17,7 @@ To demonstrate the flexibility of this framework, we are also announcing three S The BYOB framework provides a set of GitHub Actions and workflows that a builder calls to generate provenance. The high-level architecture is depicted in the diagram below. The `builder_workflow.yml` represents the builder being created. The BYOB framework, on the right of the diagram, acts as a dispatcher. -![BYOB architecture](https://user-images.githubusercontent.com/TODO) +![BYOB architecture](https://github.com/slsa-framework/slsa/assets/64505099/2e8bc2a1-3a83-4e67-8254-578ecb980d61) There are two main steps to using the BYOB framework. First, you initialize the BYOB framework ("Initialize" box on the left). Then you call the framework ("Run" box on the left). Running the framework transfers execution to the BYOB framework which will run the build in an isolated environment and then generate provenance. @@ -65,7 +65,7 @@ Below is an example for verifying provenance generated by the Maven builder: You Maven Central allows you to browse the files of each release, and from there you can find the artifacts along with their provenance files: -![Maven provenance link](https://user-images.githubusercontent.com/TODO) +![Maven provenance link](https://github.com/slsa-framework/slsa/assets/64505099/14ff1de1-a30c-4683-860c-352dc490c1ef) Once you have the link to the artifact, you can verify it as follows: From 37f4565f8dda4d804a2e2a38fbacb6d676ec7dc0 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 24 Jul 2023 19:30:43 +0000 Subject: [PATCH 03/36] update Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index 235bdf283..ab7f5a1c3 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
+++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -7,7 +7,7 @@ It has been an exciting quarter for supply chain security and SLSA, with the rel SLSA now provides and maintains official builders for [Go](https://slsa.dev/blog/2022/06/slsa-github-workflows), [Node.js](https://slsa.dev/blog/2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem) and [Container](https://slsa.dev/blog/2023/06/slsa-github-worfklows-container-based) based projects, but what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? -To empower the community to create their own provenance builders and leverage the secure architecture of of the official SLSA builders we are releasing the ["Build Your Own Builder" framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](https://slsa.dev/spec/v1.0/requirements#provenance-generation). +To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](https://slsa.dev/spec/v1.0/requirements#provenance-generation). 
As a tool or ecosystem maintainer you can focus on enabling your ecosystem to produce SLSA Level 3 provenance attestations without needing to worry about keeping signing keys secure, isolation between builds, and the creation of attestations; all this is handled seamlessly by the framework, using the [same security design principles](https://github.com/slsa-framework/slsa-github-generator/tree/main#specifications) as our existing builders. @@ -17,7 +17,7 @@ To demonstrate the flexibility of this framework, we are also announcing three S The BYOB framework provides a set of GitHub Actions and workflows that a builder calls to generate provenance. The high-level architecture is depicted in the diagram below. The `builder_workflow.yml` represents the builder being created. The BYOB framework, on the right of the diagram, acts as a dispatcher. -![BYOB architecture](https://github.com/slsa-framework/slsa/assets/64505099/2e8bc2a1-3a83-4e67-8254-578ecb980d61) +![BYOB architecture](https://github.com/slsa-framework/slsa/assets/64505099/51c796e3-754e-4cd8-b2ea-dd8c23662411) There are two main steps to using the BYOB framework. First, you initialize the BYOB framework ("Initialize" box on the left). Then you call the framework ("Run" box on the left). Running the framework transfers execution to the BYOB framework which will run the build in an isolated environment and then generate provenance. From d03953d552d1854f342a68369f50c618e0e250fb Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 24 Jul 2023 19:35:22 +0000 Subject: [PATCH 04/36] update Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index ab7f5a1c3..20ee13224 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -45,7 +45,7 @@ uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_s secret2: ${{ inputs.token }} ``` -When the run completes, the BYOB framework will generate a list of attestations for the artifacts indicated by the builder (more information is available in our [documentation]https://github.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md#generation-of-metadata-layout-file). +When the run completes, the BYOB framework will generate a list of attestations for the artifacts indicated by the builder. More information is available in our [documentation](https://github.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md#generation-of-metadata-layout-file). # SLSA Java builders for JReleaser, Maven and Gradle @@ -72,8 +72,8 @@ Once you have the link to the artifact, you can verify it as follows: ```shell $ export ARTIFACT=test-artifact-0.1.0-jar $ export ARTIFACT_URL="https://repo1.maven.org/maven2/path/to/${ARTFACT}" -$ export PROVENANCE_URL=”${ARTIFACT_URL}”.build.slsa -$ wget “${ARTIFACT_URL}” && wget “${PROVENANCE_URL}” +$ export PROVENANCE_URL="${ARTIFACT_URL}".build.slsa +$ wget "${ARTIFACT_URL}" && wget "${PROVENANCE_URL}" $ slsa-verifier verify-artifact "${ARTIFACT}" --provenance-path="${ARTIFACT}.build.slsa" --source-uri github.com/org/repo ``` From 2d2defe49690fa15703bfae6dbace43b13bdc935 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 24 Jul 2023 19:41:17 +0000 Subject: [PATCH 05/36] update Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index 20ee13224..eb64c8f1f 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -1,3 +1,4 @@ +--- title: "Build your own SLSA 3+ provenance builder on GitHub Actions" author: "Andres Almiray (JReleaser), Adam Korczynski (AdaLogics), Philip Harrison (GitHub), Laurent Simon (Google)" is_guest_post: false From fee5cb60a473feadd6761d722167e9b6a96e97c0 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Tue, 25 Jul 2023 07:32:44 -0700 Subject: [PATCH 06/36] Update docs/_posts/2023-08-07-bring-your-own-builder-github.md Co-authored-by: Mark Lodato Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index eb64c8f1f..bc4a7bea0 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md @@ -71,9 +71,9 @@ Maven Central allows you to browse the files of each release, and from there you Once you have the link to the artifact, you can verify it as follows: ```shell -$ export ARTIFACT=test-artifact-0.1.0-jar -$ export ARTIFACT_URL="https://repo1.maven.org/maven2/path/to/${ARTFACT}" -$ export PROVENANCE_URL="${ARTIFACT_URL}".build.slsa +$ ARTIFACT=test-artifact-0.1.0-jar +$ ARTIFACT_URL="https://repo1.maven.org/maven2/path/to/${ARTFACT}" +$ PROVENANCE_URL="${ARTIFACT_URL}".build.slsa $ wget "${ARTIFACT_URL}" && wget "${PROVENANCE_URL}" $ slsa-verifier verify-artifact "${ARTIFACT}" --provenance-path="${ARTIFACT}.build.slsa" --source-uri github.com/org/repo ``` From 4e9022bcef7838e0c44bc7c38b836f01bbc18678 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Tue, 25 Jul 2023 07:38:01 -0700 Subject: [PATCH 07/36] Update docs/_posts/2023-08-07-bring-your-own-builder-github.md Co-authored-by: Mark Lodato 
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index bc4a7bea0..81cf262d1 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -83,7 +83,7 @@ $ slsa-verifier verify-artifact "${ARTIFACT}" --provenance-path="${ARTIFACT}.bui A Java project contains not only the main application code, but also its dependencies consumed as "packages". We can therefore recursively verify each dependency's provenance. To this end, we're releasing an [experimental Maven plugin](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). The plugin resolves all dependencies of a given project and checks if they have provenance attestations along with their releases. When the plugin finds a dependency that has a provenance statement, it verifies it against the dependency. The plugin automatically performs the verification when configured in the ["pom.xml"](TODO:link to doc). Or it may be run [manually](TODO:link to doc). See our [documentation](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). -The plugin is still POC, but it demonstrates what's possible with and likely to come from the BYOB Framework. With the framework producing L3 provenance for GitHub Actions users, and the plugin automatically verifying Maven packages, you can build an end-to-end solution for an entire ecosystem. +The plugin is still a proof-of-concept, but it demonstrates what's possible with and likely to come from the BYOB Framework. With the framework producing L3 provenance for GitHub Actions users, and the plugin automatically verifying Maven packages, you can build an end-to-end solution for an entire ecosystem. ## Conclusion Thanks to the BYOB framework, it's now possible for maintainers of existing GitHub Actions to start producing SLSA Level 3 provenance attestations! From 8431093f34b09f1c1ec11a15bc56effb0e57fbd8 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Tue, 25 Jul 2023 07:39:11 -0700 Subject: [PATCH 08/36] Update docs/_posts/2023-08-07-bring-your-own-builder-github.md Co-authored-by: Mark Lodato 
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index 81cf262d1..e1590c84c 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md @@ -86,6 +86,7 @@ The plugin automatically performs the verification when configured in the ["pom. The plugin is still a proof-of-concept, but it demonstrates what's possible with and likely to come from the BYOB Framework. With the framework producing L3 provenance for GitHub Actions users, and the plugin automatically verifying Maven packages, you can build an end-to-end solution for an entire ecosystem. ## Conclusion + Thanks to the BYOB framework, it's now possible for maintainers of existing GitHub Actions to start producing SLSA Level 3 provenance attestations! If you are a maintainer of an existing GitHub Action, try it out by following the [BYOB documentation](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) and don't hesitate to report issues or ask questions on the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator/issues) repository. From 768ad9a45c02d14a45cbe35df5e8cd7835915ff8 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 25 Jul 2023 14:46:24 +0000 Subject: [PATCH 09/36] update Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index e1590c84c..242a3f81d 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -14,7 +14,7 @@ As a tool or ecosystem maintainer you can focus on enabling your ecosystem to pr To demonstrate the flexibility of this framework, we are also announcing three SLSA builders created by [community contributors](https://github.com/laurentsimon/slsa-github-generator/blob/feat/hof/README.md#builder-creation) for the Java ecosystems. -# Build Your Own Builder Framework +## Build Your Own Builder Framework The BYOB framework provides a set of GitHub Actions and workflows that a builder calls to generate provenance. The high-level architecture is depicted in the diagram below. The `builder_workflow.yml` represents the builder being created. The BYOB framework, on the right of the diagram, acts as a dispatcher. @@ -48,7 +48,7 @@ uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_s When the run completes, the BYOB framework will generate a list of attestations for the artifacts indicated by the builder. More information is available in our [documentation](https://github.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md#generation-of-metadata-layout-file). -# SLSA Java builders for JReleaser, Maven and Gradle +## SLSA Java builders for JReleaser, Maven and Gradle To validate the design of the BYOB framework and demonstrate its flexibility, we have partnered with new contributors to create three new builders for the [Java ecosystems](https://github.com/slsa-framework/slsa-github-generator/blob/main/README.md#builder-creation): 
@@ -60,7 +60,7 @@ To validate the design of the BYOB framework and demonstrate its flexibility, we These Java builders can publish provenance attestation on Maven central. Additionally, the JReleaser SLSA builder can provide attestation for artifacts published as GitHub release assets and/or uploaded to cloud storage such as AWS S3. Like other builders released by the SLSA Tooling SIG, the provenance can be verified using the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). -## Verification for your projects +### Verification for your projects Below is an example for verifying provenance generated by the Maven builder: You will need to know the link of the artifact from the platform it has been distributed to. For Java artifacts, this will typically be Maven central, but you can also verify artifacts released on other platforms like Github. @@ -78,7 +78,7 @@ $ wget "${ARTIFACT_URL}" && wget "${PROVENANCE_URL}" $ slsa-verifier verify-artifact "${ARTIFACT}" --provenance-path="${ARTIFACT}.build.slsa" --source-uri github.com/org/repo ``` -## Verification for your dependencies +### Verification for your dependencies A Java project contains not only the main application code, but also its dependencies consumed as "packages". We can therefore recursively verify each dependency's provenance. To this end, we're releasing an [experimental Maven plugin](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). The plugin resolves all dependencies of a given project and checks if they have provenance attestations along with their releases. When the plugin finds a dependency that has a provenance statement, it verifies it against the dependency. The plugin automatically performs the verification when configured in the ["pom.xml"](TODO:link to doc). Or it may be run [manually](TODO:link to doc). See our [documentation](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). 
From 0bac9e235752b2da705cb770748bd610eee87129 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Tue, 25 Jul 2023 10:43:23 -0700 Subject: [PATCH 10/36] Update docs/_posts/2023-08-07-bring-your-own-builder-github.md Co-authored-by: Mark Lodato Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index 242a3f81d..3ea817134 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -4,7 +4,7 @@ author: "Andres Almiray (JReleaser), Adam Korczynski (AdaLogics), Philip Harriso is_guest_post: false --- -It has been an exciting quarter for supply chain security and SLSA, with the release of the [SLSA v1.0 specification](https://slsa.dev/blog/2023/04/slsa-v1-final), [SLSA provenance support for npm](https://github.blog/2023-04-19-introducing-npm-package-provenance/), and the announcement of new SLSA Level 3 builders for [Node.js](https://slsa.dev/blog/2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem) and [containers](https://slsa.dev/blog/2023/06/slsa-github-worfklows-container-based)! +It has been an exciting quarter for supply chain security and SLSA, with the release of the [SLSA v1.0 specification](2023-04-19-slsa-v1-final.md), [SLSA provenance support for npm](https://github.blog/2023-04-19-introducing-npm-package-provenance/), and the announcement of new SLSA Level 3 builders for [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [containers](2023-06-13-slsa-github-worfklows-container-based.md)! SLSA now provides and maintains official builders for [Go](https://slsa.dev/blog/2022/06/slsa-github-workflows), [Node.js](https://slsa.dev/blog/2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem) and [Container](https://slsa.dev/blog/2023/06/slsa-github-worfklows-container-based) based projects, but what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? From 38f1c4862791954becfd59d8ee555a38c500812c Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 25 Jul 2023 21:33:50 +0000 Subject: [PATCH 11/36] update Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index 3ea817134..b7ca3ec64 100644 
--- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md @@ -6,7 +6,7 @@ is_guest_post: false It has been an exciting quarter for supply chain security and SLSA, with the release of the [SLSA v1.0 specification](2023-04-19-slsa-v1-final.md), [SLSA provenance support for npm](https://github.blog/2023-04-19-introducing-npm-package-provenance/), and the announcement of new SLSA Level 3 builders for [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [containers](2023-06-13-slsa-github-worfklows-container-based.md)! -SLSA now provides and maintains official builders for [Go](https://slsa.dev/blog/2022/06/slsa-github-workflows), [Node.js](https://slsa.dev/blog/2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem) and [Container](https://slsa.dev/blog/2023/06/slsa-github-worfklows-container-based) based projects, but what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? +SLSA now provides and maintains official builders for [Go](2022/06/slsa-github-workflows), [Node.js](2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem) and [Container](2023/06/slsa-github-worfklows-container-based) based projects, but what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](https://slsa.dev/spec/v1.0/requirements#provenance-generation). 
From 5794e69cedba5211685751cb332f94b3c22cfe27 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 26 Jul 2023 21:12:19 +0000 Subject: [PATCH 12/36] explain BYOB benefits Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index b7ca3ec64..ec26dff3e 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -6,11 +6,12 @@ is_guest_post: false It has been an exciting quarter for supply chain security and SLSA, with the release of the [SLSA v1.0 specification](2023-04-19-slsa-v1-final.md), [SLSA provenance support for npm](https://github.blog/2023-04-19-introducing-npm-package-provenance/), and the announcement of new SLSA Level 3 builders for [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [containers](2023-06-13-slsa-github-worfklows-container-based.md)! -SLSA now provides and maintains official builders for [Go](2022/06/slsa-github-workflows), [Node.js](2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem) and [Container](2023/06/slsa-github-worfklows-container-based) based projects, but what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? +SLSA now provides and maintains official builders for [Go](2022/06/slsa-github-workflows), [Node.js](2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem) and [Container](2023/06/slsa-github-worfklows-container-based) based projects. +But what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](https://slsa.dev/spec/v1.0/requirements#provenance-generation). 
-As a tool or ecosystem maintainer you can focus on enabling your ecosystem to produce SLSA Level 3 provenance attestations without needing to worry about keeping signing keys secure, isolation between builds, and the creation of attestations; all this is handled seamlessly by the framework, using the [same security design principles](https://github.com/slsa-framework/slsa-github-generator/tree/main#specifications) as our existing builders. +Writing a builder from scratch is a tedious multi-month effort. The BYOB framework streamlines this process by cutting the development time down to a few days. As a builder writer, you need not worry about keeping signing keys secure, isolation between builds, the creation of attestations; all this is handled seamlessly by the framework, using the [same security design principles](https://github.com/slsa-framework/slsa-github-generator/tree/main#specifications) as our existing builders. To demonstrate the flexibility of this framework, we are also announcing three SLSA builders created by [community contributors](https://github.com/laurentsimon/slsa-github-generator/blob/feat/hof/README.md#builder-creation) for the Java ecosystems. From ae30e015a283daf04eec96a87d93e761cd89f06e Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 26 Jul 2023 21:13:22 +0000 Subject: [PATCH 13/36] update Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index ec26dff3e..4fac4487c 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
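Review bot: the new paragraph trades the concrete list of what the framework takes care of for two unsupported figures ("a tedious multi-month effort", "a few days"); either back them with a reference, for example the time the three Java builders announced below took to integrate, or soften to a qualitative claim. The unchanged context line still links "community contributors" to a personal fork branch (`laurentsimon/slsa-github-generator/blob/feat/hof/README.md`), which will break once that branch is merged; point it at the main `slsa-framework/slsa-github-generator` README instead.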
@@ -11,7 +11,7 @@ But what if you don't use any of these languages or use custom tooling that isn' To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](https://slsa.dev/spec/v1.0/requirements#provenance-generation). -Writing a builder from scratch is a tedious multi-month effort. The BYOB framework streamlines this process by cutting the development time down to a few days. As a builder writer, you need not worry about keeping signing keys secure, isolation between builds, the creation of attestations; all this is handled seamlessly by the framework, using the [same security design principles](https://github.com/slsa-framework/slsa-github-generator/tree/main#specifications) as our existing builders. +Writing a builder from scratch is a tedious multi-month effort. The BYOB framework streamlines this process and cuts the development time down to a few days. As a builder writer, you need not worry about keeping signing keys secure, isolation between builds, the creation of attestations; all this is handled seamlessly by the framework, using the [same security design principles](https://github.com/slsa-framework/slsa-github-generator/tree/main#specifications) as our existing builders. To demonstrate the flexibility of this framework, we are also announcing three SLSA builders created by [community contributors](https://github.com/laurentsimon/slsa-github-generator/blob/feat/hof/README.md#builder-creation) for the Java ecosystems. From 6571787f4f9b42f8559284352ffa4e891bc22e87 Mon Sep 17 00:00:00 2001 
From: laurentsimon Date: Wed, 26 Jul 2023 21:26:58 +0000 Subject: [PATCH 14/36] update Signed-off-by: laurentsimon --- .../2023-08-07-bring-your-own-builder-github.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index 4fac4487c..f4516abd9 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -17,11 +17,18 @@ To demonstrate the flexibility of this framework, we are also announcing three S ## Build Your Own Builder Framework -The BYOB framework provides a set of GitHub Actions and workflows that a builder calls to generate provenance. The high-level architecture is depicted in the diagram below. The `builder_workflow.yml` represents the builder being created. The BYOB framework, on the right of the diagram, acts as a dispatcher. +The BYOB framework benefits both GitHub Action maintainers and GitHub Action users: + +1. For a Action maintainers, it makes it easy to meet the [SLSA Build L3](https://slsa.dev/spec/v1.0/levels#build-l3). +1. For Action users, it makes it easy to adopt SLSA by trusting the BYOB project and the Action code - without worrying about which machine runs the Action. + +The BYOB framework provides a set of GitHub Actions and workflows that helps builder writers generate provenance. + +The high-level architecture is depicted in the diagram below. The `builder_workflow.yml` represents the builder being created. The BYOB framework, on the right of the diagram, acts as an orchestrator. ![BYOB architecture](https://github.com/slsa-framework/slsa/assets/64505099/51c796e3-754e-4cd8-b2ea-dd8c23662411) -There are two main steps to using the BYOB framework. First, you initialize the BYOB framework ("Initialize" box on the left). Then you call the framework ("Run" box on the left). Running the framework transfers execution to the BYOB framework which will run the build in an isolated environment and then generate provenance. +There are two main steps to using the BYOB framework. First, the builder (`builder_workflow.yml`) initializes the BYOB framework ("Initialize" box on the left). Then you call the framework ("Run" box on the left). Running the framework transfers execution to the BYOB framework which will run the build in an isolated environment and then generate provenance. Let's see each of these steps in more detail. 
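Review bot: the first list item has a typo ("For a Action maintainers"), and the rewritten "two main steps" sentence changes subject half-way (the builder initializes the framework, then "you" call it); use "it calls" so both steps refer to `builder_workflow.yml`. Both items are numbered `1.`, which Markdown renders correctly but reads oddly in the source. The second item's "trusting the BYOB project and the Action code" is the right trust statement; consider spelling out that the framework isolates and attests the build but does not vet the Action code itself, since that is the part an Action user still has to review.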
From ccf52608b2691dc757a11d7e9c63d432deae4bd9 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 26 Jul 2023 21:28:10 +0000 Subject: [PATCH 15/36] update Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index f4516abd9..91df0dc47 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md @@ -19,7 +19,7 @@ To demonstrate the flexibility of this framework, we are also announcing three S The BYOB framework benefits both GitHub Action maintainers and GitHub Action users: -1. For a Action maintainers, it makes it easy to meet the [SLSA Build L3](https://slsa.dev/spec/v1.0/levels#build-l3). +1. For Action maintainers, it makes it easy to meet the [SLSA Build L3](https://slsa.dev/spec/v1.0/levels#build-l3). 1. For Action users, it makes it easy to adopt SLSA by trusting the BYOB project and the Action code - without worrying about which machine runs the Action. The BYOB framework provides a set of GitHub Actions and workflows that helps builder writers generate provenance. From f4d7756cced9b8fa3daac468faad981699ca6eee Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 26 Jul 2023 21:28:53 +0000 Subject: [PATCH 16/36] update Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index 91df0dc47..1c0b366e6 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -28,7 +28,7 @@ The high-level architecture is depicted in the diagram below. The `builder_workf ![BYOB architecture](https://github.com/slsa-framework/slsa/assets/64505099/51c796e3-754e-4cd8-b2ea-dd8c23662411) -There are two main steps to using the BYOB framework. First, the builder (`builder_workflow.yml`) initializes the BYOB framework ("Initialize" box on the left). Then you call the framework ("Run" box on the left). Running the framework transfers execution to the BYOB framework which will run the build in an isolated environment and then generate provenance. +There are two main steps to using the BYOB framework. First, the builder (`builder_workflow.yml`) initializes the BYOB framework ("Initialize" box on the left). Then it calls the framework ("Run" box on the left). Running the framework transfers execution to the BYOB framework which will run the build in an isolated environment and then generate provenance. Let's see each of these steps in more detail. From 3f6a1ad55689cfe3e150c7876ede16350d4444d0 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 28 Jul 2023 15:25:33 +0000 Subject: [PATCH 17/36] update Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index 1c0b366e6..eb84da5c1 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -60,17 +60,17 @@ When the run completes, the BYOB framework will generate a list of attestations To validate the design of the BYOB framework and demonstrate its flexibility, we have partnered with new contributors to create three new builders for the [Java ecosystems](https://github.com/slsa-framework/slsa-github-generator/blob/main/README.md#builder-creation): -1. A [JReleaser](https://github.com/jreleaser/release-action/tree/java#slsa-builder) Java builder which wraps the existing [GitHub Action for JReleaser](https://github.com/jreleaser/release-action) into SLSA3-compliant builder. The integration was done by [aalmiray@](https://github.com/aalmiray), the maintainer of the [JReleaser](https://jreleaser.org) project. The resulting builder is hosted in the same repository as its original [Action](https://github.com/jreleaser/release-action/blob/java/.github/workflows/builder_slsa3.yml), so that JReleaser users can continue using the repositories they are already accustomed to. +1. A [JReleaser](https://github.com/jreleaser/release-action/tree/java#slsa-builder) Java builder which wraps the existing [GitHub Action for JReleaser](https://github.com/jreleaser/release-action) into a SLSA3-compliant builder. The integration was done by [aalmiray@](https://github.com/aalmiray), the maintainer of the [JReleaser](https://jreleaser.org) project. The resulting builder is hosted in the same repository as its original [Action](https://github.com/jreleaser/release-action/blob/java/.github/workflows/builder_slsa3.yml), so that JReleaser users can continue using the repositories they are already accustomed to. -2. A [Maven builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven#readme), contributed by [AdaLogics](https://adalogics.com). This repository is currently hosted in the OpenSSF SLSA repository. +2. 
A [Maven builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven#readme), contributed by [AdaLogics](https://adalogics.com). This builder is currently hosted in the OpenSSF SLSA repository. -3. A [Gradle builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle#readme), contributed by [AdaLogics](https://adalogics.com). This repository is currently hosted in the OpenSSF SLSA repository. +3. A [Gradle builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle#readme), contributed by [AdaLogics](https://adalogics.com). This builder is currently hosted in the OpenSSF SLSA repository. These Java builders can publish provenance attestation on Maven central. Additionally, the JReleaser SLSA builder can provide attestation for artifacts published as GitHub release assets and/or uploaded to cloud storage such as AWS S3. Like other builders released by the SLSA Tooling SIG, the provenance can be verified using the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). ### Verification for your projects -Below is an example for verifying provenance generated by the Maven builder: You will need to know the link of the artifact from the platform it has been distributed to. For Java artifacts, this will typically be Maven central, but you can also verify artifacts released on other platforms like Github. +Below is an example for verifying provenance generated by the Maven builder: You will need to know the link of the artifact from the platform it has been distributed to. For Java artifacts, this will typically be Maven central, but you can also verify artifacts released on other platforms like Github. Maven Central allows you to browse the files of each release, and from there you can find the artifacts along with their provenance files: From ca0e08e895fa61bec79b3eb8908cece5950a0da7 Mon Sep 17 00:00:00 2001 
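Review bot: the "Below is an example for verifying provenance generated by the Maven builder" line shows no visible difference between the removed and added versions, so it is a whitespace-only edit that the commit message ("update") does not explain. While that paragraph is being touched, "Github" should be "GitHub" and "Maven central" should be "Maven Central" (the following context line already capitalises it), and "example for verifying" reads better as "example of verifying".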
From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Fri, 28 Jul 2023 08:30:05 -0700 Subject: [PATCH 18/36] Update docs/_posts/2023-08-07-bring-your-own-builder-github.md Co-authored-by: Philip Harrison Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index eb84da5c1..fdc05042d 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md @@ -22,7 +22,7 @@ The BYOB framework benefits both GitHub Action maintainers and GitHub Action use 1. For Action maintainers, it makes it easy to meet the [SLSA Build L3](https://slsa.dev/spec/v1.0/levels#build-l3). 1. For Action users, it makes it easy to adopt SLSA by trusting the BYOB project and the Action code - without worrying about which machine runs the Action. -The BYOB framework provides a set of GitHub Actions and workflows that helps builder writers generate provenance. +The BYOB framework provides a set of GitHub Actions and workflows that helps builder authors generate provenance. The high-level architecture is depicted in the diagram below. The `builder_workflow.yml` represents the builder being created. The BYOB framework, on the right of the diagram, acts as an orchestrator. From a8ce2c8c1841eee8f5a8b90baaccc8cfb1b4a0a9 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Fri, 28 Jul 2023 08:30:32 -0700 Subject: [PATCH 19/36] Update docs/_posts/2023-08-07-bring-your-own-builder-github.md Co-authored-by: Philip Harrison Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index fdc05042d..99d5be539 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md @@ -89,6 +89,7 @@ $ slsa-verifier verify-artifact "${ARTIFACT}" --provenance-path="${ARTIFACT}.bui ### Verification for your dependencies A Java project contains not only the main application code, but also its dependencies consumed as "packages". We can therefore recursively verify each dependency's provenance. To this end, we're releasing an [experimental Maven plugin](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). The plugin resolves all dependencies of a given project and checks if they have provenance attestations along with their releases. When the plugin finds a dependency that has a provenance statement, it verifies it against the dependency. + The plugin automatically performs the verification when configured in the ["pom.xml"](TODO:link to doc). Or it may be run [manually](TODO:link to doc). See our [documentation](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). The plugin is still a proof-of-concept, but it demonstrates what's possible with and likely to come from the BYOB Framework. With the framework producing L3 provenance for GitHub Actions users, and the plugin automatically verifying Maven packages, you can build an end-to-end solution for an entire ecosystem. From 50045878d5ca380ac3329d28c6ea94d4d2b3956c Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Fri, 28 Jul 2023 08:30:43 -0700 Subject: [PATCH 20/36] Update docs/_posts/2023-08-07-bring-your-own-builder-github.md Co-authored-by: Philip Harrison 
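Review bot: the context lines around the added blank line still carry placeholder link targets, `["pom.xml"](TODO:link to doc)` and `[manually](TODO:link to doc)`, which render as broken links; they need real targets before the post is published. The same paragraph says the plugin "verifies it against the dependency" but not what happens when verification fails (fail the build or only warn), which is what decides whether the plugin is a control or a report; one sentence on that would help.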
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index 99d5be539..e520cfb68 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md @@ -19,7 +19,7 @@ To demonstrate the flexibility of this framework, we are also announcing three S The BYOB framework benefits both GitHub Action maintainers and GitHub Action users: -1. For Action maintainers, it makes it easy to meet the [SLSA Build L3](https://slsa.dev/spec/v1.0/levels#build-l3). +1. For Action maintainers, it makes it easy to meet the [SLSA Build L3](https://slsa.dev/spec/v1.0/levels#build-l3) requirements. 1. For Action users, it makes it easy to adopt SLSA by trusting the BYOB project and the Action code - without worrying about which machine runs the Action. The BYOB framework provides a set of GitHub Actions and workflows that helps builder authors generate provenance. From 5020a2186a796b3386b2d67eced29df3a195f637 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Fri, 28 Jul 2023 08:30:54 -0700 Subject: [PATCH 21/36] Update docs/_posts/2023-08-07-bring-your-own-builder-github.md Co-authored-by: Philip Harrison Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index e520cfb68..06ef58732 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -11,7 +11,7 @@ But what if you don't use any of these languages or use custom tooling that isn' To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](https://slsa.dev/spec/v1.0/requirements#provenance-generation). -Writing a builder from scratch is a tedious multi-month effort. The BYOB framework streamlines this process and cuts the development time down to a few days. As a builder writer, you need not worry about keeping signing keys secure, isolation between builds, the creation of attestations; all this is handled seamlessly by the framework, using the [same security design principles](https://github.com/slsa-framework/slsa-github-generator/tree/main#specifications) as our existing builders. +Writing a builder from scratch is a tedious multi-month effort. The BYOB framework streamlines this process and cuts the development time down to a few days. As a builder author, you don't need to worry about keeping signing keys secure, isolation between builds, the creation of attestations; all this is handled seamlessly by the framework, using the [same security design principles](https://github.com/slsa-framework/slsa-github-generator/tree/main#specifications) as our existing builders. To demonstrate the flexibility of this framework, we are also announcing three SLSA builders created by [community contributors](https://github.com/laurentsimon/slsa-github-generator/blob/feat/hof/README.md#builder-creation) for the Java ecosystems. From 8968614118cdf0e67ab5551e2f2d0972c62ccca1 Mon Sep 17 00:00:00 2001 
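Review bot: the rewritten sentence's list still has no conjunction and no parallel structure ("keeping signing keys secure, isolation between builds, the creation of attestations;"); suggest "keeping signing keys secure, isolating builds from one another, or creating attestations". The semicolon before "all this is handled" should be a colon or a full stop.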
From: laurentsimon Date: Tue, 1 Aug 2023 17:21:51 +0000 Subject: [PATCH 22/36] Fix dollar sign Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index 06ef58732..dee206c53 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md @@ -40,7 +40,7 @@ uses: slsa-framework/slsa-github-generator/actions/delegator/setup-generic@v1.8. ... slsa-runner-label: "ubuntu-latest" slsa-build-action-path: "./internal/callback_action" - slsa-workflow-inputs: ${{ toJson(inputs) }} + slsa-workflow-inputs: {% raw %} ${{ toJson(inputs) }} {% endraw %} ``` The second step is to run the BYOB framework with the initialized "slsa-token": @@ -48,10 +48,10 @@ The second step is to run the BYOB framework with the initialized "slsa-token": ```yaml uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.8.0 with: - slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} + slsa-token: {% raw %} ${{ needs.slsa-setup.outputs.slsa-token }} {% endraw %} secrets: - secret1: ${{ inputs.password }} - secret2: ${{ inputs.token }} + secret1: {% raw %} ${{ inputs.password }} {% endraw %} + secret2: {% raw %} ${{ inputs.token }} {% endraw %} ``` When the run completes, the BYOB framework will generate a list of attestations for the artifacts indicated by the builder. More information is available in our [documentation](https://github.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md#generation-of-metadata-layout-file). From 04f90f8f664472734257b10e6d5b35ace9f04546 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 1 Aug 2023 17:31:19 +0000 Subject: [PATCH 23/36] Fix dollar sign 
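Review bot: in the first hunk (`slsa-workflow-inputs`), the `{% raw %} ${{ toJson(inputs) }} {% endraw %}` wrapping leaves a space on each side of the expression, so once Liquid strips the tags the rendered YAML value carries leading and trailing spaces; put the tags flush against the expression (`{% raw %}${{ toJson(inputs) }}{% endraw %}`).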
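Review bot: in the second hunk, `secret1: ${{ inputs.password }}` and `secret2: ${{ inputs.token }}` feed the `secrets:` block from workflow inputs rather than the `secrets` context; inputs are not masked in job logs the way secrets are, so if `builder_workflow.yml` receives these values through its own `secrets:` block (the usual pattern for a reusable workflow) the expressions should read `${{ secrets.password }}` and `${{ secrets.token }}`, and if the inputs form is deliberate for the example, a comment saying so would keep readers from copying it. The same stray spaces inside the `{% raw %}` tags apply to all three wrapped values here.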
Signed-off-by: laurentsimon --- ...023-08-07-bring-your-own-builder-github.md | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index dee206c53..ffc4e9889 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md @@ -4,7 +4,7 @@ author: "Andres Almiray (JReleaser), Adam Korczynski (AdaLogics), Philip Harriso is_guest_post: false --- -It has been an exciting quarter for supply chain security and SLSA, with the release of the [SLSA v1.0 specification](2023-04-19-slsa-v1-final.md), [SLSA provenance support for npm](https://github.blog/2023-04-19-introducing-npm-package-provenance/), and the announcement of new SLSA Level 3 builders for [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [containers](2023-06-13-slsa-github-worfklows-container-based.md)! +It has been an exciting quarter for supply chain security and SLSA, with the release of the [SLSA v1.0 specification](2023-04-19-slsa-v1-final.md), [SLSA provenance support for npm](https://github.blog/2023-04-19-introducing-npm-package-provenance/), and the announcement of new SLSA Level 3 builders for [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [containers](2023-06-13-slsa-github-worfklows-container-based.md)! SLSA now provides and maintains official builders for [Go](2022/06/slsa-github-workflows), [Node.js](2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem) and [Container](2023/06/slsa-github-worfklows-container-based) based projects. But what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? 
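Review bot: this hunk shows no visible difference between the removed and added line, so it is a whitespace-only change bundled into a commit titled "Fix dollar sign"; either drop it from this commit or mention the trailing-whitespace cleanup in the message so reviewers do not search for a content change.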
@@ -19,12 +19,12 @@ To demonstrate the flexibility of this framework, we are also announcing three S The BYOB framework benefits both GitHub Action maintainers and GitHub Action users: -1. For Action maintainers, it makes it easy to meet the [SLSA Build L3](https://slsa.dev/spec/v1.0/levels#build-l3) requirements. -1. For Action users, it makes it easy to adopt SLSA by trusting the BYOB project and the Action code - without worrying about which machine runs the Action. +1. For Action maintainers, it makes it easy to meet the [SLSA Build L3](https://slsa.dev/spec/v1.0/levels#build-l3) requirements. +2. For Action users, it makes it easy to adopt SLSA by trusting the BYOB project and the Action code - without worrying about which machine runs the Action. The BYOB framework provides a set of GitHub Actions and workflows that helps builder authors generate provenance. -The high-level architecture is depicted in the diagram below. The `builder_workflow.yml` represents the builder being created. The BYOB framework, on the right of the diagram, acts as an orchestrator. +The high-level architecture is depicted in the diagram below. The `builder_workflow.yml` represents the builder being created. The BYOB framework, on the right of the diagram, acts as an orchestrator. ![BYOB architecture](https://github.com/slsa-framework/slsa/assets/64505099/51c796e3-754e-4cd8-b2ea-dd8c23662411) @@ -40,7 +40,7 @@ uses: slsa-framework/slsa-github-generator/actions/delegator/setup-generic@v1.8. ... slsa-runner-label: "ubuntu-latest" slsa-build-action-path: "./internal/callback_action" - slsa-workflow-inputs: {% raw %} ${{ toJson(inputs) }} {% endraw %} + slsa-workflow-inputs: {% raw %}${{ toJson(inputs) }}{% endraw %} ``` The second step is to run the BYOB framework with the initialized "slsa-token": 
@@ -48,10 +48,10 @@ The second step is to run the BYOB framework with the initialized "slsa-token": ```yaml uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.8.0 with: - slsa-token: {% raw %} ${{ needs.slsa-setup.outputs.slsa-token }} {% endraw %} + slsa-token: {% raw %}${{ needs.slsa-setup.outputs.slsa-token }}{% endraw %} secrets: - secret1: {% raw %} ${{ inputs.password }} {% endraw %} - secret2: {% raw %} ${{ inputs.token }} {% endraw %} + secret1: {% raw %}${{ inputs.password }}{% endraw %} + secret2: {% raw %}${{ inputs.token }}{% endraw %} ``` When the run completes, the BYOB framework will generate a list of attestations for the artifacts indicated by the builder. More information is available in our [documentation](https://github.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md#generation-of-metadata-layout-file). 
@@ -60,11 +60,11 @@ When the run completes, the BYOB framework will generate a list of attestations To validate the design of the BYOB framework and demonstrate its flexibility, we have partnered with new contributors to create three new builders for the [Java ecosystems](https://github.com/slsa-framework/slsa-github-generator/blob/main/README.md#builder-creation): -1. A [JReleaser](https://github.com/jreleaser/release-action/tree/java#slsa-builder) Java builder which wraps the existing [GitHub Action for JReleaser](https://github.com/jreleaser/release-action) into a SLSA3-compliant builder. The integration was done by [aalmiray@](https://github.com/aalmiray), the maintainer of the [JReleaser](https://jreleaser.org) project. The resulting builder is hosted in the same repository as its original [Action](https://github.com/jreleaser/release-action/blob/java/.github/workflows/builder_slsa3.yml), so that JReleaser users can continue using the repositories they are already accustomed to. +1. A [JReleaser](https://github.com/jreleaser/release-action/tree/java#slsa-builder) Java builder which wraps the existing [GitHub Action for JReleaser](https://github.com/jreleaser/release-action) into a SLSA3-compliant builder. The integration was done by [aalmiray@](https://github.com/aalmiray), the maintainer of the [JReleaser](https://jreleaser.org) project. The resulting builder is hosted in the same repository as its original [Action](https://github.com/jreleaser/release-action/blob/java/.github/workflows/builder_slsa3.yml), so that JReleaser users can continue using the repositories they are already accustomed to. -2. A [Maven builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven#readme), contributed by [AdaLogics](https://adalogics.com). This builder is currently hosted in the OpenSSF SLSA repository. +2. 
A [Maven builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven#readme), contributed by [AdaLogics](https://adalogics.com). This builder is currently hosted in the OpenSSF SLSA repository. -3. A [Gradle builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle#readme), contributed by [AdaLogics](https://adalogics.com). This builder is currently hosted in the OpenSSF SLSA repository. +3. A [Gradle builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle#readme), contributed by [AdaLogics](https://adalogics.com). This builder is currently hosted in the OpenSSF SLSA repository. These Java builders can publish provenance attestation on Maven central. Additionally, the JReleaser SLSA builder can provide attestation for artifacts published as GitHub release assets and/or uploaded to cloud storage such as AWS S3. Like other builders released by the SLSA Tooling SIG, the provenance can be verified using the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). 
@@ -79,25 +79,25 @@ Maven Central allows you to browse the files of each release, and from there you Once you have the link to the artifact, you can verify it as follows: ```shell -$ ARTIFACT=test-artifact-0.1.0-jar -$ ARTIFACT_URL="https://repo1.maven.org/maven2/path/to/${ARTFACT}" -$ PROVENANCE_URL="${ARTIFACT_URL}".build.slsa -$ wget "${ARTIFACT_URL}" && wget "${PROVENANCE_URL}" -$ slsa-verifier verify-artifact "${ARTIFACT}" --provenance-path="${ARTIFACT}.build.slsa" --source-uri github.com/org/repo +ARTIFACT=test-artifact-0.1.0-jar +ARTIFACT_URL="https://repo1.maven.org/maven2/path/to/${ARTFACT}" +PROVENANCE_URL="${ARTIFACT_URL}".build.slsa +wget "${ARTIFACT_URL}" && wget "${PROVENANCE_URL}" +slsa-verifier verify-artifact "${ARTIFACT}" --provenance-path="${ARTIFACT}.build.slsa" --source-uri github.com/org/repo ``` ### Verification for your dependencies A Java project contains not only the main application code, but also its dependencies consumed as "packages". We can therefore recursively verify each dependency's provenance. To this end, we're releasing an [experimental Maven plugin](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). The plugin resolves all dependencies of a given project and checks if they have provenance attestations along with their releases. When the plugin finds a dependency that has a provenance statement, it verifies it against the dependency. -The plugin automatically performs the verification when configured in the ["pom.xml"](TODO:link to doc). Or it may be run [manually](TODO:link to doc). See our [documentation](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). +The plugin automatically performs the verification when configured in the ["pom.xml"](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin#integrating-it-into-your-maven-build-cycle). 
Or it may be run [manually](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin#using-the-maven-verification-plugin). See our [documentation](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). The plugin is still a proof-of-concept, but it demonstrates what's possible with and likely to come from the BYOB Framework. With the framework producing L3 provenance for GitHub Actions users, and the plugin automatically verifying Maven packages, you can build an end-to-end solution for an entire ecosystem. ## Conclusion -Thanks to the BYOB framework, it's now possible for maintainers of existing GitHub Actions to start producing SLSA Level 3 provenance attestations! +Thanks to the BYOB framework, it's now possible for maintainers of existing GitHub Actions to start producing SLSA Level 3 provenance attestations! -If you are a maintainer of an existing GitHub Action, try it out by following the [BYOB documentation](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) and don't hesitate to report issues or ask questions on the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator/issues) repository. +If you are a maintainer of an existing GitHub Action, try it out by following the [BYOB documentation](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) and don't hesitate to report issues or ask questions on the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator/issues) repository. **Special thanks**: Zach Steindler (GitHub), Ian Lewis, Asra Ali, Appu Goundan (Google) for the help landing this feature (design, reviews, implementation, etc)! From 9ab12f99994a4c2bea78d6605acebe7ab3dc86d7 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 1 Aug 2023 17:34:42 +0000 Subject: [PATCH 24/36] Remove slsa.dev from links 
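Review bot: the three numbered items in hunk `@@ -60,11 +60,11 @@` are removed and re-added with byte-identical text, so the change is whitespace-only (trailing spaces or line endings); if that cleanup is intended, say so in the commit message, otherwise drop these lines from the diff. The unchanged line just below ("publish provenance attestation on Maven central") also spells the repository name differently from "Maven Central" in the following hunk; pick one spelling.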
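Review bot: the line `+ARTIFACT_URL="https://repo1.maven.org/maven2/path/to/${ARTFACT}"` in hunk `@@ -79,25 +79,25 @@` still expands `ARTFACT`, which is never set (the variable defined on the previous line is `ARTIFACT`), so the URL ends in `path/to/` and both `wget` calls fetch the wrong object; change it to `${ARTIFACT}` and consider `set -u` (or `${ARTIFACT:?}`) so an unset name aborts instead of silently yielding a bad URL. The value `test-artifact-0.1.0-jar` also looks like it should end in `.jar`; please confirm. In the dependency paragraph of the same hunk, state what the plugin does when a dependency has no provenance attestation at all (skip or fail), since that decides whether the check can be enforced as a build gate rather than only reporting on dependencies that happen to ship provenance.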
Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index ffc4e9889..ff7a314b2 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -9,7 +9,7 @@ It has been an exciting quarter for supply chain security and SLSA, with the rel SLSA now provides and maintains official builders for [Go](2022/06/slsa-github-workflows), [Node.js](2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem) and [Container](2023/06/slsa-github-worfklows-container-based) based projects. But what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? -To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](https://slsa.dev/spec/v1.0/requirements#provenance-generation). +To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](/spec/v1.0/requirements#provenance-generation). Writing a builder from scratch is a tedious multi-month effort. The BYOB framework streamlines this process and cuts the development time down to a few days. As a builder author, you don't need to worry about keeping signing keys secure, isolation between builds, the creation of attestations; all this is handled seamlessly by the framework, using the [same security design principles](https://github.com/slsa-framework/slsa-github-generator/tree/main#specifications) as our existing builders. 
@@ -19,7 +19,7 @@ To demonstrate the flexibility of this framework, we are also announcing three S The BYOB framework benefits both GitHub Action maintainers and GitHub Action users: -1. For Action maintainers, it makes it easy to meet the [SLSA Build L3](https://slsa.dev/spec/v1.0/levels#build-l3) requirements. +1. For Action maintainers, it makes it easy to meet the [SLSA Build L3](/spec/v1.0/levels#build-l3) requirements. 2. For Action users, it makes it easy to adopt SLSA by trusting the BYOB project and the Action code - without worrying about which machine runs the Action. The BYOB framework provides a set of GitHub Actions and workflows that helps builder authors generate provenance. From 63d12b8d5990c45c4497a15dffffbed6192366ac Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 1 Aug 2023 20:36:59 +0000 Subject: [PATCH 25/36] Remove 'you' Signed-off-by: laurentsimon --- .../2023-08-07-bring-your-own-builder-github.md | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index ff7a314b2..eb34b01da 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
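Review bot: hunk `@@ -9,7 +9,7 @@` makes the spec link root-relative (`/spec/v1.0/requirements#provenance-generation`) but leaves the builder links on the unchanged line above as bare relative paths (`2022/06/slsa-github-workflows`, `2023/05/...`, `2023/06/...`), which resolve against the post's own URL rather than the site root and will break once the post is served under its own path; make them root-relative as well, or link the post source files so the site generator rewrites them.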
@@ -6,8 +6,7 @@ is_guest_post: false It has been an exciting quarter for supply chain security and SLSA, with the release of the [SLSA v1.0 specification](2023-04-19-slsa-v1-final.md), [SLSA provenance support for npm](https://github.blog/2023-04-19-introducing-npm-package-provenance/), and the announcement of new SLSA Level 3 builders for [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [containers](2023-06-13-slsa-github-worfklows-container-based.md)! -SLSA now provides and maintains official builders for [Go](2022/06/slsa-github-workflows), [Node.js](2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem) and [Container](2023/06/slsa-github-worfklows-container-based) based projects. -But what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? +SLSA now provides and maintains official builders for [Go](2022/06/slsa-github-workflows), [Node.js](2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem) and [Container](2023/06/slsa-github-worfklows-container-based) based projects. But what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](/spec/v1.0/requirements#provenance-generation). 
@@ -68,15 +67,13 @@ To validate the design of the BYOB framework and demonstrate its flexibility, we These Java builders can publish provenance attestation on Maven central. Additionally, the JReleaser SLSA builder can provide attestation for artifacts published as GitHub release assets and/or uploaded to cloud storage such as AWS S3. Like other builders released by the SLSA Tooling SIG, the provenance can be verified using the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). -### Verification for your projects +### Verification of Artifact -Below is an example for verifying provenance generated by the Maven builder: You will need to know the link of the artifact from the platform it has been distributed to. For Java artifacts, this will typically be Maven central, but you can also verify artifacts released on other platforms like Github. - -Maven Central allows you to browse the files of each release, and from there you can find the artifacts along with their provenance files: +To verify the provenance of an artifact built by the Maven builder, we need to download the artifact and its provenance. In this example, we download them from Maven central. Maven Central lets users browse the files of each release, and from there we can find the artifacts along with their provenance files: ![Maven provenance link](https://github.com/slsa-framework/slsa/assets/64505099/14ff1de1-a30c-4683-860c-352dc490c1ef) -Once you have the link to the artifact, you can verify it as follows: +We download and verify it as follows: ```shell ARTIFACT=test-artifact-0.1.0-jar 
@@ -86,13 +83,13 @@ wget "${ARTIFACT_URL}" && wget "${PROVENANCE_URL}" slsa-verifier verify-artifact "${ARTIFACT}" --provenance-path="${ARTIFACT}.build.slsa" --source-uri github.com/org/repo ``` -### Verification for your dependencies +### Verification of Dependencies A Java project contains not only the main application code, but also its dependencies consumed as "packages". We can therefore recursively verify each dependency's provenance. To this end, we're releasing an [experimental Maven plugin](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). The plugin resolves all dependencies of a given project and checks if they have provenance attestations along with their releases. When the plugin finds a dependency that has a provenance statement, it verifies it against the dependency. The plugin automatically performs the verification when configured in the ["pom.xml"](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin#integrating-it-into-your-maven-build-cycle). Or it may be run [manually](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin#using-the-maven-verification-plugin). See our [documentation](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). -The plugin is still a proof-of-concept, but it demonstrates what's possible with and likely to come from the BYOB Framework. With the framework producing L3 provenance for GitHub Actions users, and the plugin automatically verifying Maven packages, you can build an end-to-end solution for an entire ecosystem. +The plugin is still a proof-of-concept, but it demonstrates what's possible with and likely to come from the BYOB Framework. With the framework producing L3 provenance for GitHub Actions users, and the plugin automatically verifying Maven packages, we have built an end-to-end solution for an entire ecosystem. ## Conclusion 
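Review bot: the new heading `+### Verification of Artifact` in hunk `@@ -68,15 +67,13 @@` does not parallel the sibling heading "Verification of Dependencies"; use "Verification of Artifacts". The added paragraph also writes "Maven central" and "Maven Central" in consecutive sentences; keep "Maven Central". Finally, the removed lines noted that artifacts released on other platforms such as GitHub can be verified the same way, and the replacement drops that; since the JReleaser builder section above advertises GitHub release assets, keep a sentence for it.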
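Review bot: the rewritten last line of hunk `@@ -86,13 +83,13 @@` now asserts "we have built an end-to-end solution for an entire ecosystem" in the same sentence that calls the plugin "still a proof-of-concept"; the two claims clash, so either keep the hedged "you can build" wording or say that the pieces of an end-to-end solution are in place.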
From 9b1f941a9e38886b6771ba9883c8ae56efbd72cd Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 1 Aug 2023 21:28:00 +0000 Subject: [PATCH 26/36] Add more diagrams Signed-off-by: laurentsimon --- ...023-08-07-bring-your-own-builder-github.md | 25 ++++++++++++------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index eb34b01da..d05747ae9 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -6,9 +6,10 @@ is_guest_post: false It has been an exciting quarter for supply chain security and SLSA, with the release of the [SLSA v1.0 specification](2023-04-19-slsa-v1-final.md), [SLSA provenance support for npm](https://github.blog/2023-04-19-introducing-npm-package-provenance/), and the announcement of new SLSA Level 3 builders for [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [containers](2023-06-13-slsa-github-worfklows-container-based.md)! -SLSA now provides and maintains official builders for [Go](2022/06/slsa-github-workflows), [Node.js](2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem) and [Container](2023/06/slsa-github-worfklows-container-based) based projects. But what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? +SLSA now provides and maintains official builders for [Go](2022-06-20-slsa-github-workflows.md), [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [Container](2023-06-13-slsa-github-worfklows-container-based.md) based projects. But what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? -To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](/spec/v1.0/requirements#provenance-generation). 
+ +To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" (BYOB) framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](/spec/v1.0/requirements#provenance-generation). Writing a builder from scratch is a tedious multi-month effort. The BYOB framework streamlines this process and cuts the development time down to a few days. As a builder author, you don't need to worry about keeping signing keys secure, isolation between builds, the creation of attestations; all this is handled seamlessly by the framework, using the [same security design principles](https://github.com/slsa-framework/slsa-github-generator/tree/main#specifications) as our existing builders. 
@@ -21,24 +22,30 @@ The BYOB framework benefits both GitHub Action maintainers and GitHub Action use 1. For Action maintainers, it makes it easy to meet the [SLSA Build L3](/spec/v1.0/levels#build-l3) requirements. 2. For Action users, it makes it easy to adopt SLSA by trusting the BYOB project and the Action code - without worrying about which machine runs the Action. -The BYOB framework provides a set of GitHub Actions and workflows that helps builder authors generate provenance. +The BYOB framework provides a set of GitHub Actions and workflows that helps builder authors generate provenance. Suppose you own a GitHub Action called `MyAction` and want to generate provenance showing that it ran on some input and generated some output, without having to trust the Workflow that called your Action. This is not possible using a regular Action because Actions run under the control of the calling Workflow: this option is depicted in the diagram below, where a project's `release.yml` workflow calls `MyAction`. + +![release-action](https://github.com/slsa-framework/slsa/assets/64505099/d6b42c6e-637a-4bb0-a19e-852882dde9c1) + +To solve this problem, you could turn your Action into a Reusable Workflow. This results in `MyAction` running in a VM under your control, not the caller's control. In fact, this is how the SLSA go, Node.js, and container builders work. This option is depicted in the diagram below: The project's `release.yml` calls the reusable workflow `MyReusableWorkflow` which in turn calls `MyAction` and generates provenance for the run. + +![action-reusable](https://github.com/slsa-framework/slsa/assets/64505099/a0603e5f-4ebb-4c93-8216-b63f22bcf08d) -The high-level architecture is depicted in the diagram below. The `builder_workflow.yml` represents the builder being created. The BYOB framework, on the right of the diagram, acts as an orchestrator. +However, this is a lot of work that requires careful design and implementation. 
That's where the BYOB framework comes in! BYOB offloads all of the security critical work so that you can wrap your Action in a Reusable Workflow and call BYOB to do the heavy lifting. This high-level architecture is depicted in the diagram below: The `MyReusableWorkflow` calls the `BYOBWorkflow` which acts as an orchestrator. -![BYOB architecture](https://github.com/slsa-framework/slsa/assets/64505099/51c796e3-754e-4cd8-b2ea-dd8c23662411) +![BYOB architecture](https://github.com/slsa-framework/slsa/assets/64505099/9d0a8133-ae1a-4b43-b7a1-5090e263eb47) -There are two main steps to using the BYOB framework. First, the builder (`builder_workflow.yml`) initializes the BYOB framework ("Initialize" box on the left). Then it calls the framework ("Run" box on the left). Running the framework transfers execution to the BYOB framework which will run the build in an isolated environment and then generate provenance. +There are two main steps to using the BYOB framework. First, the builder (`MyReusableWorkflow`) initializes the BYOB framework ("BYOB_Initialize" box in the middle box). Then it calls the framework ("BYOB_Run" box). Running the framework transfers execution to the BYOB framework which will run the `MyAction` in an isolated environment and then generate provenance. Let's see each of these steps in more detail. -The snippet below shows how the initialization step is performed: the builder initializes the BYOB framework for the ubuntu-latest runner, with a build Action path "./internal/callback_action" and asks it to attest to its inputs. At runtime, the BYOB framework will isolate the "./internal/callback_action" into an ephemeral VM and run it on an ubuntu-latest runner. The call below returns a so-called "slsa-token" object which can then be used to run the framework itself. 
+The snippet below shows how the initialization step is performed: the builder `MyReusableWorkflow` initializes the BYOB framework for the ubuntu-latest runner, with a build Action path `MyAction` and asks it to attest to its inputs. At runtime, the BYOB framework will isolate the `MyAction` into an ephemeral VM and run it on an ubuntu-latest runner. The call below returns a so-called "slsa-token" object which can then be used to run the framework itself. ```yaml uses: slsa-framework/slsa-github-generator/actions/delegator/setup-generic@v1.8.0 with: ... slsa-runner-label: "ubuntu-latest" - slsa-build-action-path: "./internal/callback_action" + slsa-build-action-path: "path/to/MyAction" slsa-workflow-inputs: {% raw %}${{ toJson(inputs) }}{% endraw %} ``` @@ -53,7 +60,7 @@ uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_s secret2: {% raw %}${{ inputs.token }}{% endraw %} ``` -When the run completes, the BYOB framework will generate a list of attestations for the artifacts indicated by the builder. More information is available in our [documentation](https://github.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md#generation-of-metadata-layout-file). +When the run completes, the BYOB framework will generate a list of attestations for the artifacts indicated by the builder (`MyReusableWorkflow`). More information is available in our [documentation](https://github.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md#generation-of-metadata-layout-file). ## SLSA Java builders for JReleaser, Maven and Gradle From 6caa51b2b25e6057a869ec8a3df88d915f65d460 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 1 Aug 2023 21:29:42 +0000 Subject: [PATCH 27/36] Update diagram Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
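Review bot: hunk `@@ -6,9 +6,10 @@` inserts an empty `+` line directly after an existing blank context line, leaving two blank lines before the "To empower the community..." paragraph; drop the extra line (the switch of the builder links to the `.md` post files is fine).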
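Review bot: in hunk `@@ -21,24 +22,30 @@`, the added text says BYOB "offloads all of the security critical work" while the unchanged list item above still tells users they only need to trust "the BYOB project and the Action code"; the new `MyReusableWorkflow` is also inside the trust boundary, because it is the component that calls `BYOB_Initialize` and `BYOB_Run` and chooses `slsa-build-action-path` and the inputs that get attested. State that explicitly so readers do not assume the wrapper workflow is untrusted. Minor: the step description says the framework "will run the `MyAction`"; drop "the".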
diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index d05747ae9..14268afe5 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md @@ -24,7 +24,8 @@ The BYOB framework benefits both GitHub Action maintainers and GitHub Action use The BYOB framework provides a set of GitHub Actions and workflows that helps builder authors generate provenance. Suppose you own a GitHub Action called `MyAction` and want to generate provenance showing that it ran on some input and generated some output, without having to trust the Workflow that called your Action. This is not possible using a regular Action because Actions run under the control of the calling Workflow: this option is depicted in the diagram below, where a project's `release.yml` workflow calls `MyAction`. -![release-action](https://github.com/slsa-framework/slsa/assets/64505099/d6b42c6e-637a-4bb0-a19e-852882dde9c1) +![action-release](https://github.com/slsa-framework/slsa/assets/64505099/367ecc46-28f6-4029-853e-161a028e6a35) + To solve this problem, you could turn your Action into a Reusable Workflow. This results in `MyAction` running in a VM under your control, not the caller's control. In fact, this is how the SLSA go, Node.js, and container builders work. This option is depicted in the diagram below: The project's `release.yml` calls the reusable workflow `MyReusableWorkflow` which in turn calls `MyAction` and generates provenance for the run. From a3bd8815ab3ea70cfb746e7017e8a4569d482712 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 1 Aug 2023 21:30:10 +0000 Subject: [PATCH 28/36] update Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 2 -- 1 file changed, 2 deletions(-) 
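Review bot: hunk `@@ -24,7 +24,8 @@` adds an empty `+` line after the replaced image while the existing blank context line below it is kept, so the image is now followed by two blank lines; drop the added one. The alt text change to `action-release` is fine and matches the `action-reusable` image that follows.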
diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index 14268afe5..d3606c90a 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md @@ -8,7 +8,6 @@ It has been an exciting quarter for supply chain security and SLSA, with the rel SLSA now provides and maintains official builders for [Go](2022-06-20-slsa-github-workflows.md), [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [Container](2023-06-13-slsa-github-worfklows-container-based.md) based projects. But what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? - To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" (BYOB) framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](/spec/v1.0/requirements#provenance-generation). Writing a builder from scratch is a tedious multi-month effort. The BYOB framework streamlines this process and cuts the development time down to a few days. As a builder author, you don't need to worry about keeping signing keys secure, isolation between builds, the creation of attestations; all this is handled seamlessly by the framework, using the [same security design principles](https://github.com/slsa-framework/slsa-github-generator/tree/main#specifications) as our existing builders. 
@@ -26,7 +25,6 @@ The BYOB framework provides a set of GitHub Actions and workflows that helps bui ![action-release](https://github.com/slsa-framework/slsa/assets/64505099/367ecc46-28f6-4029-853e-161a028e6a35) - To solve this problem, you could turn your Action into a Reusable Workflow. This results in `MyAction` running in a VM under your control, not the caller's control. In fact, this is how the SLSA go, Node.js, and container builders work. This option is depicted in the diagram below: The project's `release.yml` calls the reusable workflow `MyReusableWorkflow` which in turn calls `MyAction` and generates provenance for the run. ![action-reusable](https://github.com/slsa-framework/slsa/assets/64505099/a0603e5f-4ebb-4c93-8216-b63f22bcf08d) From 09208c8396f2e71bf3f280e5a071c777c6b6e155 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 1 Aug 2023 21:34:54 +0000 Subject: [PATCH 29/36] update Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index d3606c90a..a42069da3 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md @@ -1,6 +1,6 @@ --- title: "Build your own SLSA 3+ provenance builder on GitHub Actions" -author: "Andres Almiray (JReleaser), Adam Korczynski (AdaLogics), Philip Harrison (GitHub), Laurent Simon (Google)" +author: "Andres Almiray (JReleaser), Adam Korczynski (Ada Logics), Philip Harrison (GitHub), Laurent Simon (Google)" is_guest_post: false --- 
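Review bot: both hunks of PATCH 28/36 only remove the blank lines introduced by the two preceding patches, and the subject "update" does not say so; squash PATCH 26 through 28 into one change, or give this commit a subject that names what it removes, so the history does not carry an add/remove pair for whitespace.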
@@ -33,7 +33,7 @@ However, this is a lot of work that requires careful design and implementation. ![BYOB architecture](https://github.com/slsa-framework/slsa/assets/64505099/9d0a8133-ae1a-4b43-b7a1-5090e263eb47) -There are two main steps to using the BYOB framework. First, the builder (`MyReusableWorkflow`) initializes the BYOB framework ("BYOB_Initialize" box in the middle box). Then it calls the framework ("BYOB_Run" box). Running the framework transfers execution to the BYOB framework which will run the `MyAction` in an isolated environment and then generate provenance. +There are two main steps to using the BYOB framework. First, the builder (`MyReusableWorkflow`) initializes the BYOB framework (`BYOB_Initialize` box in the middle box). Then it calls the framework (`BYOB_Run` box). Running the framework transfers execution to the BYOB framework which will run the `MyAction` in an isolated environment and then generate provenance. Let's see each of these steps in more detail. 
@@ -67,9 +67,9 @@ To validate the design of the BYOB framework and demonstrate its flexibility, we 1. A [JReleaser](https://github.com/jreleaser/release-action/tree/java#slsa-builder) Java builder which wraps the existing [GitHub Action for JReleaser](https://github.com/jreleaser/release-action) into a SLSA3-compliant builder. The integration was done by [aalmiray@](https://github.com/aalmiray), the maintainer of the [JReleaser](https://jreleaser.org) project. The resulting builder is hosted in the same repository as its original [Action](https://github.com/jreleaser/release-action/blob/java/.github/workflows/builder_slsa3.yml), so that JReleaser users can continue using the repositories they are already accustomed to. -2. A [Maven builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven#readme), contributed by [AdaLogics](https://adalogics.com). This builder is currently hosted in the OpenSSF SLSA repository. +2. A [Maven builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven#readme), contributed by [Ada Logics](https://adalogics.com). This builder is currently hosted in the OpenSSF SLSA repository. -3. A [Gradle builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle#readme), contributed by [AdaLogics](https://adalogics.com). This builder is currently hosted in the OpenSSF SLSA repository. +3. A [Gradle builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle#readme), contributed by [Ada Logics](https://adalogics.com). This builder is currently hosted in the OpenSSF SLSA repository. These Java builders can publish provenance attestation on Maven central. Additionally, the JReleaser SLSA builder can provide attestation for artifacts published as GitHub release assets and/or uploaded to cloud storage such as AWS S3. 
Like other builders released by the SLSA Tooling SIG, the provenance can be verified using the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). From 1866e0b031666888ae97cfc5e994b82255f2df0d Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 1 Aug 2023 21:40:40 +0000 Subject: [PATCH 30/36] update Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index a42069da3..de46caf98 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
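Review bot: switching `"BYOB_Initialize"` and `"BYOB_Run"` to backticks in hunk `@@ -33,7 +33,7 @@` is right, but the line still reads "`BYOB_Initialize` box in the middle box", which looks like a slip; say "in the middle column" or name the enclosing box in the diagram. The commit subject "update" should also describe the change (company name spelling and code formatting).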
@@ -21,11 +21,11 @@ The BYOB framework benefits both GitHub Action maintainers and GitHub Action use 1. For Action maintainers, it makes it easy to meet the [SLSA Build L3](/spec/v1.0/levels#build-l3) requirements. 2. For Action users, it makes it easy to adopt SLSA by trusting the BYOB project and the Action code - without worrying about which machine runs the Action. -The BYOB framework provides a set of GitHub Actions and workflows that helps builder authors generate provenance. Suppose you own a GitHub Action called `MyAction` and want to generate provenance showing that it ran on some input and generated some output, without having to trust the Workflow that called your Action. This is not possible using a regular Action because Actions run under the control of the calling Workflow: this option is depicted in the diagram below, where a project's `release.yml` workflow calls `MyAction`. +The BYOB framework provides a set of GitHub Actions and workflows that helps builder authors generate provenance. Suppose you own a GitHub Action called `MyAction` and want to generate provenance showing that it ran on some input and generated some output, without having to trust the Workflow that called your Action. This is not possible using a regular Action because Actions run under the control of the calling Workflow (the diagram below depicts a project's `release.yml` workflow calling `MyAction`). ![action-release](https://github.com/slsa-framework/slsa/assets/64505099/367ecc46-28f6-4029-853e-161a028e6a35) -To solve this problem, you could turn your Action into a Reusable Workflow. This results in `MyAction` running in a VM under your control, not the caller's control. In fact, this is how the SLSA go, Node.js, and container builders work. This option is depicted in the diagram below: The project's `release.yml` calls the reusable workflow `MyReusableWorkflow` which in turn calls `MyAction` and generates provenance for the run. 
+To solve this problem, you could turn your Action into a Reusable Workflow. This results in `MyAction` running in a VM under your control, not the caller's control. In fact, this is how the SLSA go, Node.js, and container builders work. This option is depicted in the diagram below: The project's `release.yml` calls the Reusable Workflow `MyReusableWorkflow` which in turn calls `MyAction` and generates provenance for the run. ![action-reusable](https://github.com/slsa-framework/slsa/assets/64505099/a0603e5f-4ebb-4c93-8216-b63f22bcf08d) From 357c8daa42c882893423a49fd3da1fdc408e0cdd Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 1 Aug 2023 22:13:09 +0000 Subject: [PATCH 31/36] Explain verification Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index de46caf98..83ef38fc3 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -25,7 +25,7 @@ The BYOB framework provides a set of GitHub Actions and workflows that helps bui ![action-release](https://github.com/slsa-framework/slsa/assets/64505099/367ecc46-28f6-4029-853e-161a028e6a35) -To solve this problem, you could turn your Action into a Reusable Workflow. This results in `MyAction` running in a VM under your control, not the caller's control. In fact, this is how the SLSA go, Node.js, and container builders work. This option is depicted in the diagram below: The project's `release.yml` calls the Reusable Workflow `MyReusableWorkflow` which in turn calls `MyAction` and generates provenance for the run. +To solve this problem, you could turn your Action into a Reusable Workflow. This results in `MyAction` running in a VM under your control, not the caller's control. In fact, this is how the SLSA Go, Node.js, and Container builders work. This option is depicted in the diagram below: The project's `release.yml` calls the Reusable Workflow `MyReusableWorkflow` which in turn calls `MyAction` and generates provenance for the run. ![action-reusable](https://github.com/slsa-framework/slsa/assets/64505099/a0603e5f-4ebb-4c93-8216-b63f22bcf08d) 
@@ -79,14 +79,17 @@ To verify the provenance of an artifact built by the Maven builder, we need to d ![Maven provenance link](https://github.com/slsa-framework/slsa/assets/64505099/14ff1de1-a30c-4683-860c-352dc490c1ef) -We download and verify it as follows: +The [slsa-verifier](https://github.com/slsa-framework/slsa-verifier) can be used to verify the provenance. The tool verifies the signature on the provenance and the source used to build the artifact, as per the [SLSA specifications](/spec/v1.0/verifying-artifacts). ```shell ARTIFACT=test-artifact-0.1.0-jar ARTIFACT_URL="https://repo1.maven.org/maven2/path/to/${ARTFACT}" PROVENANCE_URL="${ARTIFACT_URL}".build.slsa wget "${ARTIFACT_URL}" && wget "${PROVENANCE_URL}" -slsa-verifier verify-artifact "${ARTIFACT}" --provenance-path="${ARTIFACT}.build.slsa" --source-uri github.com/org/repo +slsa-verifier verify-artifact "${ARTIFACT}" \ + --provenance-path="${ARTIFACT}.build.slsa" \ + --source-uri github.com/org/repo \ + [--source-tag v1.2.3] ``` ### Verification of Dependencies From f5dc3f1f65278c28c1815d4163d91a4697d45af8 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 2 Aug 2023 18:09:37 +0000 Subject: [PATCH 32/36] update Signed-off-by: laurentsimon --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index 83ef38fc3..444e72db0 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
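Review bot: the shell block in this hunk does not run as written: `ARTIFACT_URL` expands `${ARTFACT}` (missing `I`), so the URL ends in `path/to/` and both `wget` calls fetch the wrong thing, and `ARTIFACT=test-artifact-0.1.0-jar` looks like it should be `test-artifact-0.1.0.jar`. The `[--source-tag v1.2.3]` bracket notation on the new line is also not valid shell, so a copy-paste of the block fails; show the flag as a real line with a comment that it is optional. The new prose should also say what each flag pins: with `--source-uri` alone the verifier only checks that the artifact was built from some commit of `github.com/org/repo`, so a consumer who wants a specific release must pass `--source-tag` (and, since several builders can now produce provenance for the same repository, the expected `--builder-id`).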
@@ -6,7 +6,7 @@ is_guest_post: false It has been an exciting quarter for supply chain security and SLSA, with the release of the [SLSA v1.0 specification](2023-04-19-slsa-v1-final.md), [SLSA provenance support for npm](https://github.blog/2023-04-19-introducing-npm-package-provenance/), and the announcement of new SLSA Level 3 builders for [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [containers](2023-06-13-slsa-github-worfklows-container-based.md)! -SLSA now provides and maintains official builders for [Go](2022-06-20-slsa-github-workflows.md), [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [Container](2023-06-13-slsa-github-worfklows-container-based.md) based projects. But what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? +SLSA already provides and maintains official builders for [Go](2022-06-20-slsa-github-workflows.md), [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [Container](2023-06-13-slsa-github-worfklows-container-based.md) based projects. But what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" (BYOB) framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](/spec/v1.0/requirements#provenance-generation). 
@@ -87,7 +87,7 @@ ARTIFACT_URL="https://repo1.maven.org/maven2/path/to/${ARTFACT}" PROVENANCE_URL="${ARTIFACT_URL}".build.slsa wget "${ARTIFACT_URL}" && wget "${PROVENANCE_URL}" slsa-verifier verify-artifact "${ARTIFACT}" \ - --provenance-path="${ARTIFACT}.build.slsa" \ + --provenance-path "${ARTIFACT}.build.slsa" \ --source-uri github.com/org/repo \ [--source-tag v1.2.3] ``` From 61ce857488c6a0982242b7016faa27a28550d5da Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Sat, 5 Aug 2023 03:17:43 +0000 Subject: [PATCH 33/36] push release date Signed-off-by: laurentsimon --- ...023-08-07-bring-your-own-builder-github.md | 109 ------------------ 1 file changed, 109 deletions(-) delete mode 100644 docs/_posts/2023-08-07-bring-your-own-builder-github.md diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md deleted file mode 100644 index 444e72db0..000000000 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ /dev/null 
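Review bot: the `${ARTFACT}` typo on the `ARTIFACT_URL` context line just above the changed line is still there; since this hunk already touches the block, fix it here so the example resolves to a real file. Dropping the `=` form is fine, but the bracketed `[--source-tag v1.2.3]` line below the change remains non-executable shell.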
@@ -1,109 +0,0 @@ ---- -title: "Build your own SLSA 3+ provenance builder on GitHub Actions" -author: "Andres Almiray (JReleaser), Adam Korczynski (Ada Logics), Philip Harrison (GitHub), Laurent Simon (Google)" -is_guest_post: false ---- - -It has been an exciting quarter for supply chain security and SLSA, with the release of the [SLSA v1.0 specification](2023-04-19-slsa-v1-final.md), [SLSA provenance support for npm](https://github.blog/2023-04-19-introducing-npm-package-provenance/), and the announcement of new SLSA Level 3 builders for [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [containers](2023-06-13-slsa-github-worfklows-container-based.md)! - -SLSA already provides and maintains official builders for [Go](2022-06-20-slsa-github-workflows.md), [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [Container](2023-06-13-slsa-github-worfklows-container-based.md) based projects. But what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? - -To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" (BYOB) framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](/spec/v1.0/requirements#provenance-generation). - -Writing a builder from scratch is a tedious multi-month effort. The BYOB framework streamlines this process and cuts the development time down to a few days. 
As a builder author, you don't need to worry about keeping signing keys secure, isolation between builds, the creation of attestations; all this is handled seamlessly by the framework, using the [same security design principles](https://github.com/slsa-framework/slsa-github-generator/tree/main#specifications) as our existing builders. - -To demonstrate the flexibility of this framework, we are also announcing three SLSA builders created by [community contributors](https://github.com/laurentsimon/slsa-github-generator/blob/feat/hof/README.md#builder-creation) for the Java ecosystems. - -## Build Your Own Builder Framework - -The BYOB framework benefits both GitHub Action maintainers and GitHub Action users: - -1. For Action maintainers, it makes it easy to meet the [SLSA Build L3](/spec/v1.0/levels#build-l3) requirements. -2. For Action users, it makes it easy to adopt SLSA by trusting the BYOB project and the Action code - without worrying about which machine runs the Action. - -The BYOB framework provides a set of GitHub Actions and workflows that helps builder authors generate provenance. Suppose you own a GitHub Action called `MyAction` and want to generate provenance showing that it ran on some input and generated some output, without having to trust the Workflow that called your Action. This is not possible using a regular Action because Actions run under the control of the calling Workflow (the diagram below depicts a project's `release.yml` workflow calling `MyAction`). - -![action-release](https://github.com/slsa-framework/slsa/assets/64505099/367ecc46-28f6-4029-853e-161a028e6a35) - -To solve this problem, you could turn your Action into a Reusable Workflow. This results in `MyAction` running in a VM under your control, not the caller's control. In fact, this is how the SLSA Go, Node.js, and Container builders work. 
This option is depicted in the diagram below: The project's `release.yml` calls the Reusable Workflow `MyReusableWorkflow` which in turn calls `MyAction` and generates provenance for the run. - -![action-reusable](https://github.com/slsa-framework/slsa/assets/64505099/a0603e5f-4ebb-4c93-8216-b63f22bcf08d) - -However, this is a lot of work that requires careful design and implementation. That's where the BYOB framework comes in! BYOB offloads all of the security critical work so that you can wrap your Action in a Reusable Workflow and call BYOB to do the heavy lifting. This high-level architecture is depicted in the diagram below: The `MyReusableWorkflow` calls the `BYOBWorkflow` which acts as an orchestrator. - -![BYOB architecture](https://github.com/slsa-framework/slsa/assets/64505099/9d0a8133-ae1a-4b43-b7a1-5090e263eb47) - -There are two main steps to using the BYOB framework. First, the builder (`MyReusableWorkflow`) initializes the BYOB framework (`BYOB_Initialize` box in the middle box). Then it calls the framework (`BYOB_Run` box). Running the framework transfers execution to the BYOB framework which will run the `MyAction` in an isolated environment and then generate provenance. - -Let's see each of these steps in more detail. - -The snippet below shows how the initialization step is performed: the builder `MyReusableWorkflow` initializes the BYOB framework for the ubuntu-latest runner, with a build Action path `MyAction` and asks it to attest to its inputs. At runtime, the BYOB framework will isolate the `MyAction` into an ephemeral VM and run it on an ubuntu-latest runner. The call below returns a so-called "slsa-token" object which can then be used to run the framework itself. - -```yaml -uses: slsa-framework/slsa-github-generator/actions/delegator/setup-generic@v1.8.0 - with: - ... 
- slsa-runner-label: "ubuntu-latest" - slsa-build-action-path: "path/to/MyAction" - slsa-workflow-inputs: {% raw %}${{ toJson(inputs) }}{% endraw %} -``` - -The second step is to run the BYOB framework with the initialized "slsa-token": - -```yaml -uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.8.0 - with: - slsa-token: {% raw %}${{ needs.slsa-setup.outputs.slsa-token }}{% endraw %} - secrets: - secret1: {% raw %}${{ inputs.password }}{% endraw %} - secret2: {% raw %}${{ inputs.token }}{% endraw %} -``` - -When the run completes, the BYOB framework will generate a list of attestations for the artifacts indicated by the builder (`MyReusableWorkflow`). More information is available in our [documentation](https://github.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md#generation-of-metadata-layout-file). - -## SLSA Java builders for JReleaser, Maven and Gradle - -To validate the design of the BYOB framework and demonstrate its flexibility, we have partnered with new contributors to create three new builders for the [Java ecosystems](https://github.com/slsa-framework/slsa-github-generator/blob/main/README.md#builder-creation): - -1. A [JReleaser](https://github.com/jreleaser/release-action/tree/java#slsa-builder) Java builder which wraps the existing [GitHub Action for JReleaser](https://github.com/jreleaser/release-action) into a SLSA3-compliant builder. The integration was done by [aalmiray@](https://github.com/aalmiray), the maintainer of the [JReleaser](https://jreleaser.org) project. The resulting builder is hosted in the same repository as its original [Action](https://github.com/jreleaser/release-action/blob/java/.github/workflows/builder_slsa3.yml), so that JReleaser users can continue using the repositories they are already accustomed to. - -2. 
A [Maven builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven#readme), contributed by [Ada Logics](https://adalogics.com). This builder is currently hosted in the OpenSSF SLSA repository. - -3. A [Gradle builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle#readme), contributed by [Ada Logics](https://adalogics.com). This builder is currently hosted in the OpenSSF SLSA repository. - -These Java builders can publish provenance attestation on Maven central. Additionally, the JReleaser SLSA builder can provide attestation for artifacts published as GitHub release assets and/or uploaded to cloud storage such as AWS S3. Like other builders released by the SLSA Tooling SIG, the provenance can be verified using the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). - -### Verification of Artifact - -To verify the provenance of an artifact built by the Maven builder, we need to download the artifact and its provenance. In this example, we download them from Maven central. Maven Central lets users browse the files of each release, and from there we can find the artifacts along with their provenance files: - -![Maven provenance link](https://github.com/slsa-framework/slsa/assets/64505099/14ff1de1-a30c-4683-860c-352dc490c1ef) - -The [slsa-verifier](https://github.com/slsa-framework/slsa-verifier) can be used to verify the provenance. The tool verifies the signature on the provenance and the source used to build the artifact, as per the [SLSA specifications](/spec/v1.0/verifying-artifacts). 
- -```shell -ARTIFACT=test-artifact-0.1.0-jar -ARTIFACT_URL="https://repo1.maven.org/maven2/path/to/${ARTFACT}" -PROVENANCE_URL="${ARTIFACT_URL}".build.slsa -wget "${ARTIFACT_URL}" && wget "${PROVENANCE_URL}" -slsa-verifier verify-artifact "${ARTIFACT}" \ - --provenance-path "${ARTIFACT}.build.slsa" \ - --source-uri github.com/org/repo \ - [--source-tag v1.2.3] -``` - -### Verification of Dependencies - -A Java project contains not only the main application code, but also its dependencies consumed as "packages". We can therefore recursively verify each dependency's provenance. To this end, we're releasing an [experimental Maven plugin](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). The plugin resolves all dependencies of a given project and checks if they have provenance attestations along with their releases. When the plugin finds a dependency that has a provenance statement, it verifies it against the dependency. - -The plugin automatically performs the verification when configured in the ["pom.xml"](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin#integrating-it-into-your-maven-build-cycle). Or it may be run [manually](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin#using-the-maven-verification-plugin). See our [documentation](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). - -The plugin is still a proof-of-concept, but it demonstrates what's possible with and likely to come from the BYOB Framework. With the framework producing L3 provenance for GitHub Actions users, and the plugin automatically verifying Maven packages, we have built an end-to-end solution for an entire ecosystem. - -## Conclusion - -Thanks to the BYOB framework, it's now possible for maintainers of existing GitHub Actions to start producing SLSA Level 3 provenance attestations! 
- -If you are a maintainer of an existing GitHub Action, try it out by following the [BYOB documentation](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) and don't hesitate to report issues or ask questions on the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator/issues) repository. - -**Special thanks**: Zach Steindler (GitHub), Ian Lewis, Asra Ali, Appu Goundan (Google) for the help landing this feature (design, reviews, implementation, etc)! From 56177b6690348ddbcdcabaf8d2670c8a3049a90f Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Sat, 12 Aug 2023 01:40:19 +0000 Subject: [PATCH 34/36] push date Signed-off-by: laurentsimon --- ...023-08-21-bring-your-own-builder-github.md | 109 ++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 docs/_posts/2023-08-21-bring-your-own-builder-github.md diff --git a/docs/_posts/2023-08-21-bring-your-own-builder-github.md b/docs/_posts/2023-08-21-bring-your-own-builder-github.md new file mode 100644 index 000000000..444e72db0 --- /dev/null +++ b/docs/_posts/2023-08-21-bring-your-own-builder-github.md 
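Review bot: a pure date bump should be a rename (`git mv`), not a 109-line deletion followed by a 109-line re-creation in the next patch; as written the post's blame history is lost and a reviewer cannot see at a glance that the content is unchanged (the `index 444e72db0` blob on both sides is the only hint). Patch 35 already does the next date change as a rename, so this one should be squashed into that form.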
@@ -0,0 +1,109 @@ +--- +title: "Build your own SLSA 3+ provenance builder on GitHub Actions" +author: "Andres Almiray (JReleaser), Adam Korczynski (Ada Logics), Philip Harrison (GitHub), Laurent Simon (Google)" +is_guest_post: false +--- + +It has been an exciting quarter for supply chain security and SLSA, with the release of the [SLSA v1.0 specification](2023-04-19-slsa-v1-final.md), [SLSA provenance support for npm](https://github.blog/2023-04-19-introducing-npm-package-provenance/), and the announcement of new SLSA Level 3 builders for [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [containers](2023-06-13-slsa-github-worfklows-container-based.md)! + +SLSA already provides and maintains official builders for [Go](2022-06-20-slsa-github-workflows.md), [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [Container](2023-06-13-slsa-github-worfklows-container-based.md) based projects. But what if you don't use any of these languages or use custom tooling that isn't supported by the official builders? + +To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" (BYOB) framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](/spec/v1.0/requirements#provenance-generation). + +Writing a builder from scratch is a tedious multi-month effort. The BYOB framework streamlines this process and cuts the development time down to a few days. 
As a builder author, you don't need to worry about keeping signing keys secure, isolation between builds, the creation of attestations; all this is handled seamlessly by the framework, using the [same security design principles](https://github.com/slsa-framework/slsa-github-generator/tree/main#specifications) as our existing builders. + +To demonstrate the flexibility of this framework, we are also announcing three SLSA builders created by [community contributors](https://github.com/laurentsimon/slsa-github-generator/blob/feat/hof/README.md#builder-creation) for the Java ecosystems. + +## Build Your Own Builder Framework + +The BYOB framework benefits both GitHub Action maintainers and GitHub Action users: + +1. For Action maintainers, it makes it easy to meet the [SLSA Build L3](/spec/v1.0/levels#build-l3) requirements. +2. For Action users, it makes it easy to adopt SLSA by trusting the BYOB project and the Action code - without worrying about which machine runs the Action. + +The BYOB framework provides a set of GitHub Actions and workflows that helps builder authors generate provenance. Suppose you own a GitHub Action called `MyAction` and want to generate provenance showing that it ran on some input and generated some output, without having to trust the Workflow that called your Action. This is not possible using a regular Action because Actions run under the control of the calling Workflow (the diagram below depicts a project's `release.yml` workflow calling `MyAction`). + +![action-release](https://github.com/slsa-framework/slsa/assets/64505099/367ecc46-28f6-4029-853e-161a028e6a35) + +To solve this problem, you could turn your Action into a Reusable Workflow. This results in `MyAction` running in a VM under your control, not the caller's control. In fact, this is how the SLSA Go, Node.js, and Container builders work. 
This option is depicted in the diagram below: The project's `release.yml` calls the Reusable Workflow `MyReusableWorkflow` which in turn calls `MyAction` and generates provenance for the run. + +![action-reusable](https://github.com/slsa-framework/slsa/assets/64505099/a0603e5f-4ebb-4c93-8216-b63f22bcf08d) + +However, this is a lot of work that requires careful design and implementation. That's where the BYOB framework comes in! BYOB offloads all of the security critical work so that you can wrap your Action in a Reusable Workflow and call BYOB to do the heavy lifting. This high-level architecture is depicted in the diagram below: The `MyReusableWorkflow` calls the `BYOBWorkflow` which acts as an orchestrator. + +![BYOB architecture](https://github.com/slsa-framework/slsa/assets/64505099/9d0a8133-ae1a-4b43-b7a1-5090e263eb47) + +There are two main steps to using the BYOB framework. First, the builder (`MyReusableWorkflow`) initializes the BYOB framework (`BYOB_Initialize` box in the middle box). Then it calls the framework (`BYOB_Run` box). Running the framework transfers execution to the BYOB framework which will run the `MyAction` in an isolated environment and then generate provenance. + +Let's see each of these steps in more detail. + +The snippet below shows how the initialization step is performed: the builder `MyReusableWorkflow` initializes the BYOB framework for the ubuntu-latest runner, with a build Action path `MyAction` and asks it to attest to its inputs. At runtime, the BYOB framework will isolate the `MyAction` into an ephemeral VM and run it on an ubuntu-latest runner. The call below returns a so-called "slsa-token" object which can then be used to run the framework itself. + +```yaml +uses: slsa-framework/slsa-github-generator/actions/delegator/setup-generic@v1.8.0 + with: + ... 
+ slsa-runner-label: "ubuntu-latest" + slsa-build-action-path: "path/to/MyAction" + slsa-workflow-inputs: {% raw %}${{ toJson(inputs) }}{% endraw %} +``` + +The second step is to run the BYOB framework with the initialized "slsa-token": + +```yaml +uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@v1.8.0 + with: + slsa-token: {% raw %}${{ needs.slsa-setup.outputs.slsa-token }}{% endraw %} + secrets: + secret1: {% raw %}${{ inputs.password }}{% endraw %} + secret2: {% raw %}${{ inputs.token }}{% endraw %} +``` + +When the run completes, the BYOB framework will generate a list of attestations for the artifacts indicated by the builder (`MyReusableWorkflow`). More information is available in our [documentation](https://github.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md#generation-of-metadata-layout-file). + +## SLSA Java builders for JReleaser, Maven and Gradle + +To validate the design of the BYOB framework and demonstrate its flexibility, we have partnered with new contributors to create three new builders for the [Java ecosystems](https://github.com/slsa-framework/slsa-github-generator/blob/main/README.md#builder-creation): + +1. A [JReleaser](https://github.com/jreleaser/release-action/tree/java#slsa-builder) Java builder which wraps the existing [GitHub Action for JReleaser](https://github.com/jreleaser/release-action) into a SLSA3-compliant builder. The integration was done by [aalmiray@](https://github.com/aalmiray), the maintainer of the [JReleaser](https://jreleaser.org) project. The resulting builder is hosted in the same repository as its original [Action](https://github.com/jreleaser/release-action/blob/java/.github/workflows/builder_slsa3.yml), so that JReleaser users can continue using the repositories they are already accustomed to. + +2. 
A [Maven builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven#readme), contributed by [Ada Logics](https://adalogics.com). This builder is currently hosted in the OpenSSF SLSA repository. + +3. A [Gradle builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle#readme), contributed by [Ada Logics](https://adalogics.com). This builder is currently hosted in the OpenSSF SLSA repository. + +These Java builders can publish provenance attestation on Maven central. Additionally, the JReleaser SLSA builder can provide attestation for artifacts published as GitHub release assets and/or uploaded to cloud storage such as AWS S3. Like other builders released by the SLSA Tooling SIG, the provenance can be verified using the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). + +### Verification of Artifact + +To verify the provenance of an artifact built by the Maven builder, we need to download the artifact and its provenance. In this example, we download them from Maven central. Maven Central lets users browse the files of each release, and from there we can find the artifacts along with their provenance files: + +![Maven provenance link](https://github.com/slsa-framework/slsa/assets/64505099/14ff1de1-a30c-4683-860c-352dc490c1ef) + +The [slsa-verifier](https://github.com/slsa-framework/slsa-verifier) can be used to verify the provenance. The tool verifies the signature on the provenance and the source used to build the artifact, as per the [SLSA specifications](/spec/v1.0/verifying-artifacts). 
+ +```shell +ARTIFACT=test-artifact-0.1.0-jar +ARTIFACT_URL="https://repo1.maven.org/maven2/path/to/${ARTFACT}" +PROVENANCE_URL="${ARTIFACT_URL}".build.slsa +wget "${ARTIFACT_URL}" && wget "${PROVENANCE_URL}" +slsa-verifier verify-artifact "${ARTIFACT}" \ + --provenance-path "${ARTIFACT}.build.slsa" \ + --source-uri github.com/org/repo \ + [--source-tag v1.2.3] +``` + +### Verification of Dependencies + +A Java project contains not only the main application code, but also its dependencies consumed as "packages". We can therefore recursively verify each dependency's provenance. To this end, we're releasing an [experimental Maven plugin](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). The plugin resolves all dependencies of a given project and checks if they have provenance attestations along with their releases. When the plugin finds a dependency that has a provenance statement, it verifies it against the dependency. + +The plugin automatically performs the verification when configured in the ["pom.xml"](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin#integrating-it-into-your-maven-build-cycle). Or it may be run [manually](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin#using-the-maven-verification-plugin). See our [documentation](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). + +The plugin is still a proof-of-concept, but it demonstrates what's possible with and likely to come from the BYOB Framework. With the framework producing L3 provenance for GitHub Actions users, and the plugin automatically verifying Maven packages, we have built an end-to-end solution for an entire ecosystem. + +## Conclusion + +Thanks to the BYOB framework, it's now possible for maintainers of existing GitHub Actions to start producing SLSA Level 3 provenance attestations! 
+ +If you are a maintainer of an existing GitHub Action, try it out by following the [BYOB documentation](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) and don't hesitate to report issues or ask questions on the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator/issues) repository. + +**Special thanks**: Zach Steindler (GitHub), Ian Lewis, Asra Ali, Appu Goundan (Google) for the help landing this feature (design, reviews, implementation, etc)! From b1c195c6777490340170a52384d9ace7104642f8 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 18 Aug 2023 18:40:14 +0000 Subject: [PATCH 35/36] pushing date by 1 week Signed-off-by: laurentsimon --- ...lder-github.md => 2023-08-28-bring-your-own-builder-github.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/_posts/{2023-08-21-bring-your-own-builder-github.md => 2023-08-28-bring-your-own-builder-github.md} (100%) diff --git a/docs/_posts/2023-08-21-bring-your-own-builder-github.md b/docs/_posts/2023-08-28-bring-your-own-builder-github.md similarity index 100% rename from docs/_posts/2023-08-21-bring-your-own-builder-github.md rename to docs/_posts/2023-08-28-bring-your-own-builder-github.md From 5554f3bee789834ddb82118cb3f92aae71a5c122 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 18 Aug 2023 18:50:58 +0000 Subject: [PATCH 36/36] resize image Signed-off-by: laurentsimon --- docs/_posts/2023-08-28-bring-your-own-builder-github.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/_posts/2023-08-28-bring-your-own-builder-github.md b/docs/_posts/2023-08-28-bring-your-own-builder-github.md index 444e72db0..275c2eadc 100644 --- a/docs/_posts/2023-08-28-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-28-bring-your-own-builder-github.md 
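Review bot: several problems in the recreated file should be fixed before publication. The BYOB run snippet passes `inputs.password` and `inputs.token` under `secrets:` while the setup step attests to `toJson(inputs)`: if those values are declared as workflow inputs they are not masked in logs and are serialized into the signed provenance's inputs and published next to the artifact, so they should be declared under the reusable workflow's `secrets:` and referenced as `secrets.password` / `secrets.token`. The "community contributors" link points at a personal fork branch (`laurentsimon/slsa-github-generator/blob/feat/hof/README.md`); the same anchor on `slsa-framework/slsa-github-generator/blob/main/README.md#builder-creation` is used a few paragraphs later and should be used here too. The verification block still has `${ARTFACT}` (missing `I`), `test-artifact-0.1.0-jar` instead of `.jar`, and the non-shell `[--source-tag v1.2.3]` line. Minor: "Java ecosystems" should be singular, "Maven central" is capitalized inconsistently with "Maven Central" two lines later.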
@@ -25,7 +25,7 @@ The BYOB framework provides a set of GitHub Actions and workflows that helps bui ![action-release](https://github.com/slsa-framework/slsa/assets/64505099/367ecc46-28f6-4029-853e-161a028e6a35) -To solve this problem, you could turn your Action into a Reusable Workflow. This results in `MyAction` running in a VM under your control, not the caller's control. In fact, this is how the SLSA Go, Node.js, and Container builders work. This option is depicted in the diagram below: The project's `release.yml` calls the Reusable Workflow `MyReusableWorkflow` which in turn calls `MyAction` and generates provenance for the run. +To solve this problem, you could turn your Action into a Reusable Workflow. This results in `MyAction` running in a VM under your control, not the caller's control. This option is depicted in the diagram below: The project's `release.yml` calls the Reusable Workflow `MyReusableWorkflow` which in turn calls `MyAction` and generates provenance for the run. ![action-reusable](https://github.com/slsa-framework/slsa/assets/64505099/a0603e5f-4ebb-4c93-8216-b63f22bcf08d) 
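Review bot: this hunk deletes the sentence "In fact, this is how the SLSA Go, Node.js, and Container builders work." but the commit is titled "resize image"; either split it into its own commit or say so in the message. If the removal is intentional because the official builders are not structured that way, the post should still tell readers how those builders relate to BYOB, since the introduction claims the framework uses the same security design principles as the existing builders.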
@@ -77,7 +77,7 @@ These Java builders can publish provenance attestation on Maven central. Additio To verify the provenance of an artifact built by the Maven builder, we need to download the artifact and its provenance. In this example, we download them from Maven central. Maven Central lets users browse the files of each release, and from there we can find the artifacts along with their provenance files: -![Maven provenance link](https://github.com/slsa-framework/slsa/assets/64505099/14ff1de1-a30c-4683-860c-352dc490c1ef) +![Maven provenance link](https://github.com/slsa-framework/slsa/assets/64505099/562a945d-df51-4473-9eac-a297779536be) The [slsa-verifier](https://github.com/slsa-framework/slsa-verifier) can be used to verify the provenance. The tool verifies the signature on the provenance and the source used to build the artifact, as per the [SLSA specifications](/spec/v1.0/verifying-artifacts).
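Review bot: swapping the asset URL does not express a resize in source, so a reviewer cannot tell from this diff what changed in the image. Consider an HTML `<img>` tag with an explicit `width` attribute (kramdown passes raw HTML through) so the intended size lives in the post rather than in the uploaded asset, or at least record the new dimensions in the commit message.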