forked from denoland/deno
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(publish): ensure provenance is spec compliant (denoland#25200)
Fixes: denoland#25199 Ensures that for the SLSA provenance document generated on publishing, `subject` is an array of ResourceDescriptor objects per the in-toto specification [requirements](https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md#fields). --------- Signed-off-by: Bob Callaway <[email protected]>
- Loading branch information
1 parent
b536ed1
commit 3a63572
Showing
2 changed files
with
15 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -229,16 +229,16 @@ impl Predicate { | |
| struct ProvenanceAttestation { | ||
| #[serde(rename = "type")] | ||
| _type: &'static str, | ||
| subject: Subject, | ||
| subject: Vec<Subject>, | ||
| predicate_type: &'static str, | ||
| predicate: Predicate, | ||
| } | ||
|
|
||
| impl ProvenanceAttestation { | ||
| pub fn new_github_actions(subject: Subject) -> Self { | ||
| pub fn new_github_actions(subjects: Vec<Subject>) -> Self { | ||
| Self { | ||
| _type: INTOTO_STATEMENT_TYPE, | ||
| subject, | ||
| subject: subjects, | ||
| predicate_type: SLSA_PREDICATE_TYPE, | ||
| predicate: Predicate::new_github_actions(), | ||
| } | ||
|
|
@@ -296,7 +296,7 @@ pub struct ProvenanceBundle { | |
|
|
||
| pub async fn generate_provenance( | ||
| http_client: &HttpClient, | ||
| subject: Subject, | ||
| subjects: Vec<Subject>, | ||
| ) -> Result<ProvenanceBundle, AnyError> { | ||
| if !is_gha() { | ||
| bail!("Automatic provenance is only available in GitHub Actions"); | ||
|
|
@@ -308,7 +308,7 @@ pub async fn generate_provenance( | |
| ); | ||
| }; | ||
|
|
||
| let slsa = ProvenanceAttestation::new_github_actions(subject); | ||
| let slsa = ProvenanceAttestation::new_github_actions(subjects); | ||
|
|
||
| let attestation = serde_json::to_string(&slsa)?; | ||
| let bundle = attest(http_client, &attestation, INTOTO_PAYLOAD_TYPE).await?; | ||
|
|
@@ -738,8 +738,13 @@ mod tests { | |
| sha256: "yourmom".to_string(), | ||
| }, | ||
| }; | ||
| let slsa = ProvenanceAttestation::new_github_actions(subject); | ||
| assert_eq!(slsa.subject.name, "jsr:@divy/[email protected]"); | ||
| assert_eq!(slsa.subject.digest.sha256, "yourmom"); | ||
| let slsa = ProvenanceAttestation::new_github_actions(vec![subject]); | ||
| assert_eq!( | ||
| slsa.subject.len(), | ||
| 1, | ||
| "Subject should be an array per the in-toto specification" | ||
| ); | ||
| assert_eq!(slsa.subject[0].name, "jsr:@divy/[email protected]"); | ||
| assert_eq!(slsa.subject[0].digest.sha256, "yourmom"); | ||
| } | ||
| } | ||