Haskell provenance (slsa-framework#595)

mihaimaruseac · laurentsimon · web-flow · commit 0f97cca414ee · 2022-07-20T16:22:05.000Z
* Add provenance for Haskell. Allows using either Stack or Cabal build tools Tested via example repo ([Cabal](https://github.com/mihaimaruseac/slsa-lvl3-generic-provenance-in-haskell-example/blob/v0.0.1.1/.github/workflows/ci.yaml), [Stack](https://github.com/mihaimaruseac/slsa-lvl3-generic-provenance-in-haskell-example/blob/v0.0.1.0/.github/workflows/ci.yaml)). Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com> * Fix off-by-one counting errors Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com> * Remove trailing whitespace Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com> * Remove the build id step as it is not needed Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com> * Update README.md Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
@@ -29,6 +29,7 @@ project simply generates provenance as a separate step in an existing workflow.
   - [Provenance for Bazel](#provenance-for-bazel)
   - [Provenance for Java](#provenance-for-java)
   - [Provenance for Rust](#provenance-for-rust)
+  - [Provenance for Haskell](#provenance-for-haskell)
 
 ---
 
@@ -351,7 +352,7 @@ jobs:
 ### Provenance for Bazel
 
 If you use [Bazel](https://bazel.build/) to generate your artifacts, you can
-easily generate SLSA3 provenance by updating your existing workflow with the 4
+easily generate SLSA3 provenance by updating your existing workflow with the 5
 steps indicated in the workflow below:
 
 ```yaml
@@ -462,7 +463,7 @@ jobs:
         run: |
           # Your normal build workflow targets here
           mvn clean package
-          
+
           # ======================================================
           #
           # Step 3: Save the location of the maven output files
@@ -484,7 +485,7 @@ jobs:
         id: hash
         run: |
           echo "::set-output name=hashes::$(sha256sum ${{ steps.build.outputs.artifact_pattern }} | base64 -w0)"
-      
+
       - name: Upload build artifacts
         uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
         with:
@@ -541,7 +542,7 @@ jobs:
 
       # ========================================================
       #
-      # Step 4: Add a step to generate the provenance subjects
+      # Step 3: Add a step to generate the provenance subjects
       #         as shown below. Update the sha256 sum arguments
       #         to include all binaries that you generate
       #         provenance for.
@@ -553,7 +554,7 @@ jobs:
         id: hash
         run: |
           echo "::set-output name=hashes::$(sha256sum ./build/libs/* | base64 -w0)"
-      
+
       - name: Upload build artifacts
         uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
         with:
@@ -563,7 +564,7 @@ jobs:
 
   # =========================================================
   #
-  # Step 5: Call the generic workflow to generate provenance
+  # Step 4: Call the generic workflow to generate provenance
   #         by declaring the job below.
   #
   # =========================================================
@@ -616,7 +617,7 @@ jobs:
 
       # ========================================================
       #
-      # Step 4: Add a step to generate the provenance subjects
+      # Step 3: Add a step to generate the provenance subjects
       #         as shown below. Update the sha256 sum arguments
       #         to include all binaries that you generate
       #         provenance for.
@@ -631,7 +632,75 @@ jobs:
 
   # =========================================================
   #
-  # Step 5: Call the generic workflow to generate provenance
+  # Step 4: Call the generic workflow to generate provenance
+  #         by declaring the job below.
+  #
+  # =========================================================
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read   # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      upload-assets: true # Optional: Upload to a new release
+```
+
+### Provenance for Haskell
+
+If you use [Haskell](https://www.haskell.org/) (either via
+[`cabal`](https://www.haskell.org/cabal/) or
+[`stack`](https://docs.haskellstack.org/en/stable/README/)) to generate your
+artifacts, you can easily generate SLSA3 provenance by updating your existing
+workflow with the steps indicated in the workflow below.
+
+```yaml
+jobs:
+  build:
+    # ==================================================
+    #
+    # Step 1: Declare an `outputs` for the hashes to be
+    #         used during the provenance steps.
+    #
+    # ==================================================
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+
+    [...]
+
+    steps:
+      [...]
+      - name: Build using Haskell
+        run: |
+          # Your normal build workflow targets here.
+          cabal build   # or stack build
+
+          # Copy the binary to the root directory for easier reference
+          # For Cabal, use the following command
+          cp $(cabal list-bin .) .
+          # For Stack, use the following command instead
+          # cp $(stack path --local-install-root)/bin/target_binary .
+
+      # ========================================================
+      #
+      # Step 2: Add a step to generate the provenance subjects
+      #         as shown below. Update the sha256 sum arguments
+      #         to include all binaries that you generate
+      #         provenance for.
+      #
+      # ========================================================
+      - name: Generate subject
+        id: hash
+        run: |
+          set -euo pipefail
+
+          echo "::set-output name=hashes::$(sha256sum target_binary | base64 -w0)"
+
+  # =========================================================
+  #
+  # Step 3: Call the generic workflow to generate provenance
   #         by declaring the job below.
   #
   # =========================================================
