POC adding bcr provenance gen to slsa-verifier

builder-is must be specified on the command line for the bazel builders

release-workflow: https://github.com/bazel-contrib/.github/.github/workflows/release_ruleset.yaml
publish-workflow: https://github.com/bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml

Signed-off-by: Appu Goundan <[email protected]>

Author: loosebazooka

verifiers/internal/gha/slsaprovenance/common/builders.go

@@ -23,4 +23,9 @@ var (
 	GenericDelegatorBuilderID = trustedBuilderRepository + "/.github/workflows/delegator_generic_slsa3.yml"
 	// GenericLowPermsDelegatorBuilderID is the SLSA builder ID for the BYOB Generic Low-Permissions Delegated Builder.
 	GenericLowPermsDelegatorBuilderID = trustedBuilderRepository + "/.github/workflows/delegator_lowperms-generic_slsa3.yml"
+
+	// BCRReleaseBuilderID is the bcr reusable workflow that generates provenance for a ruleset release.
+	BCRReleaserBuilderID = "https://github.com/bazel-contrib/.github/.github/workflows/release_ruleset.yaml"
+	// BCRPublisherBuilderID is the bcr reusable workflow that generates BCR repository metadata for a ruleset.
+	BCRPublisherBuilderID = "https://github.com/bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml"
 )

verifiers/internal/gha/slsaprovenance/common/buildtypes.go

@@ -24,6 +24,8 @@ var (
 
 	// NpmCLIGithubActionsBuildTypeV1 is the buildType for provenance by the npm cli from GitHub Actions.
 	NpmCLIGithubActionsBuildTypeV1 = "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1"
+
+	GithubActionsBuildTypeV1 = "https://actions.github.io/buildtypes/workflow/v1"
 )
 
 // Legacy buildTypes.

verifiers/internal/gha/slsaprovenance/v1.0/github_attest.go

@@ -0,0 +1,36 @@
+package v1
+
+import (
+	"fmt"
+
+	serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
+)
+
+// GithubAttestBuildType is the build type for the github attest based builder
+var GithubAttestBuildType = "https://actions.github.io/buildtypes/workflow/v1"
+
+// GithubAttestProvenance is provenance generated by an action using github's attest action
+type GithubAttestProvenance struct {
+	*provenanceV1
+}
+
+func (p *GithubAttestProvenance) TriggerURI() (string, error) {
+	externalParams, err := p.getExternalParameters()
+	if err != nil {
+		return "", err
+	}
+	workflow, ok := externalParams["workflow"].(map[string]interface{})
+	if !ok {
+		return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidFormat, "workflow parameters")
+	}
+	repository, ok := workflow["repository"].(string)
+	if !ok {
+		return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidFormat, "workflow parameters: repository")
+	}
+	ref, ok := workflow["ref"].(string)
+	if !ok {
+		return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidFormat, "workflow parameters: ref")
+	}
+	uri := fmt.Sprintf("git+%s@%s", repository, ref)
+	return uri, nil
+}

verifiers/internal/gha/slsaprovenance/v1.0/provenance.go

@@ -50,12 +50,22 @@ func newNpmCLIGithubActions(a *Attestation) iface.Provenance {
 	}
 }
 
+func newGithubAttest(a *Attestation) iface.Provenance {
+	return &GithubAttestProvenance{
+		provenanceV1: &provenanceV1{
+			prov: a,
+		},
+	}
+}
+
 // buildTypeMap is a map of builder IDs to supported buildTypes.
 var buildTypeMap = map[string]map[string]provFunc{
 	common.GenericDelegatorBuilderID:         {common.BYOBBuildTypeV0: newBYOB},
 	common.GenericLowPermsDelegatorBuilderID: {common.BYOBBuildTypeV0: newBYOB},
 	common.ContainerBasedBuilderID:           {common.ContainerBasedBuildTypeV01Draft: newContainerBased},
 	common.NpmCLIHostedBuilderID:             {common.NpmCLIGithubActionsBuildTypeV1: newNpmCLIGithubActions},
+	common.BCRReleaserBuilderID:              {common.GithubActionsBuildTypeV1: newGithubAttest},
+	common.BCRPublisherBuilderID:             {common.GithubActionsBuildTypeV1: newGithubAttest},
 }
 
 // New returns a new Provenance object based on the payload.