laurentsimon opened this issue 1 year ago (status: Open)
I propose to have a new input to the SRW that takes a "list", maybe `mask-inputs: name1, name2, name3`?
Wdut?
/cc @asraa @ianlewis
We'll have to instruct TRW authors to use it but yeah, that's probably fine.
I'll start adding this feature then.
Are these fields in the GitHub context? I worry that we won't have uniform conformance of the produced provenance, which is fine because it's TRW controlled.
But are you thinking our implementation of the npm one will mask-inputs, rather than us masking usernames by default?
It's a cool solution, just wondering.
Because we can publish the github context and say these fields exist, mask anything you don't like.
(Curious about the variable event payload as well, but as long as we can document the provenance content it's OK)
So there are 2 aspects:

```yaml
inputs:
  username:
  ...
uses: slsa-framework/delegator.yml
with:
  slsa-inputs: ${{ toJson(inputs) }}
  slsa-mask-inputs: username, <something-else>
```

Let me know if that makes sense or not.
Sorry, I was not clear in the original description
See comment https://github.com/slsa-framework/slsa-github-generator/issues/1410#issuecomment-1431615223
We need a way to omit the plaintext "masked" inputs from the token, so that they are not recorded by Rekor. I think there's a way to do that
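The two pieces discussed above, a `slsa-mask-inputs` list next to `slsa-inputs: ${{ toJson(inputs) }}` and a token that never carries the plaintext of a masked input (so Rekor has nothing to record), can be sketched as one redaction step. The code below is an added example, not code from slsa-github-generator; the `Redacted` token shape, the `Redact`/`ParseMaskList`/`Contains` functions and the sample inputs are all assumptions made here for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Redacted is a hypothetical stand-in for what the delegator would place in
// the token instead of the raw TRW inputs: the unmasked inputs, plus the
// names (never the values) of the inputs that were masked.
type Redacted struct {
	Inputs map[string]any `json:"inputs"`
	Masked []string       `json:"masked"`
}

// ParseMaskList parses a `slsa-mask-inputs: name1, name2` value. Empty
// items and surrounding whitespace are ignored, so a trailing comma is safe.
func ParseMaskList(s string) []string {
	var names []string
	for _, n := range strings.Split(s, ",") {
		if n = strings.TrimSpace(n); n != "" {
			names = append(names, n)
		}
	}
	return names
}

// Redact parses the JSON produced by ${{ toJson(inputs) }} and drops every
// input named in mask. Values of masked inputs never enter the result, so a
// token built from it carries no plaintext for Rekor to record. Mask names
// with no matching input are returned separately rather than treated as an
// error, so a TRW author may list a name before the input exists.
func Redact(inputsJSON string, mask []string) (Redacted, []string, error) {
	var inputs map[string]any
	if err := json.Unmarshal([]byte(inputsJSON), &inputs); err != nil {
		return Redacted{}, nil, fmt.Errorf("inputs is not a JSON object: %w", err)
	}
	out := Redacted{Inputs: map[string]any{}}
	var unknown []string
	masked := map[string]bool{}
	for _, n := range mask {
		if _, ok := inputs[n]; ok {
			masked[n] = true
			out.Masked = append(out.Masked, n)
		} else {
			unknown = append(unknown, n)
		}
	}
	for k, v := range inputs {
		if !masked[k] {
			out.Inputs[k] = v
		}
	}
	sort.Strings(out.Masked)
	sort.Strings(unknown)
	return out, unknown, nil
}

// Contains reports whether the serialized token still carries a value; this
// is the check to run against the token before it is signed and uploaded.
func Contains(r Redacted, value string) (bool, error) {
	b, err := json.Marshal(r)
	if err != nil {
		return false, err
	}
	return strings.Contains(string(b), value), nil
}

func main() {
	// Constructed sample of ${{ toJson(inputs) }} for a TRW with a username
	// input and two ordinary inputs (not taken from any real workflow).
	const inputs = `{"username":"alice","node-version":"18","registry":"https://registry.npmjs.org"}`
	mask := ParseMaskList("username, api-token")
	r, unknown, err := Redact(inputs, mask)
	if err != nil {
		panic(err)
	}
	leaked, _ := Contains(r, "alice")
	fmt.Printf("token inputs: %v\nmasked: %v\nunknown mask names: %v\nleaked: %v\n",
		r.Inputs, r.Masked, unknown, leaked)
}
```

Recording only the masked names keeps the provenance self-describing (a verifier can see that `username` existed and was withheld) without putting the value anywhere near the signed token or the transparency log.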
This issue was reopened by the todo-issue-reopener action in the "TODO Issue Reopener" GitHub Actions workflow because there are TODOs referencing this issue:
Fields like usernames should be omitted from the provenance. We can't have them be secrets because it would cause the GitHub masking engine to detect secrets when there is a match with a SHA we use for uploading / downloading artifacts.