slsa-framework / slsa-github-generator

Language-agnostic SLSA provenance generation for Github Actions
Apache License 2.0

[feature][byob] Re-visit workflow structure #2077

Open laurentsimon opened 1 year ago

laurentsimon commented 1 year ago

In the v1.0, we may leave

workflow: {
  ref: rawTokenObj.github.ref,
  repository: rawTokenObj.github.repository,
  path: getWorkflowPath(rawTokenObj.github),
},

blank, because:

  1. The interface to our builder has nothing to do with this workflow
  2. The trigger workflow is present in the env variables anyway, in case someone wants to know about it
laurentsimon commented 1 year ago

/cc @asraa relevant to the discussion in https://github.com/slsa-framework/slsa-verifier/issues/610. Let's keep this issue for tracking the update to docker-based builder and the BYOB builders.

We tentatively agreed in the other issue to keep the workflow but move it under internalParameters for builders. Generators will need to keep the workflow in externalParameters. Probably we need a new bool input to the verify-token indicating if the call is for a generator or a builder.

laurentsimon commented 1 year ago

Given that there's already GITHUB_WORKFLOW_REF recorded in the internalParameters, I think we can drop the workflow entirely if it's a builder.
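The layout discussed in this thread, as an added example that is not code from slsa-github-generator or slsa-verifier: the trigger workflow stays under `externalParameters` for generators and is dropped for builders, where `GITHUB_WORKFLOW_REF` in `internalParameters` already identifies it. Only `workflow`, `ref`, `repository`, `path` and the `getWorkflowPath` name come from the snippet quoted above; the `isGenerator` flag (the "new bool input" mentioned in the thread), the `workflow_ref` field, the sample token values and the consistency check are assumptions made for this example.

```javascript
// Added example, not the project's own code. Shapes the externalParameters /
// internalParameters split proposed in this issue and adds a verifier-side
// consistency check. Names beyond those quoted in the issue are assumptions.

// Constructed sample of the decoded token's `github` values. The
// `workflow_ref` field is assumed here and mirrors the real
// GITHUB_WORKFLOW_REF format: "<owner>/<repo>/<path>@<ref>".
const SAMPLE_GITHUB = {
  ref: "refs/heads/main",
  repository: "example-org/example-repo",
  workflow_ref:
    "example-org/example-repo/.github/workflows/release.yml@refs/heads/main",
};

// Hypothetical stand-in for the getWorkflowPath() call quoted in the issue:
// strip the "<ref>" suffix and the "<owner>/<repo>/" prefix from
// GITHUB_WORKFLOW_REF, refusing values that point at another repository.
function getWorkflowPath(github) {
  const withoutRef = github.workflow_ref.split("@")[0];
  const prefix = `${github.repository}/`;
  if (!withoutRef.startsWith(prefix)) {
    throw new Error(
      `workflow_ref ${github.workflow_ref} does not belong to ${github.repository}`
    );
  }
  return withoutRef.slice(prefix.length);
}

// The `workflow` object exactly as quoted in the issue.
function workflowParameters(github) {
  return {
    ref: github.ref,
    repository: github.repository,
    path: getWorkflowPath(github),
  };
}

// Generators keep the trigger workflow in externalParameters; builders omit
// it, since GITHUB_WORKFLOW_REF is already recorded in internalParameters.
// `isGenerator` plays the role of the bool input suggested in the thread.
function buildDefinitionParameters(github, isGenerator) {
  const internalParameters = {
    GITHUB_WORKFLOW_REF: github.workflow_ref,
  };
  const externalParameters = isGenerator
    ? { workflow: workflowParameters(github) }
    : {};
  return { externalParameters, internalParameters };
}

// Verifier-side check (an assumption, not slsa-verifier's logic): a builder
// provenance must carry no external `workflow`, and a generator provenance's
// external `workflow` must agree with GITHUB_WORKFLOW_REF, so the two
// locations can never describe different workflows.
function checkWorkflowConsistency(params, isGenerator) {
  const ref = params.internalParameters.GITHUB_WORKFLOW_REF;
  if (typeof ref !== "string" || ref.length === 0) return false;
  const wf = params.externalParameters.workflow;
  if (!isGenerator) return wf === undefined;
  if (!wf) return false;
  const expected = `${wf.repository}/${wf.path}@${wf.ref}`;
  return expected === ref;
}

// Stand-alone usage: build both variants from the constructed sample.
const generatorParams = buildDefinitionParameters(SAMPLE_GITHUB, true);
const builderParams = buildDefinitionParameters(SAMPLE_GITHUB, false);
console.log(JSON.stringify(generatorParams, null, 2));
console.log(JSON.stringify(builderParams, null, 2));
```

The check rejects a generator provenance whose external `workflow` disagrees with `GITHUB_WORKFLOW_REF`, and a builder provenance that still carries one; both are the cases a verifier would have to reason about once the two locations are allowed to differ by builder type.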