From 4d1576b7ad47ce8739dad0fc1e22a1e249ef19d7 Mon Sep 17 00:00:00 2001
From: Chasen Bettinger
Date: Sun, 16 Apr 2023 10:59:02 -0400
Subject: [PATCH 1/5] docs: Add example for using GCP Workload Identity

This closes #1732.

Signed-off-by: Chasen Bettinger
---
 internal/builders/container/README.md | 120 ++++++++++++++++++++++++++
 1 file changed, 120 insertions(+)

diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index a4a25fc94a..9443e72942 100644
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -21,6 +21,7 @@ project simply generates provenance as a separate step in an existing workflow. - [Benefits of Provenance](#benefits-of-provenance) - [Generating Provenance](#generating-provenance) - [Getting Started](#getting-started) + - [With GCP Artifact Registry](#with-gcp-artifact-registry) - [Referencing the SLSA generator](#referencing-the-slsa-generator) - [Private Repositories](#private-repositories) - [Supported Triggers](#supported-triggers)
@@ -152,6 +153,125 @@ jobs: registry-password: ${{ secrets.GITHUB_TOKEN }} ``` +#### With GCP Artifact Registry + +The following is an example of pushing an image Artifact Registry in GCP and generating the provenance for that image. In order for you to run this example, you will need to have a [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) that enables you to exchange a GitHub token for access within GCP. If you have not yet created one or have not created a provider within your existing federation for GitHub, please review the following resources: + +- https://gist.github.com/palewire/12c4b2b974ef735d22da7493cf7f4d37 +- https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions + +Once you have a Workload Identity Federation with a GitHub provider, you're ready to begin implementing the GitHub Action below. + +```yaml +env: + IMAGE_NAME: ${{ github.repository }} + # FORMAT: + # {region}-docker.pkg.dev/{project-id}/{artifact-registry-name} + # EXAMPLE: + # northamerica-northeast1-docker.pkg.dev/blank-check-231234/your-repository + REPOSITORY_PATH: ${{ vars.REPOSITORY_PATH }} + # EXAMPLE: + # projects/123123412578/locations/global/workloadIdentityPools/my-pool/providers/my-provider + WORKLOAD_IDENTITY_PROVIDER: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }} + # EXAMPLE: + # my-service-account@blank-check-231234.iam.gserviceaccount.com + SERVICE_ACCOUNT: ${{ vars.SERVICE_ACCOUNT }} + +on: [push] + +jobs: + # This step builds our image, pushes it, and outputs the repo hash digest. 
+ build: + permissions: + contents: read + packages: write + id-token: write + outputs: + image: ${{ steps.image.outputs.image }} + digest: ${{ steps.build.outputs.digest }} + workload_identity_provider: ${{ steps.idprov.outputs.widp }} + service_account: ${{ steps.sa.outputs.sa }} + runs-on: ubuntu-latest + steps: + - name: Checkout the repository + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.3.4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # v2.0.0 + + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@v1.0.0' + with: + token_format: 'access_token' + workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }} + service_account: ${{ vars.SERVICE_ACCOUNT }} + + - name: Authenticate Docker + uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # v2.0.0 + with: + registry: northamerica-northeast1-docker.pkg.dev + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # v4.0.1 + with: + images: ${{ vars.REPOSITORY_PATH }}/${{ env.IMAGE_NAME }} + + - name: Build and push Docker image + uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # v3.0.0 + id: build + with: + push: true + tags: | + ${{ steps.meta.outputs.tags }} + ${{ vars.REPOSITORY_PATH }}/${{ env.IMAGE_NAME }}:latest + labels: ${{ steps.meta.outputs.labels }} + + - name: Output image + id: image + run: | + # NOTE: Set the image as an output because the `env` context is not + # available to the inputs of a reusable workflow call. 
+ image_name="${REPOSITORY_PATH}/${IMAGE_NAME}" + echo image=$image_name >> "$GITHUB_OUTPUT" + + - name: Output workload_identity_provider + id: idprov + run: | + workload_identity_provider=${WORKLOAD_IDENTITY_PROVIDER} + echo widp=$workload_identity_provider >> "$GITHUB_OUTPUT" + + - name: Output service_account + id: sa + run: | + service_account=${SERVICE_ACCOUNT} + echo sa=$service_account >> "$GITHUB_OUTPUT" + + # This step calls the container workflow to generate provenance and push it to + # the container registry. + provenance: + needs: [build] + permissions: + actions: read # for detecting the Github Actions environment. + id-token: write # for creating OIDC tokens for signing. + packages: write # for uploading attestations. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0 + with: + image: ${{ needs.build.outputs.image }} + digest: ${{ needs.build.outputs.digest }} + gcp-workload-identity-provider: ${{ needs.build.outputs.workload_identity_provider }} + gcp-service-account: ${{ needs.build.outputs.service_account }} + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} + +``` + +NOTE: There are existing challenges with using secrets in reusable workflows. Due to these problems, you will likely need to use unencrypted environment variables. To learn more: https://github.com/orgs/community/discussions/17554 and https://colinsalmcorner.com/consuming-environment-secrets-in-reusable-workflows/. + ### Referencing the SLSA generator At present, the generator **MUST** be referenced
From e0924ef024f6ecfaac48fc15fc1ee7076511a210 Mon Sep 17 00:00:00 2001
From: Chasen Bettinger
Date: Sun, 16 Apr 2023 11:05:46 -0400
Subject: [PATCH 2/5] fix: Resolve grammatical error

Signed-off-by: Chasen Bettinger
---
 internal/builders/container/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index 9443e72942..9fdaadc504 100644
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -155,7 +155,7 @@ jobs: #### With GCP Artifact Registry -The following is an example of pushing an image Artifact Registry in GCP and generating the provenance for that image. In order for you to run this example, you will need to have a [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) that enables you to exchange a GitHub token for access within GCP. If you have not yet created one or have not created a provider within your existing federation for GitHub, please review the following resources: +The following is an example of pushing an image to an Artifact Registry in GCP and generating the provenance for that image. In order for you to run this example, you will need to have a [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) that enables you to exchange a GitHub token for access within GCP. If you have not yet created one or have not created a provider within your existing federation for GitHub, please review the following resources: - https://gist.github.com/palewire/12c4b2b974ef735d22da7493cf7f4d37 - https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions
From 42c2a1bddf5a8a944e98f93e3984f16e5c8bc6de Mon Sep 17 00:00:00 2001
From: Chasen Bettinger
Date: Sun, 16 Apr 2023 11:06:59 -0400
Subject: [PATCH 3/5] fix: Add reference to GCP Workload Identity page

Signed-off-by: Chasen Bettinger
---
 internal/builders/container/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index 9fdaadc504..3a1d540eec 100644
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -155,7 +155,7 @@ jobs: #### With GCP Artifact Registry -The following is an example of pushing an image to an Artifact Registry in GCP and generating the provenance for that image. In order for you to run this example, you will need to have a [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) that enables you to exchange a GitHub token for access within GCP. If you have not yet created one or have not created a provider within your existing federation for GitHub, please review the following resources: +The following is an example of pushing an image to an [Artifact Registry](https://cloud.google.com/artifact-registry) in GCP and generating the provenance for that image. In order for you to run this example, you will need to have a [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) that enables you to exchange a GitHub token for access within GCP. If you have not yet created one or have not created a provider within your existing federation for GitHub, please review the following resources: - https://gist.github.com/palewire/12c4b2b974ef735d22da7493cf7f4d37 - https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions
From 63b0bef4f6a5e532652c51593224eebf8b4568e8 Mon Sep 17 00:00:00 2001
From: Chasen Bettinger
Date: Tue, 18 Apr 2023 09:51:38 -0400
Subject: [PATCH 4/5] docs: Adjust docs based on PR feedback

Signed-off-by: Chasen Bettinger
---
 internal/builders/container/README.md | 38 ++++++++++-----------------
 1 file changed, 14 insertions(+), 24 deletions(-)

diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index 3a1d540eec..331198d002 100644
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -157,11 +157,21 @@ jobs: The following is an example of pushing an image to an [Artifact Registry](https://cloud.google.com/artifact-registry) in GCP and generating the provenance for that image. In order for you to run this example, you will need to have a [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) that enables you to exchange a GitHub token for access within GCP. If you have not yet created one or have not created a provider within your existing federation for GitHub, please review the following resources: -- https://gist.github.com/palewire/12c4b2b974ef735d22da7493cf7f4d37 -- https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions +- [Setting up Workload Identity Federation](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +- [Enabling keyless authentication from GitHub Actions](https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions) Once you have a Workload Identity Federation with a GitHub provider, you're ready to begin implementing the GitHub Action below. +Friendly reminder to set the following environment variables in your GitHub settings: +```bash + # EXAMPLE: + # projects/123123412578/locations/global/workloadIdentityPools/my-pool/providers/my-provider + WORKLOAD_IDENTITY_PROVIDER= + # EXAMPLE: + # my-service-account@blank-check-231234.iam.gserviceaccount.com + SERVICE_ACCOUNT= +``` + ```yaml env: IMAGE_NAME: ${{ github.repository }} 
@@ -170,12 +180,6 @@ env: # EXAMPLE: # northamerica-northeast1-docker.pkg.dev/blank-check-231234/your-repository REPOSITORY_PATH: ${{ vars.REPOSITORY_PATH }} - # EXAMPLE: - # projects/123123412578/locations/global/workloadIdentityPools/my-pool/providers/my-provider - WORKLOAD_IDENTITY_PROVIDER: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }} - # EXAMPLE: - # my-service-account@blank-check-231234.iam.gserviceaccount.com - SERVICE_ACCOUNT: ${{ vars.SERVICE_ACCOUNT }} on: [push]
@@ -189,8 +193,6 @@ jobs: outputs: image: ${{ steps.image.outputs.image }} digest: ${{ steps.build.outputs.digest }} - workload_identity_provider: ${{ steps.idprov.outputs.widp }} - service_account: ${{ steps.sa.outputs.sa }} runs-on: ubuntu-latest steps: - name: Checkout the repository
@@ -238,18 +240,6 @@ jobs: image_name="${REPOSITORY_PATH}/${IMAGE_NAME}" echo image=$image_name >> "$GITHUB_OUTPUT" - - name: Output workload_identity_provider - id: idprov - run: | - workload_identity_provider=${WORKLOAD_IDENTITY_PROVIDER} - echo widp=$workload_identity_provider >> "$GITHUB_OUTPUT" - - - name: Output service_account - id: sa - run: | - service_account=${SERVICE_ACCOUNT} - echo sa=$service_account >> "$GITHUB_OUTPUT" - - # This step calls the container workflow to generate provenance and push it to # the container registry. provenance:
@@ -262,8 +252,8 @@ jobs: with: image: ${{ needs.build.outputs.image }} digest: ${{ needs.build.outputs.digest }} - gcp-workload-identity-provider: ${{ needs.build.outputs.workload_identity_provider }} - gcp-service-account: ${{ needs.build.outputs.service_account }} + gcp-workload-identity-provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }} + gcp-service-account: ${{ vars.SERVICE_ACCOUNT }} registry-username: ${{ github.actor }} secrets: registry-password: ${{ secrets.GITHUB_TOKEN }}
From 8d561534ccf7f1015bade94f1ca0dc0d07092896 Mon Sep 17 00:00:00 2001
From: Chasen Bettinger
Date: Tue, 18 Apr 2023 13:08:17 -0400
Subject: [PATCH 5/5] docs: Add link to setting GitHub env variables

Signed-off-by: Chasen Bettinger
---
 internal/builders/container/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index 331198d002..d181e42feb 100644
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -162,7 +162,7 @@ The following is an example of pushing an image to an [Artifact Registry](https: Once you have a Workload Identity Federation with a GitHub provider, you're ready to begin implementing the GitHub Action below. -Friendly reminder to set the following environment variables in your GitHub settings: +Friendly reminder to [set the following environment variables](https://docs.github.com/en/actions/learn-github-actions/variables) in your GitHub settings: ```bash # EXAMPLE: # projects/123123412578/locations/global/workloadIdentityPools/my-pool/providers/my-provider