docker-attest-build-provenance/packages/attest/dist/provenance.js

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.generateProvenance = exports.generateProvenancePredicate = exports.SLSA_PREDICATE_V1_TYPE = void 0;
const INTOTO_STATEMENT_V1_TYPE = 'https://in-toto.io/Statement/v1';
exports.SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1';
const GITHUB_BUILDER_ID_PREFIX = 'https://github.com/actions/runner';
const GITHUB_BUILD_TYPE = 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1';
const generateProvenancePredicate = (env) => {
    const workflow = env.GITHUB_WORKFLOW_REF || /* istanbul ignore next */ '';
    // Split just the path and ref from the workflow string.
    // owner/repo/.github/workflows/main.yml@main =>
    //   .github/workflows/main.yml, main
    const [workflowPath, workflowRef] = workflow
        .replace(`${env.GITHUB_REPOSITORY}/`, '')
        .split('@');
    return {
        type: exports.SLSA_PREDICATE_V1_TYPE,
        params: {
            buildDefinition: {
                buildType: GITHUB_BUILD_TYPE,
                externalParameters: {
                    workflow: {
                        ref: workflowRef,
                        repository: `${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}`,
                        path: workflowPath
                    }
                },
                internalParameters: {
                    github: {
                        event_name: env.GITHUB_EVENT_NAME,
                        repository_id: env.GITHUB_REPOSITORY_ID,
                        repository_owner_id: env.GITHUB_REPOSITORY_OWNER_ID
                    }
                },
                resolvedDependencies: [
                    {
                        uri: `git+${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}@${env.GITHUB_REF}`,
                        digest: {
                            gitCommit: env.GITHUB_SHA
                        }
                    }
                ]
            },
            runDetails: {
                builder: {
                    id: `${GITHUB_BUILDER_ID_PREFIX}/${env.RUNNER_ENVIRONMENT}`
                },
                metadata: {
                    invocationId: `${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}/actions/runs/${env.GITHUB_RUN_ID}/attempts/${env.GITHUB_RUN_ATTEMPT}`
                }
            }
        }
    };
};
exports.generateProvenancePredicate = generateProvenancePredicate;
const generateProvenance = (subject, env) => {
    const predicate = (0, exports.generateProvenancePredicate)(env);
    return {
        _type: INTOTO_STATEMENT_V1_TYPE,
        subject: [subject],
        predicateType: predicate.type,
        predicate: predicate.params
    };
};
exports.generateProvenance = generateProvenance;