feat: docker input for Bazel Builder and Rebuilder #2602
Conversation
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
enteraga6
requested review from
asraa,
ianlewis,
laurentsimon,
joshuagl and
kpk47
as code owners
| @@ -35,6 +35,11 @@ on: | |||
| required: false | |||
| type: string | |||
| default: "" | |||
| docker-image: | |||
There was a problem hiding this comment.
let's not call it docker, because we can build OCI images without docker. Also, we need a digest:
https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/builder_container-based_slsa3.yml#L62-L74
There was a problem hiding this comment.
Changed. Also added input for digest with a todo for verification of it later. TODO #2630
There was a problem hiding this comment.
I might have misunderstood you. Did you mean to use the digest to verify the image after pulling?
Like: Pull Image, Get Digest of that Image, Compare with Inputted Digest
or
Like: Pull image in form "${BUILDER_IMAGE}@${BUILDER_DIGEST}", that was taken from later on in the link. IIUC, They pull the image based of the digest.
Which did you mean so I can update the issue that tracks this progress accordingly?
There was a problem hiding this comment.
docker pull "${image}@${digest}" should verify the digest
| # # | ||
| ################################################ | ||
|
|
||
| RESET="\033[0m" |
There was a problem hiding this comment.
nit: lower case (linter may complain)
There was a problem hiding this comment.
The linter won't complain but it's best to use lowercase if it's script-local.
|
|
||
| # This directory is where the rebuilt artifacts will be stored. It is made upon | ||
| # running the rebuilder. The long name is to avoid potential collisions. | ||
| rebuilt_artifacts_dir="rebuilt_artifacts_0ffe97cd2693d6608f5a787151950ed8" |
There was a problem hiding this comment.
why not creating a temp directory instead?
There was a problem hiding this comment.
This is created within the user's slsa-github-generator repo. What would be the benefit of the temp directory? I wanted the users to be able to access the rebuilt artifacts and run them, thus why I made this directory within the same directory that they would run the rebuild.sh in.
| @@ -0,0 +1,490 @@ | |||
| #!/bin/bash | |||
| # | |||
| # Copyright 2023 SLSA Authors | |||
There was a problem hiding this comment.
can you separate code that builds provenance, vs code that is utilities (color, etc)? I think we need 2 files.
internal/builders/bazel/rebuilder.sh
Outdated
| if [[ ! ($returnValue) ]] | ||
| then | ||
| my_arg="$ARG" | ||
| printf "${RED}[ERROR] ${LIGHT_RED}%s is unrecognized${RESET}\n" "$my_arg" |
There was a problem hiding this comment.
if we want to use colors, we need to create a print_err function which abstracts away that functionality. Otherwise it's really hard to read
There was a problem hiding this comment.
+1. Maybe a print_err and print_msg which handle the colors would be nice.
internal/builders/bazel/rebuilder.sh
Outdated
| cd ../.. | ||
|
|
||
| # Now cleanup of verifier and cloned $repo_name. | ||
| cleanup |
There was a problem hiding this comment.
@ianlewis how do you feel about this huge script? I'm worried it will be hard to maintain. Shall we use another language?
There was a problem hiding this comment.
I'm not against it. 500 lines isn't that long. But I do think it could be simplified depending on how it's used. Do we need all the command line parsing stuff for example?
@enteraga6 I didn't see where this script was executed? Is it done via the bazel workflow somehow?
There was a problem hiding this comment.
Don't know why I didn't reply to this thread but replied to review instead..
My response down there was:
@ianlewis This script is not executed in a workflow. It is executed on the local machine of the user.
I will switch script to have utils and source it at beginning.
internal/builders/bazel/rebuilder.sh
Outdated
| cd ../.. | ||
|
|
||
| # Now cleanup of verifier and cloned $repo_name. | ||
| cleanup |
There was a problem hiding this comment.
I'm not against it. 500 lines isn't that long. But I do think it could be simplified depending on how it's used. Do we need all the command line parsing stuff for example?
@enteraga6 I didn't see where this script was executed? Is it done via the bazel workflow somehow?
|
@ianlewis This script is not executed in a workflow. It is executed on the local machine of the user. |
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Co-authored-by: Ian Lewis <[email protected]> Signed-off-by: Noah Elzner <[email protected]>
Co-authored-by: Ian Lewis <[email protected]> Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Co-authored-by: Ian Lewis <[email protected]> Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
| @@ -35,6 +35,18 @@ on: | |||
| required: false | |||
| type: string | |||
| default: "" | |||
| env-image: | |||
There was a problem hiding this comment.
let's re-use the naming from the container-based builder for consistency, unless there's a good reason not to
| value: ${{ fromJSON(jobs.slsa-run.outputs.build-artifacts-outputs).artifacts-download-name }} | ||
|
|
||
| artifacts-download-sha256: | ||
| description: "SHA256 of the uploaded tarball of built artifacts." |
There was a problem hiding this comment.
use sha256 lower case like in other description
| description: "SHA256 of the uploaded tarball of built artifacts." | ||
| value: ${{ fromJSON(jobs.slsa-run.outputs.build-artifacts-outputs).artifacts-download-sha256 }} | ||
|
|
||
| artifacts-actual-name: |
There was a problem hiding this comment.
let's be consistent with the name used by other builders
| id: java | ||
| uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0 | ||
| with: | ||
| distribution: "${{ fromJson(inputs.slsa-workflow-inputs).user-java-distribution }}" | ||
| java-version: "${{ fromJson(inputs.slsa-workflow-inputs).user-java-version }}" | ||
|
|
||
| - name: Check for Environment Image | ||
| id: env-image |
There was a problem hiding this comment.
why do we need this step? Why can't we simply use if: ${{ fromJson(inputs.slsa-workflow-inputs).env-image == '' }} in the next step?
| shell: bash | ||
| run: | | ||
| set -euo pipefail | ||
| docker pull $UNTRUSTED_ENV_IMAGE |
There was a problem hiding this comment.
double quote missing
| set -euo pipefail | ||
| docker pull $UNTRUSTED_ENV_IMAGE | ||
| curr_dir=$(basename "$(pwd)") | ||
| docker run --rm --env UNTRUSTED_TARGETS=${UNTRUSTED_TARGETS} --env UNTRUSTED_FLAGS=${UNTRUSTED_FLAGS} --env UNTRUSTED_NEEDS_RUNFILES=${UNTRUSTED_NEEDS_RUNFILES} --env UNTRUSTED_INCLUDES_JAVA=${UNTRUSTED_INCLUDES_JAVA} -v $PWD/../:/src -w /src $UNTRUSTED_ENV_IMAGE /bin/sh -c "ls && tree && cd $curr_dir && ls && tree && ./../__TOOL_ACTION_DIR__/build.sh" |
There was a problem hiding this comment.
double quote missing
| shell: bash | ||
| run: | | ||
| set -euo pipefail | ||
| docker pull $UNTRUSTED_ENV_IMAGE |
There was a problem hiding this comment.
is the pull required? Will docker pull automatically as part of docker run?
closes #2377
closes #2630
/cc: @mihaimaruseac @laurentsimon
Adds a feature to input a published docker image to build on top of for the Bazel Builder. Building on top of a docker image allows for reproducible build capabilities. There are now two paths for the Bazel Builder to build: using the docker image, and without, which it was doing before. Both utilize the same build script.
To check, the rebuilder will parse the arguments from the provided provenance and use the attest build process to rebuild the artifact. After the rebuild, it will compare the checksums of the provided artifact at command line to verify if the build was successfully reproducible. The rebuilder can handle every type of build that the original Github Actions Bazel Builder can, with different logic for the three main types of artifacts: java targets, targets with runfiles, and targets without runfiles.
The rebuilder does not have to build on a Docker Image. If the
docker_imageflag is not populated, it will build locally on the machine. If thedocker_imageflag is populated, but the artifact was not built on a docker image (concurred from the provenance parsing), it will also build locally and a warning will show.There is also a verbose flag for a user to see their inputs and the arguments that were parsed out of the provenance.
The rebuilder has flags for verifying the artifact and provenance before rebuilding.
Two main repos are cloned: the source repo specifed as an input to the rebuilder via
--source_uri, and slsa-verifier if--verify flagis present. There are two main usages, rebuilder only or slsa-verifier + rebuilder, which requires the extra input of thebuilder_idflag for the verifier.After completion, the rebuilt artifact will be in a rebuilt artifact directory which has a long random hash at the end to avoid collisions. Something to note is that the entire build process gets repeated since the build arguments are parsed from the provenance. So, if the user builds every target on the GHA, every target will be rebuilt as well, but only the specified target will be copied to the rebuilt artifact directory. If the user only cares about checking the checksums, they can specify the
--cleanupflag which will remove the rebuilt artifact dir, the source repo dir, and the slsa-verifier dir, after the rebuilding process is complete.Documentation on the rebuilder will come in a subsequent PR.
Additionally in this PR, the Bazel Builder workflow has been equipped with more outputs. Added is the sha256 of provenance, and the previously missing name of the binaries directory which will allow users to use this workflow for releases.
Note: I use colorful printf statements that trigger shellcheck. Instead of writing # shellcheck disable=SC2059 over each one I let the warnings persist. I made this decision because they are a lot of printf statements. Also, the warnings are about the environment variables i hardcoded for the colors, not any other environment variable. All other environment variables have been dealt with as SC2059 suggests. SC2059 suggests ignoring the warning with a directive, but that would have cluttered the code.