slsa-framework · pieterlexis · Sep 29, 2021
diff --git a/.github/workflows/example-local.yml b/.github/workflows/example-local.yml
@@ -12,11 +12,21 @@ jobs:
       - name: Create artifact
         run:  echo "onion, tomato, jalapeno, cilantro, lime, salt" > salsa.txt
 
+      # traditionally, the build code would generate this
+      - name: Create extra materials
+        run: |
+          echo '[{"uri": "pkg:deb/debian/[email protected]?arch=amd64", "digest": {"sha256": "e1731ae217fcbc64d4c00d707dcead45c828c5f762bcf8cc56d87de511e096fa"}}]' > extra-materials
+
       - name: Upload artifact
         uses: actions/upload-artifact@v2
         with:
           path: salsa.txt
 
+      - name: Upload extra materials
+        uses: actions/upload-artifact@v2
+        with:
+          path: extra-materials
+
   generate-provenance:
     needs: build
     name: Generate build provenance
@@ -34,6 +44,7 @@ jobs:
         uses: ./
         with:
           artifact_path: artifact/
+          extra_material: '["artifact/extra-materials"]'
 
       - name: Upload provenance
         uses: actions/upload-artifact@v2

diff --git a/action.yaml b/action.yaml
@@ -19,6 +19,9 @@ inputs:
     description: 'internal (do not set): the "runner" context object in json'
     required: true
     default: ${{ toJSON(runner) }}
+  extra_material:
+    description: 'Paths to JSON files with extra materials for inclusion into the provenance'
+    default: '[]'
 runs:
   using: 'docker'
   image: 'Dockerfile'
@@ -31,3 +34,5 @@ runs:
     - '${{ inputs.github_context }}'
     - "--runner_context"
     - '${{ inputs.runner_context }}'
+    - "--extra_material"
+    - '${{ inputs.extra_material }}'
diff --git a/create_provenance.go b/create_provenance.go
@@ -25,6 +25,7 @@ var (
 	outputPath    = flag.String("output_path", "build.provenance", "The path to which the generated provenance should be written.")
 	githubContext = flag.String("github_context", "", "The '${github}' context value.")
 	runnerContext = flag.String("runner_context", "", "The '${runner}' context value.")
+	extraMaterial = flag.String("extra_material", "", "Files with extra materials as in-toto data to add.")
 )
 
 type Envelope struct {
@@ -166,6 +167,18 @@ func parseFlags() {
 	}
 }
 
+func getExtraMaterials(filename string) ([]Item, error) {
+	content, err := ioutil.ReadFile(filename)
+	var ret []Item
+	if err != nil {
+		return ret, err
+	}
+	if err = json.Unmarshal(content, &ret); err != nil {
+		return ret, err
+	}
+	return ret, nil
+}
+
 func main() {
 	parseFlags()
 	stmt := Statement{PredicateType: "https://slsa.dev/provenance/v0.1", Type: "https://in-toto.io/Statement/v0.1"}
@@ -202,6 +215,10 @@ func main() {
 	if err := json.Unmarshal([]byte(*runnerContext), &context.RunnerContext); err != nil {
 		panic(err)
 	}
+	var extraMaterials []string
+	if err := json.Unmarshal([]byte(*extraMaterial), &extraMaterials); err != nil {
+		panic(err)
+	}
 	gh := context.GitHubContext
 	// Remove access token from the generated provenance.
 	context.GitHubContext.Token = ""
@@ -217,6 +234,13 @@ func main() {
 	}
 	stmt.Predicate.Recipe.Arguments = event.Inputs
 	stmt.Predicate.Materials = append(stmt.Predicate.Materials, Item{URI: "git+" + repoURI, Digest: DigestSet{"sha1": gh.SHA}})
+	for _, filename := range extraMaterials {
+		infos, err := getExtraMaterials(filename)
+		if err != nil {
+			panic(err)
+		}
+		stmt.Predicate.Materials = append(stmt.Predicate.Materials, infos...)
+	}
 	if os.Getenv("GITHUB_ACTIONS") == "true" {
 		stmt.Predicate.Builder.Id = repoURI + GitHubHostedIdSuffix
 	} else {