Skip to content

chore: remove usages of hard-coded provenance build types #1014

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Mar 12, 2025
Merged

chore: remove usages of hard-coded provenance build types #1014

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e9f9ee1
chore: remove usages of hard-coded provenance build types
benmss Mar 12, 2025
0f755b8
chore: replace use of build def with class function
benmss Mar 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 17 additions & 22 deletions src/macaron/provenance/provenance_extractor.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -149,38 +149,33 @@ def _extract_from_slsa_v1(payload: InTotoV1Payload) -> tuple[str | None, str | N
logger.debug("No predicate in payload statement.")
return None, None

build_def = json_extract(predicate, ["buildDefinition"], dict)
if not build_def:
return None, None

build_type = json_extract(build_def, ["buildType"], str)
if not build_type:
return None, None
build_def = ProvenancePredicate.find_build_def(payload.statement)

# Extract the repository URL.
match build_type:
case "https://slsa-framework.github.io/gcb-buildtypes/triggered-build/v1":
repo = json_extract(build_def, ["externalParameters", "sourceToBuild", "repository"], str)
if not repo:
repo = json_extract(build_def, ["externalParameters", "configSource", "repository"], str)
case "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1":
repo = json_extract(build_def, ["externalParameters", "workflow", "repository"], str)
case "https://github.com/oracle/macaron/tree/main/src/macaron/resources/provenance-buildtypes/oci/v1":
repo = json_extract(build_def, ["externalParameters", "source"], str)
case _:
logger.debug("Unsupported build type for SLSA v1: %s", build_type)
return None, None
if isinstance(build_def, SLSAGCBBuildDefinitionV1):
repo = json_extract(predicate, ["buildDefinition", "externalParameters", "sourceToBuild", "repository"], str)
if not repo:
repo = json_extract(predicate, ["buildDefinition", "externalParameters", "configSource", "repository"], str)
elif isinstance(build_def, SLSAGithubActionsBuildDefinitionV1):
repo = json_extract(predicate, ["buildDefinition", "externalParameters", "workflow", "repository"], str)
elif isinstance(build_def, SLSAOCIBuildDefinitionV1):
repo = json_extract(predicate, ["buildDefinition", "externalParameters", "source"], str)
else:
logger.debug("Unsupported build type for SLSA v1: %s", type(build_def))
return None, None

if not repo:
logger.debug("Repo URL not found in SLSA v1 payload.")
return None, None

# Extract the commit hash.
commit = None
if build_type == "https://github.com/oracle/macaron/tree/main/src/macaron/resources/provenance-buildtypes/oci/v1":
commit = json_extract(build_def, ["internalParameters", "buildEnvVar", "BLD_COMMIT_HASH"], str)
if isinstance(build_def, SLSAOCIBuildDefinitionV1):
commit = json_extract(
predicate, ["buildDefinition", "internalParameters", "buildEnvVar", "BLD_COMMIT_HASH"], str
)
else:
deps = json_extract(build_def, ["resolvedDependencies"], list)
deps = json_extract(predicate, ["buildDefinition", "resolvedDependencies"], list)
if not deps:
return repo, None
for dep in deps:
Expand Down
Loading