hacked in witness support

.github/workflows/release.yml

@@ -0,0 +1,62 @@
+permissions:
+    id-token: write # This is required for requesting the JWT
+    contents: read # This is required for actions/checkout
+
+name: release
+
+
+on:
+    push:
+      branches:
+        - '*'
+jobs:
+    build-entrypoint:
+      runs-on: "ubuntu-22.04"
+
+      steps:
+        - name: Install Go
+          uses: actions/setup-go@v2
+          with:
+            go-version: 1.20.6
+
+        - name: Checkout
+          uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+          with:
+            fetch-depth: 0
+
+
+        - uses: actions/cache@v2
+          with:
+           path: |
+             ~/go/pkg/mod
+             ~/.cache/go-build
+           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+           restore-keys: |
+              ${{ runner.os }}-go-
+
+
+        - name: Setup KO
+          uses: imjasonh/[email protected]
+          env:
+            KO_DOCKER_REPO: ghcr.io/github.com/testifysec/pipeline-entrypoint
+
+        - name: Login to GHCR
+          env:
+            AUTH_TOKEN: ${{ secrets.AUTH_TOKEN }}
+          run: |
+            echo "${AUTH_TOKEN}" | ko login ghcr.io --username dummy --password-stdin
+
+        - name: Build Entrypoint
+          uses: testifysec/[email protected]
+          env:
+            GITHUB_TOKEN: ${{ secrets.AUTH_TOKEN }}
+            GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
+            KO_DOCKER_REPO: ghcr.io/github.com/testifysec/pipeline-entrypoint
+          with:
+            enable-sigstore: true
+            enable-archivista: true
+            trace: true
+            step: "build"
+            attestations: "git github oci"
+            command: ko build --tarball entrypoint.tar --sbom-dir . ./cmd/entrypoint
+

.gitignore

@@ -1,3 +1,7 @@
+tmp
+cmd/entrypoint/entrypoint
+
+
 # MacOS file viewer garbage.
 .DS_Store
 

cmd/entrypoint/exitCode

@@ -0,0 +1 @@
+0

cmd/entrypoint/runner.go

@@ -32,8 +32,11 @@ import (
 
 	"github.com/tektoncd/pipeline/pkg/entrypoint"
 	"github.com/tektoncd/pipeline/pkg/pod"
+	"github.com/testifysec/go-witness/log"
 )
 
+const ENABLE_WITNESS = true
+
 // TODO(jasonhall): Test that original exit code is propagated and that
 // stdout/stderr are collected -- needs e2e tests.
 
@@ -82,63 +85,73 @@ func (rr *realRunner) Run(ctx context.Context, args ...string) error {
 	signal.Notify(rr.signals)
 	defer signal.Reset()
 
-	cmd := exec.CommandContext(ctx, name, args...)
+	if ENABLE_WITNESS {
+		log.SetLogger(StdoutStderrLogger{})
 
-	// if a standard output file is specified
-	// create the log file and add to the std multi writer
-	if rr.stdoutPath != "" {
-		stdout, err := newStdLogWriter(rr.stdoutPath)
+		err := withWitness(ctx, append([]string{name}, args...))
 		if err != nil {
 			return err
 		}
-		defer stdout.Close()
-		cmd.Stdout = io.MultiWriter(os.Stdout, stdout)
+
 	} else {
-		cmd.Stdout = os.Stdout
-	}
-	if rr.stderrPath != "" {
-		stderr, err := newStdLogWriter(rr.stderrPath)
-		if err != nil {
-			return err
+		cmd := exec.CommandContext(ctx, name, args...)
+
+		// if a standard output file is specified
+		// create the log file and add to the std multi writer
+		if rr.stdoutPath != "" {
+			stdout, err := newStdLogWriter(rr.stdoutPath)
+			if err != nil {
+				return err
+			}
+			defer stdout.Close()
+			cmd.Stdout = io.MultiWriter(os.Stdout, stdout)
+		} else {
+			cmd.Stdout = os.Stdout
+		}
+		if rr.stderrPath != "" {
+			stderr, err := newStdLogWriter(rr.stderrPath)
+			if err != nil {
+				return err
+			}
+			defer stderr.Close()
+			cmd.Stderr = io.MultiWriter(os.Stderr, stderr)
+		} else {
+			cmd.Stderr = os.Stderr
 		}
-		defer stderr.Close()
-		cmd.Stderr = io.MultiWriter(os.Stderr, stderr)
-	} else {
-		cmd.Stderr = os.Stderr
-	}
-
-	// dedicated PID group used to forward signals to
-	// main process and all children
-	cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
 
-	if os.Getenv("TEKTON_RESOURCE_NAME") == "" && os.Getenv(pod.TektonHermeticEnvVar) == "1" {
-		dropNetworking(cmd)
-	}
+		// dedicated PID group used to forward signals to
+		// main process and all children
+		cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
 
-	// Start defined command
-	if err := cmd.Start(); err != nil {
-		if errors.Is(ctx.Err(), context.DeadlineExceeded) {
-			return context.DeadlineExceeded
+		if os.Getenv("TEKTON_RESOURCE_NAME") == "" && os.Getenv(pod.TektonHermeticEnvVar) == "1" {
+			dropNetworking(cmd)
 		}
-		return err
-	}
 
-	// Goroutine for signals forwarding
-	go func() {
-		for s := range rr.signals {
-			// Forward signal to main process and all children
-			if s != syscall.SIGCHLD {
-				_ = syscall.Kill(-cmd.Process.Pid, s.(syscall.Signal))
+		// Start defined command
+		if err := cmd.Start(); err != nil {
+			if errors.Is(ctx.Err(), context.DeadlineExceeded) {
+				return context.DeadlineExceeded
 			}
+			return err
 		}
-	}()
 
-	// Wait for command to exit
-	if err := cmd.Wait(); err != nil {
-		if errors.Is(ctx.Err(), context.DeadlineExceeded) {
-			return context.DeadlineExceeded
+		// Goroutine for signals forwarding
+		go func() {
+			for s := range rr.signals {
+				// Forward signal to main process and all children
+				if s != syscall.SIGCHLD {
+					_ = syscall.Kill(-cmd.Process.Pid, s.(syscall.Signal))
+				}
+			}
+		}()
+
+		// Wait for command to exit
+		if err := cmd.Wait(); err != nil {
+			if errors.Is(ctx.Err(), context.DeadlineExceeded) {
+				return context.DeadlineExceeded
+			}
+			return err
 		}
-		return err
 	}
 
 	return nil

cmd/entrypoint/test.sh

@@ -0,0 +1,11 @@
+#! /bin/bash
+
+export TEKTON_RESOURCE_NAME=test-step
+export OUT_FILE=./tmp/attestation.json
+
+
+go build .
+mkdir -p ./tmp
+./entrypoint -post_file ./tmp/.out -termination_path ./tmp/term -entrypoint 'echo "hello world"'
+
+cat ./tmp/attestation.json | jq -r .payload | base64 -d | jq