Integration test

.github/workflows/integration.yml

@@ -0,0 +1,25 @@
+name: Integration test for e2e flow
+on: [pull_request, workflow_dispatch]
+
+permissions: read-all
+
+jobs:
+  args:
+    runs-on: ubuntu-latest
+    outputs:
+      ldflags: ${{ steps.ldflags.outputs.value }}
+    steps:
+      - id: ldflags
+        run: |
+          echo "::set-output name=value::-X main.gitVersion=v1.2.3 -X main.gitSomething=somthg"
+
+  integration:
+    permissions:
+      id-token: write
+      contents: read
+    needs: args
+    uses: ./.github/workflows/slsa-builder-go.yml
+    with:
+      go-version: 1.17
+      #TODO: make this a json/yaml object object
+      env: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"

.github/workflows/slsa-builder-go.yml

@@ -9,7 +9,7 @@ env:
   BUILDER_BINARY: builder
   PROVENANCE_BINARY: provenance
   BUILDER_REPOSITORY: asraa/slsa-on-github
-  BUILDER_REF: main
+  BUILDER_REF: e2e-test
 
 ###################################################################
 #                                                                 #
@@ -178,10 +178,16 @@ jobs:
 
       - name: Download dependencies
         shell: bash
+        env:
+          BUILDER_BINARY: "${{ env.BUILDER_BINARY }}"
+          GOPATH: "${{ env.GOPATH }}"
+
         run: |
           set -euo pipefail
-          go mod vendor
 
+          echo "./$BUILDER_BINARY" -vendor ./releaser.yml
+          ./"$BUILDER_BINARY" -vendor ./releaser.yml
+
       # TODO(hermeticity) OS-level.
       # - name: Disable hermeticity
       # uses: slsa/hermeticity@xxx
@@ -194,12 +200,9 @@ jobs:
         env:
           BUILDER_BINARY: "${{ env.BUILDER_BINARY }}"
           UNTRUSTED_ENVS: "${{ inputs.env }}"
-          UNTRUSTED_WORKING_DIR: "${{ inputs.working-dir }}"
         run: |
           set -euo pipefail
 
-          # TODO: pass UNTRUSTED_WORKING_DIR to builder, which will use realpath()
-          # to compute the actual directory.
           echo "./$BUILDER_BINARY" ./releaser.yml "$UNTRUSTED_ENVS"
           ./"$BUILDER_BINARY" ./releaser.yml "$UNTRUSTED_ENVS"
 

build-go/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"flag"
 	"fmt"
 	"os"
 	"os/exec"
@@ -9,7 +10,7 @@ import (
 )
 
 func usage(p string) {
-	panic(fmt.Sprintf("Usage: %s <config.yml> <env1:val1,env2:val2>\n", p))
+	panic(fmt.Sprintf("Usage: %s <flags> <config.yml> <env1:val1,env2:val2>\n", p))
 }
 
 func check(e error) {
@@ -19,22 +20,31 @@ func check(e error) {
 }
 
 func main() {
-	if len(os.Args) <= 2 {
+	vendor := flag.Bool("vendor", false, "vendor dependencies")
+	flag.Parse()
+
+	if len(flag.Args()) < 1 {
 		usage(os.Args[0])
 	}
+
 	goc, err := exec.LookPath("go")
 	check(err)
 
-	cfg, err := pkg.ConfigFromFile(os.Args[1])
+	cfg, err := pkg.ConfigFromFile(flag.Args()[0])
 	check(err)
 	fmt.Println(cfg)
 
 	gobuild := pkg.GoBuildNew(goc, cfg)
 
 	// Set env variables encoded as arguments.
-	err = gobuild.SetArgEnvVariables(os.Args[2])
+	err = gobuild.SetArgEnvVariables(flag.Args()[1:])
 	check(err)
 
-	err = gobuild.Run()
+	if *vendor {
+		err = gobuild.Vendor(flag.Args()[0])
+	} else {
+		err = gobuild.Run()
+	}
+
 	check(err)
 }

build-go/pkg/build.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"path/filepath"
 	"strings"
 	"syscall"
 )
@@ -77,17 +78,33 @@ func (b *GoBuild) Run() error {
 		flags = append(flags, fmt.Sprintf("-ldflags=%s", ldflags))
 	}
 
-	// Set filename as last argument.
+	// Set filename and directory as last argument.
 	filename, err := b.generateOutputFilename()
 	if err != nil {
 		return err
 	}
-	flags = append(flags, []string{"-o", filename}...)
+	flags = append(flags, []string{"-o", filename, b.cfg.Dir}...)
 
 	fmt.Printf("::set-output name=go-binary-name::%s\n", filename)
 	return syscall.Exec(b.goc, flags, envs)
 }
 
+func (b *GoBuild) Vendor(releaser string) error {
+	// Set flags.
+	flags, err := b.generateVendorFlags()
+	if err != nil {
+		return err
+	}
+
+	// Change directory
+	realpath := filepath.Join(filepath.Dir(releaser), b.cfg.Dir)
+	if err := syscall.Chdir(realpath); err != nil {
+		return err
+	}
+
+	return syscall.Exec(b.goc, flags, nil)
+}
+
 func (b *GoBuild) generateEnvVariables() ([]string, error) {
 	env := os.Environ()
 
@@ -113,19 +130,19 @@ func (b *GoBuild) generateEnvVariables() ([]string, error) {
 	return env, nil
 }
 
-func (b *GoBuild) SetArgEnvVariables(envs string) error {
+func (b *GoBuild) SetArgEnvVariables(envs []string) error {
 	// Notes:
 	// - I've tried running the re-usable workflow in a step
 	// and set the env variable in a previous step, but found that a re-usable workflow is not
 	// allowed to run in a step; they have to run as `job.uses`. Using `job.env` with `job.uses`
 	// is not allowed.
 	// - We don't want to allow env variables set in the workflow because of injections
 	// e.g. LD_PRELOAD, etc.
-	if envs == "" {
+	if len(envs) == 0 {
 		return nil
 	}
 
-	for _, e := range strings.Split(envs, ",") {
+	for _, e := range envs {
 		s := strings.Trim(e, " ")
 
 		sp := strings.Split(s, ":")
@@ -185,6 +202,13 @@ func (b *GoBuild) generateFlags() ([]string, error) {
 	return flags, nil
 }
 
+func (b *GoBuild) generateVendorFlags() ([]string, error) {
+	// -x
+	flags := []string{b.goc, "mod", "vendor"}
+
+	return flags, nil
+}
+
 func isAllowedArg(arg string) bool {
 	for k, _ := range allowedBuildArgs {
 		if strings.HasPrefix(arg, k) {

build-go/pkg/build_test.go

@@ -287,15 +287,15 @@ func TestArgEnvVariables(t *testing.T) {
 
 	tests := []struct {
 		name     string
-		argEnv   string
+		argEnv   []string
 		expected struct {
 			err error
 			env map[string]string
 		}
 	}{
 		{
 			name:   "valid arg envs",
-			argEnv: "VAR1:value1, VAR2:value2",
+			argEnv: []string{"VAR1:value1", "VAR2:value2"},
 			expected: struct {
 				err error
 				env map[string]string
@@ -306,7 +306,7 @@ func TestArgEnvVariables(t *testing.T) {
 		},
 		{
 			name:   "empty arg envs",
-			argEnv: "",
+			argEnv: []string{},
 			expected: struct {
 				err error
 				env map[string]string
@@ -317,7 +317,7 @@ func TestArgEnvVariables(t *testing.T) {
 		},
 		{
 			name:   "valid arg envs not space",
-			argEnv: "VAR1:value1,VAR2:value2",
+			argEnv: []string{"VAR1:value1", "VAR2:value2"},
 			expected: struct {
 				err error
 				env map[string]string
@@ -328,7 +328,7 @@ func TestArgEnvVariables(t *testing.T) {
 		},
 		{
 			name:   "invalid arg empty 2 values",
-			argEnv: "VAR1:value1,",
+			argEnv: []string{"VAR1:value1", ""},
 			expected: struct {
 				err error
 				env map[string]string
@@ -338,7 +338,7 @@ func TestArgEnvVariables(t *testing.T) {
 		},
 		{
 			name:   "invalid arg empty 3 values",
-			argEnv: "VAR1:value1,, VAR3:value3",
+			argEnv: []string{"VAR1:value1", "", "VAR3:value3"},
 			expected: struct {
 				err error
 				env map[string]string
@@ -348,7 +348,7 @@ func TestArgEnvVariables(t *testing.T) {
 		},
 		{
 			name:   "invalid arg uses equal",
-			argEnv: "VAR1=value1",
+			argEnv: []string{"VAR1=value1"},
 			expected: struct {
 				err error
 				env map[string]string
@@ -358,7 +358,7 @@ func TestArgEnvVariables(t *testing.T) {
 		},
 		{
 			name:   "valid single arg",
-			argEnv: "VAR1:value1",
+			argEnv: []string{"VAR1:value1"},
 			expected: struct {
 				err error
 				env map[string]string
@@ -369,7 +369,7 @@ func TestArgEnvVariables(t *testing.T) {
 		},
 		{
 			name:   "invalid valid single arg with empty",
-			argEnv: "VAR1:value1:",
+			argEnv: []string{"VAR1:value1:"},
 			expected: struct {
 				err error
 				env map[string]string
@@ -527,7 +527,7 @@ func TestGenerateLdflags(t *testing.T) {
 
 	tests := []struct {
 		name     string
-		argEnv   string
+		argEnv   []string
 		ldflags  []string
 		expected struct {
 			err     error
@@ -536,7 +536,7 @@ func TestGenerateLdflags(t *testing.T) {
 	}{
 		{
 			name:    "version ldflags",
-			argEnv:  "VERSION_LDFLAGS:value1",
+			argEnv:  []string{"VERSION_LDFLAGS:value1"},
 			ldflags: []string{"{{ .Env.VERSION_LDFLAGS }}"},
 			expected: struct {
 				err     error
@@ -548,7 +548,7 @@ func TestGenerateLdflags(t *testing.T) {
 		},
 		{
 			name:    "one value with text",
-			argEnv:  "VAR1:value1, VAR2:value2",
+			argEnv:  []string{"VAR1:value1", "VAR2:value2"},
 			ldflags: []string{"name-{{ .Env.VAR1 }}"},
 			expected: struct {
 				err     error
@@ -560,7 +560,7 @@ func TestGenerateLdflags(t *testing.T) {
 		},
 		{
 			name:    "two values with text",
-			argEnv:  "VAR1:value1, VAR2:value2",
+			argEnv:  []string{"VAR1:value1", "VAR2:value2"},
 			ldflags: []string{"name-{{ .Env.VAR1 }}-{{ .Env.VAR2 }}"},
 			expected: struct {
 				err     error
@@ -572,7 +572,7 @@ func TestGenerateLdflags(t *testing.T) {
 		},
 		{
 			name:    "two values with text and not space between env",
-			argEnv:  "VAR1:value1,VAR2:value2",
+			argEnv:  []string{"VAR1:value1", "VAR2:value2"},
 			ldflags: []string{"name-{{ .Env.VAR1 }}-{{ .Env.VAR2 }}"},
 			expected: struct {
 				err     error
@@ -584,7 +584,7 @@ func TestGenerateLdflags(t *testing.T) {
 		},
 		{
 			name:    "same two values with text",
-			argEnv:  "VAR1:value1, VAR2:value2",
+			argEnv:  []string{"VAR1:value1", "VAR2:value2"},
 			ldflags: []string{"name-{{ .Env.VAR1 }}-{{ .Env.VAR1 }}"},
 			expected: struct {
 				err     error
@@ -596,7 +596,7 @@ func TestGenerateLdflags(t *testing.T) {
 		},
 		{
 			name:    "same value extremeties",
-			argEnv:  "VAR1:value1, VAR2:value2",
+			argEnv:  []string{"VAR1:value1", "VAR2:value2"},
 			ldflags: []string{"{{ .Env.VAR1 }}-name-{{ .Env.VAR1 }}"},
 			expected: struct {
 				err     error
@@ -608,7 +608,7 @@ func TestGenerateLdflags(t *testing.T) {
 		},
 		{
 			name:    "two different value extremeties",
-			argEnv:  "VAR1:value1, VAR2:value2",
+			argEnv:  []string{"VAR1:value1", "VAR2:value2"},
 			ldflags: []string{"{{ .Env.VAR1 }}-name-{{ .Env.VAR2 }}"},
 			expected: struct {
 				err     error
@@ -620,7 +620,7 @@ func TestGenerateLdflags(t *testing.T) {
 		},
 		{
 			name:    "undefined env variable",
-			argEnv:  "VAR2:value2",
+			argEnv:  []string{"VAR2:value2"},
 			ldflags: []string{"{{ .Env.VAR1 }}-name-{{ .Env.VAR1 }}"},
 			expected: struct {
 				err     error
@@ -631,7 +631,7 @@ func TestGenerateLdflags(t *testing.T) {
 		},
 		{
 			name:    "undefined env variable 1",
-			argEnv:  "VAR2:value2",
+			argEnv:  []string{"VAR2:value2"},
 			ldflags: []string{"{{ .Env.VAR2 }}-name-{{ .Env.VAR1 }}"},
 			expected: struct {
 				err     error
@@ -642,7 +642,7 @@ func TestGenerateLdflags(t *testing.T) {
 		},
 		{
 			name:    "empty env variable",
-			argEnv:  "",
+			argEnv:  []string{},
 			ldflags: []string{"{{ .Env.VAR1 }}-name-{{ .Env.VAR1 }}"},
 			expected: struct {
 				err     error