provenance/slsa/buildType/v1/README.md

LUCI CIPD SLSA BuildType v1 spec

This file documents the format for SLSA v1 buildType for CIPD packages. The spec may be extended in the future.

Upstream values do not change regardless of usage.

This spec is written to help LUCI developers create their specifications correctly. While the specification is written as JSON, use the proto files from the in-toto protocol buffer definitions if you can. The proto files have schemas that can be checked at compile time (in statically checked languages), while the JSON is embedded as text within those protocol buffers and has no schema.

Statement

| Field | Description | Example |
| --- | --- | --- |
| _type | Statement type/version | (From upstream) https://in-toto.io/Statement/v1 |
| subject | See Subject | See Subject |
| predicateType | Predicate type/version | (From upstream) https://slsa.dev/provenance/v1 |
| predicate | See Predicate | See Predicate |

Subject

Array containing one object:

| Field | Description | Example |
| --- | --- | --- |
| name | CIPD package name | git/linux-amd64 |
| digest.sha1 | CIPD instance ID/SHA1 hash | 7fd1a60b01f91b314f59955a4e4d4e80d8edf11d |

Predicate

| Field | Description | Example |
| --- | --- | --- |
| buildDefinition | See Build Definition | See Build Definition |
| runDetails | See Run Details | See Run Details |

Build definition

| Field | Description | Example |
| --- | --- | --- |
| buildType | Link to this document | https://chromium.googlesource.com/infra/luci/luci-go/+/refs/heads/main/provenance/slsa/buildType/v1 |
| resolvedDependencies | See Resolved Dependencies | See Resolved Dependencies |
| externalParameters.entryPointSource.uri | Location/version of recipe repository in SPDX v2.3 format | git+https://fuchsia.googlesource.com/infra/recipes@ref/heads/main |
| externalParameters.entryPointSource.recipe_path | Recipe entry point (relative path from repository root) | recipes.py |

Resolved dependencies

This should follow the upstream spec.

This section MUST include the resolved entryPointSource, like so:

| Field | Description | Example |
| --- | --- | --- |
| name | Static value | entryPointSource |
| uri | Location/version of recipe repository in SPDX v2.3 format | git+https://fuchsia.googlesource.com/infra/recipes@ref/heads/main |
| digest.gitCommit | Exact Git commit hash that was resolved for the build | 7fd1a60b01f91b314f59955a4e4d4e80d8edf11d |
| annotations.comment | Static value | Resolved from entryPointSource CIPD package |

Run details

| Field | Description | Example |
| --- | --- | --- |
| builder.id | Chosen ID registered with BCID | //bcid.corp.google.com/builders/luci/l2 |
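
A conformance check for a statement assembled from the tables in this spec, added here as an example and not taken from the LUCI code base. `check_statement`, `SAMPLE` and the constant names are hypothetical, and the nesting of the dotted field names follows upstream SLSA v1 as an assumption.

```python
import json
import re

# Assumption: dotted field names in the tables are nested JSON objects, placed
# as in upstream SLSA v1 (predicate.buildDefinition.*, predicate.runDetails.*).
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v1"
BUILD_TYPE = "https://chromium.googlesource.com/infra/luci/luci-go/+/refs/heads/main/provenance/slsa/buildType/v1"
RECIPES_URI = "git+https://fuchsia.googlesource.com/infra/recipes@ref/heads/main"
SHA1_HEX = re.compile(r"[0-9a-f]{40}")

def check_statement(raw):
    """Hypothetical helper: return the spec fields that are missing or malformed."""
    stmt = json.loads(raw)
    pred = stmt.get("predicate", {})
    build = pred.get("buildDefinition", {})
    subject = stmt.get("subject", [])
    entry = build.get("externalParameters", {}).get("entryPointSource", {})
    deps = [d for d in build.get("resolvedDependencies", []) if d.get("name") == "entryPointSource"]
    checks = {  # field -> truthy when the field matches the spec
        "_type": stmt.get("_type") == STATEMENT_TYPE,
        "predicateType": stmt.get("predicateType") == PREDICATE_TYPE,
        "subject": len(subject) == 1 and subject[0].get("name") and SHA1_HEX.fullmatch(subject[0].get("digest", {}).get("sha1", "")),
        "buildType": build.get("buildType") == BUILD_TYPE,
        "externalParameters.entryPointSource": entry.get("uri") and entry.get("recipe_path"),
        "resolvedDependencies.entryPointSource": any(d.get("uri") and d.get("digest", {}).get("gitCommit") for d in deps),
        "runDetails.builder.id": pred.get("runDetails", {}).get("builder", {}).get("id"),
    }
    return [field for field, ok in checks.items() if not ok]

# Constructed sample built from the Example column of the tables above.
SAMPLE = {
    "_type": STATEMENT_TYPE,
    "predicateType": PREDICATE_TYPE,
    "subject": [{"name": "git/linux-amd64", "digest": {"sha1": "7fd1a60b01f91b314f59955a4e4d4e80d8edf11d"}}],
    "predicate": {
        "buildDefinition": {
            "buildType": BUILD_TYPE,
            "externalParameters": {"entryPointSource": {"uri": RECIPES_URI, "recipe_path": "recipes.py"}},
            "resolvedDependencies": [{"name": "entryPointSource", "uri": RECIPES_URI,
                                      "digest": {"gitCommit": "7fd1a60b01f91b314f59955a4e4d4e80d8edf11d"},
                                      "annotations": {"comment": "Resolved from entryPointSource CIPD package"}}],
        },
        "runDetails": {"builder": {"id": "//bcid.corp.google.com/builders/luci/l2"}},
    },
}

if __name__ == "__main__":
    print(check_statement(json.dumps(SAMPLE)) or "conforms")
```

A statement whose resolvedDependencies entry has no digest.gitCommit, or whose subject array holds more than one object, is reported by field name rather than accepted.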