Record the vars context.

Records the GitHub vars context in the SLSA invocation in the generic,
container, and Go builders.

Signed-off-by: Ian Lewis <ianlewis@google.com>

Author: ianlewis

.github/workflows/builder_go_slsa3.yml

@@ -343,6 +343,7 @@ jobs:
           UNTRUSTED_ENV: "${{ needs.build-dry.outputs.go-env }}"
           UNTRUSTED_WORKING_DIR: "${{ needs.build-dry.outputs.go-working-dir }}"
           GITHUB_CONTEXT: "${{ toJSON(github) }}"
+          VARS_CONTEXT: "${{ toJSON(vars) }}"
         run: |
           set -euo pipefail
 

.github/workflows/generator_container_slsa3.yml

@@ -266,6 +266,7 @@ jobs:
           UNTRUSTED_IMAGE: "${{ inputs.image }}"
           UNTRUSTED_DIGEST: "${{ inputs.digest }}"
           GITHUB_CONTEXT: "${{ toJSON(github) }}"
+          VARS_CONTEXT: "${{ toJSON(vars) }}"
           UNTRUSTED_PROVENANCE_REPOSITORY: "${{ inputs.provenance-repository }}"
         run: |
           set -euo pipefail

.github/workflows/generator_generic_slsa3.yml

@@ -218,6 +218,7 @@ jobs:
         # See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
         env:
           GITHUB_CONTEXT: "${{ toJSON(github) }}"
+          VARS_CONTEXT: "${{ toJSON(vars) }}"
           UNTRUSTED_PROVENANCE_NAME: "${{ inputs.provenance-name }}"
         run: |
           set -euo pipefail

github/workflow.go

@@ -23,8 +23,26 @@ import (
 
 const (
 	githubContextEnvKey = "GITHUB_CONTEXT"
+	varsContextEnvKey   = "VARS_CONTEXT"
 )
 
+// VarsContext is the `vars` context.
+//
+// See: https://docs.github.com/en/actions/learn-github-actions/contexts#vars-context
+type VarsContext map[string]string
+
+// GetVarsContext returns the current GitHub Actions 'vars' context.
+func GetVarsContext() (VarsContext, error) {
+	v := VarsContext(make(map[string]string))
+	varsContext, ok := os.LookupEnv(varsContextEnvKey)
+	if !ok {
+		return v, fmt.Errorf("%s environment variable not set", varsContextEnvKey)
+	}
+
+	err := json.Unmarshal([]byte(varsContext), &v)
+	return v, err
+}
+
 // WorkflowContext is the `github` context given to workflows that contains
 // information about the GitHub Actions workflow run.
 //
@@ -70,7 +88,7 @@ func GetWorkflowContext() (WorkflowContext, error) {
 	w := WorkflowContext{}
 	ghContext, ok := os.LookupEnv(githubContextEnvKey)
 	if !ok {
-		return w, errors.New("GITHUB_CONTEXT environment variable not set")
+		return w, fmt.Errorf("%s environment variable not set", githubContextEnvKey)
 	}
 
 	err := json.Unmarshal([]byte(ghContext), &w)

internal/builders/container/generate.go

@@ -41,11 +41,14 @@ that it is being run in the context of a Github Actions workflow.`,
 			ghContext, err := github.GetWorkflowContext()
 			check(err)
 
+			varsContext, err := github.GetVarsContext()
+			check(err)
+
 			ctx := context.Background()
 
 			b := common.GenericBuild{
 				// NOTE: Subjects are nil because we are only writing the predicate.
-				GithubActionsBuild: slsa.NewGithubActionsBuild(nil, &ghContext),
+				GithubActionsBuild: slsa.NewGithubActionsBuild(nil, &ghContext, varsContext),
 				BuildTypeURI:       containerBuildType,
 			}
 

internal/builders/container/generate_test.go

@@ -35,6 +35,7 @@ func checkTest(t *testing.T) func(err error) {
 
 func Test_generateCmd_default_predicate(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()
@@ -69,6 +70,7 @@ func Test_generateCmd_default_predicate(t *testing.T) {
 
 func Test_generateCmd_custom_predicate(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()
@@ -104,6 +106,7 @@ func Test_generateCmd_custom_predicate(t *testing.T) {
 
 func Test_generateCmd_invalid_path(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()

internal/builders/generic/attest.go

@@ -51,6 +51,9 @@ run in the context of a Github Actions workflow.`,
 			ghContext, err := github.GetWorkflowContext()
 			check(err)
 
+			varsContext, err := github.GetVarsContext()
+			check(err)
+
 			subjectsBytes, err := utils.SafeReadFile(subjectsFilename)
 			check(err)
 			parsedSubjects, err := parseSubjects(string(subjectsBytes))
@@ -78,7 +81,7 @@ run in the context of a Github Actions workflow.`,
 			ctx := context.Background()
 
 			b := common.GenericBuild{
-				GithubActionsBuild: slsa.NewGithubActionsBuild(parsedSubjects, &ghContext),
+				GithubActionsBuild: slsa.NewGithubActionsBuild(parsedSubjects, &ghContext, varsContext),
 				BuildTypeURI:       provenanceOnlyBuildType,
 			}
 			if provider != nil {

internal/builders/generic/attest_test.go

@@ -223,6 +223,7 @@ func createTmpFile(content string) (string, error) {
 // Test_attestCmd tests the attest command.
 func Test_attestCmd_default_single_artifact(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()
@@ -265,6 +266,7 @@ func Test_attestCmd_default_single_artifact(t *testing.T) {
 
 func Test_attestCmd_default_multi_artifact(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()
@@ -309,6 +311,7 @@ b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  artifact2`)))
 
 func Test_attestCmd_custom_provenance_name(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()
@@ -352,6 +355,7 @@ func Test_attestCmd_custom_provenance_name(t *testing.T) {
 
 func Test_attestCmd_invalid_extension(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()
@@ -405,6 +409,7 @@ func Test_attestCmd_invalid_extension(t *testing.T) {
 
 func Test_attestCmd_invalid_path(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()
@@ -460,6 +465,7 @@ func Test_attestCmd_invalid_path(t *testing.T) {
 // subjects in subdirectories.
 func Test_attestCmd_subdirectory_artifact(t *testing.T) {
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 
 	// Change to temporary dir
 	currentDir, err := os.Getwd()

internal/builders/go/pkg/provenance.go

@@ -72,6 +72,11 @@ func GenerateProvenance(name, digest, command, envs, workingDir string,
 		return nil, err
 	}
 
+	vars, err := github.GetVarsContext()
+	if err != nil {
+		return nil, err
+	}
+
 	if _, err := hex.DecodeString(digest); err != nil || len(digest) != 64 {
 		return nil, fmt.Errorf("sha256 digest is not valid: %s", digest)
 	}
@@ -99,7 +104,7 @@ func GenerateProvenance(name, digest, command, envs, workingDir string,
 					"sha256": digest,
 				},
 			},
-		}, &gh),
+		}, &gh, vars),
 		buildConfig: buildConfig{
 			Version: buildConfigVersion,
 			Steps: []step{

internal/builders/go/pkg/provenance_test.go

@@ -26,6 +26,7 @@ func TestGenerateProvenance_withErr(t *testing.T) {
 	// TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove
 	t.Setenv("GITHUB_EVENT_NAME", "non_event")
 	t.Setenv("GITHUB_CONTEXT", "{}")
+	t.Setenv("VARS_CONTEXT", "{}")
 	sha256 := "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2"
 	_, err := GenerateProvenance(
 		"foo", sha256, "", "", "/home/foo",