Generic workflow/library

[laurentsimon]

In addition to the generic API we have, there is a need for a generic workflow that calls a CLI/API with:

1. A lock file -> the reusable workflow can generate an SBOM from it. Example builder generate-sbom -lock-file <lock-file>
2. A list of commands to vendor the dependencies and tarball them to be shared with the building VM (useful for hermetic builds). In Npm, the download part would be npm ci. Example: builder vendor -cmds "npm ci"
3. A list of commands to build. In Npm, this would be npm build or npm pack. Example: builder build -cmds "untar-deps, npm pack"
4. Provenance generation: we already have this part built. Example: builder generate-provenance <TODO>

/cc @lumjjb @bcoe @MarkLodato @ianlewis @asraa @joshuagl

[ianlewis]

Is the idea here is to better support ecosystem builders? or is this something meant to have its own reusable workflow where user specifies commands to be executed?

If the latter, I've been thinking that supporting a config yaml file in the repo root would be the best approach rather than having lots of inputs to the workflow that just get put on the command line.

[laurentsimon]

Is the idea here is to better support ecosystem builders?

yes, to help build a single reusable workflows that works across multiple ecosystems.

[joshuagl]

I like this a lot. A generic workflow and CLI will be enough to bootstrap many ecosystems. Where it is not, the CLI and generic workflow will make the phases and how to implement them much more concrete, as well as providing a building block for proof of concept.

I will start implementing a PoC this over the next week or so, focusing on supporting a Gradle project.
(I've assigned this Issue to me, lmk if anyone objects)

[laurentsimon]

An additional data point for ko https://github.com/laurentsimon/slsa-on-github-test/blob/main/.github/workflows/ko-caller.yml - I plan to move it to this repo soon

[ianlewis]

I think we can close this once we GA the generic workflow(s).

[ianlewis]

I'm going to just close this since there's nothing more to be done for this issue specifically. If we need something else let's create a new issue.