# Build Type: Buildkite

This is a SLSA Provenance buildType that describes the execution of a Buildkite pipeline.
This build type was inspired by the GitHub Actions build type described here.
## Description

```json
"buildType": "https://docs.cimon.build/provenance/buildtypes/buildkite/v1"
```
The Buildkite build type describes the execution of a Buildkite CI/CD pipeline that builds a software artifact.
## Build Definition

### External parameters

All external parameters are REQUIRED unless empty.

| Parameter | Type | Description |
|---|---|---|
| workflow | object | The workflow that was run |
| workflow.name | string | The full name of the Buildkite pipeline |
| workflow.repository | string | URI of the git repository |
| workflow.ref | string | Branch name for the commit |
| job | object | The job that was running in Buildkite when the provenance was generated |
| job.jobName | string | The label that was given to the job (if one exists) |
| job.jobId | string | The current job ID |
| build | object | The specific build that generated the provenance |
| build.buildRun | string | The build run ID |
| build.buildUrl | string | The full web URL of the build |
Example:

```json
"externalParameters": {
  "workflow": {
    "name": "cycode/cimon-tests",
    "repository": "https://github.com/MyOrg/MyRepo",
    "ref": "main"
  },
  "job": {
    "jobName": "Generate attestation",
    "jobId": "01925bce-4229-4de7-850e-85c5b836f035"
  },
  "build": {
    "buildRun": "7",
    "buildUrl": "https://buildkite.com/cycode/cimon-tests/builds/7"
  }
}
```
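A consumer of this provenance normally checks the required external parameters before trusting anything else in the statement. The following is an added example, not code from the Cimon docs or the Cimon tool: it validates an `externalParameters` object against the table above (every field present and non-empty, with `job.jobName` allowed to be empty because the table marks it "if exists") and then applies a constructed consumer policy on the repository, the ref and the build URL. The policy values (`allowed_repo`, `allowed_refs`, the `buildkite.com` host expectation) are assumptions for the example.

```python
# Added example, not part of the Cimon docs: validate the externalParameters
# object of a Buildkite SLSA provenance against the parameter table and a
# consumer-side policy. Field names come from the table; policy values are
# constructed for illustration.
from urllib.parse import urlparse

# Required external parameters, grouped by object, as listed in the table.
REQUIRED = {
    "workflow": ("name", "repository", "ref"),
    "job": ("jobName", "jobId"),
    "build": ("buildRun", "buildUrl"),
}


def validate_external_parameters(ext: dict) -> list[str]:
    """Return a list of problems; an empty list means the object is well-formed."""
    problems = []
    for obj, fields in REQUIRED.items():
        section = ext.get(obj)
        if not isinstance(section, dict):
            problems.append(f"missing object: {obj}")
            continue
        for field in fields:
            value = section.get(field)
            # Parameters are REQUIRED unless empty: an absent key or a non-string
            # is a defect. An empty string is tolerated only for jobName, which
            # the table marks "if exists".
            if not isinstance(value, str) or (not value and field != "jobName"):
                problems.append(f"missing or empty: {obj}.{field}")
    return problems


def check_policy(ext: dict, allowed_repo: str, allowed_refs: set[str]) -> list[str]:
    """Check the source-repository and ref claims against a consumer policy."""
    problems = validate_external_parameters(ext)
    if problems:
        return problems
    wf = ext["workflow"]
    if wf["repository"] != allowed_repo:
        problems.append(f"unexpected repository: {wf['repository']}")
    if wf["ref"] not in allowed_refs:
        problems.append(f"ref not allowed for release: {wf['ref']}")
    # Constructed expectation: the build URL is an https URL on buildkite.com.
    build_url = ext["build"]["buildUrl"]
    parsed = urlparse(build_url)
    if parsed.scheme != "https" or parsed.netloc != "buildkite.com":
        problems.append(f"buildUrl is not a buildkite.com https URL: {build_url}")
    return problems


# Constructed sample mirroring the example above.
SAMPLE = {
    "workflow": {
        "name": "cycode/cimon-tests",
        "repository": "https://github.com/MyOrg/MyRepo",
        "ref": "main",
    },
    "job": {
        "jobName": "Generate attestation",
        "jobId": "01925bce-4229-4de7-850e-85c5b836f035",
    },
    "build": {
        "buildRun": "7",
        "buildUrl": "https://buildkite.com/cycode/cimon-tests/builds/7",
    },
}

if __name__ == "__main__":
    # An empty list means the sample passes the constructed policy.
    print(check_policy(SAMPLE, "https://github.com/MyOrg/MyRepo", {"main"}))
```

Returning a list of findings rather than raising on the first one lets a verifier report every policy violation in one pass, which matters when the same provenance is checked by several teams with different allowlists.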
### Internal parameters

All internal parameters are OPTIONAL.

The internal parameters contain the CI environment variables as they appear in the build. More info regarding Buildkite environment variables can be found here. This is how the internal parameters look for this build type:
```json
"internalParameters": {
  "BUILDKITE_AGENT_ENDPOINT": "https://agent.buildkite.com/v3",
  "BUILDKITE_AGENT_ID": "0192533e-2074-48fc-aac5-d96b3b85eddd",
  "BUILDKITE_AGENT_META_DATA_QUEUE": "default-queue",
  "BUILDKITE_AGENT_NAME": "this-is-agent-name",
  "BUILDKITE_BRANCH": "feat/new-feature-branch-name",
  "BUILDKITE_BUILD_AUTHOR": "John Doe",
  "BUILDKITE_BUILD_AUTHOR_EMAIL": "john@doe.com",
  "BUILDKITE_BUILD_CREATOR": "John Doe",
  "BUILDKITE_BUILD_CREATOR_EMAIL": "john@doe.com",
  "BUILDKITE_BUILD_ID": "01925d08-bca1-4592-bdbb-e8a02bffea71",
  "BUILDKITE_BUILD_NUMBER": "640",
  "BUILDKITE_BUILD_URL": "https://buildkite.com/cycode/cimon-tests/builds/640",
  "BUILDKITE_CLUSTER_ID": "28df5fed-069a-48b6-a821-3f1ce096b2ff",
  "BUILDKITE_CLUSTER_NAME": "Default cluster",
  "BUILDKITE_COMMAND": "<contains the command that was executed>",
  "BUILDKITE_COMMIT": "9a470fc1c68e9eddcf65d8ebf71dab00a50dd46d",
  "BUILDKITE_COMPUTE_TYPE": "self-hosted",
  "BUILDKITE_JOB_ID": "01925d08-cfcd-4db1-80f5-ee4b7b4a8aae",
  "BUILDKITE_LABEL": "Generate attestation",
  "BUILDKITE_MESSAGE": "<contains the commit message>",
  "BUILDKITE_ORGANIZATION_ID": "0187e2ef-3b76-4c63-bee2-499754ca5ff1",
  "BUILDKITE_ORGANIZATION_SLUG": "cycode",
  "BUILDKITE_PIPELINE_DEFAULT_BRANCH": "main",
  "BUILDKITE_PIPELINE_ID": "018955a7-8adc-4e3f-83fc-0c5fb94714ab",
  "BUILDKITE_PIPELINE_NAME": "cimon-tests",
  "BUILDKITE_PIPELINE_PROVIDER": "github",
  "BUILDKITE_PIPELINE_SLUG": "cimon",
  "BUILDKITE_PULL_REQUEST": "1122",
  "BUILDKITE_PULL_REQUEST_BASE_BRANCH": "main",
  "BUILDKITE_REPO": "git@github.com:MyOrg/MyRepo.git",
  "BUILDKITE_RETRY_COUNT": "0",
  "BUILDKITE_SOURCE": "webhook",
  "BUILDKITE_STEP_ID": "01925d08-cf98-4eea-a2f0-ca610645ee3a"
}
```
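Because the internal parameters are optional and simply mirror the job's environment, a verifier should not treat them as an independent source of truth; what they are good for is a consistency check against the required external parameters, where a disagreement is a signal worth investigating. The block below is an added example and not code from the Cimon docs: it pairs a handful of `BUILDKITE_*` variables with the external parameter they should agree with. The pairings are read off the two examples on this page and are assumptions (in particular `BUILDKITE_BUILD_NUMBER` to `build.buildRun`), and the sample values are constructed so that both sides describe the same build.

```python
# Added example, not part of the Cimon docs: cross-check the optional
# internalParameters (the job's BUILDKITE_* environment) against the required
# externalParameters. The variable-to-parameter pairings are assumptions read
# off the examples on this page; the sample values are constructed.

# (BUILDKITE_* variable) -> (object, field) inside externalParameters
CROSS_CHECKS = {
    "BUILDKITE_BUILD_URL": ("build", "buildUrl"),
    "BUILDKITE_BUILD_NUMBER": ("build", "buildRun"),   # assumed pairing
    "BUILDKITE_JOB_ID": ("job", "jobId"),
    "BUILDKITE_LABEL": ("job", "jobName"),
    "BUILDKITE_BRANCH": ("workflow", "ref"),
}


def cross_check_internal(internal: dict, ext: dict) -> list[str]:
    """Report every internal parameter that disagrees with its external counterpart.

    Internal parameters are OPTIONAL, so an absent variable is not a finding;
    a present variable that contradicts the external claim is.
    """
    findings = []
    for var, (obj, field) in CROSS_CHECKS.items():
        if var not in internal:
            continue
        claimed = ext.get(obj, {}).get(field)
        if internal[var] != claimed:
            findings.append(
                f"{var}={internal[var]!r} disagrees with {obj}.{field}={claimed!r}"
            )
    return findings


# Constructed sample: an external/internal pair describing the same build.
EXT = {
    "workflow": {"name": "cycode/cimon-tests",
                 "repository": "https://github.com/MyOrg/MyRepo",
                 "ref": "feat/new-feature-branch-name"},
    "job": {"jobName": "Generate attestation",
            "jobId": "01925d08-cfcd-4db1-80f5-ee4b7b4a8aae"},
    "build": {"buildRun": "640",
              "buildUrl": "https://buildkite.com/cycode/cimon-tests/builds/640"},
}
INTERNAL = {
    "BUILDKITE_BRANCH": "feat/new-feature-branch-name",
    "BUILDKITE_BUILD_NUMBER": "640",
    "BUILDKITE_BUILD_URL": "https://buildkite.com/cycode/cimon-tests/builds/640",
    "BUILDKITE_JOB_ID": "01925d08-cfcd-4db1-80f5-ee4b7b4a8aae",
    "BUILDKITE_LABEL": "Generate attestation",
    "BUILDKITE_COMPUTE_TYPE": "self-hosted",   # no external counterpart; ignored
}

if __name__ == "__main__":
    print(cross_check_internal(INTERNAL, EXT))
```

`BUILDKITE_REPO` is deliberately left out of the pairing table: it carries the SSH form of the repository URL while `workflow.repository` is an https URI, so comparing them requires normalisation rather than string equality.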
### Resolved Dependencies

The resolvedDependencies SHOULD contain an entry identifying the resolved git commit ID corresponding to externalParameters.workflow. The dependency's URI MUST be in SPDX Download Location format, i.e., "git+" + workflow.uri + "@" + workflow.ref.
```json
"resolvedDependencies": [
  {
    "uri": "git+https://github.com/MyOrg/MyRepo@feat/new-feature-branch-name",
    "digest": {
      "gitCommit": "9a470fc1c68e9eddcf65d8ebf71dab00a50dd46d"
    },
    "annotations": {
      "signedStatus": "signed",
      "gpgKeyId": "B5690EEEBB952194"
    }
  }
]
```
Each referenced commit contains signing information as well. The `signedStatus` field will receive one of three values:

- `signed`: Confirmed that the commit is signed. In that case, `gpgKeyId` will also be included. The GPG Key ID should look similar to the output of `git log --show-signature -s`.
- `unsigned`: Confirmed that the commit is not signed.
- `untrusted`: The commit signing information could not be verified.
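The two rules in this section (the SPDX-style URI built from the workflow parameters, and the three-valued `signedStatus` with an accompanying `gpgKeyId`) are what a verifier enforces on the source dependency. The following is an added example and not code from the Cimon docs: it rebuilds the expected `git+<repository>@<ref>` URI from `externalParameters` (using the `workflow.repository` parameter from the table above as the repository URI), locates the matching entry, checks that the `gitCommit` digest is a 40-hex SHA-1, and applies a constructed policy that accepts only `signed` commits whose key ID is in an allowlist; `unsigned` and `unknown` are both treated as failures. The allowlisted key ID and sample values are constructed for the example.

```python
# Added example, not part of the Cimon docs: verify the resolvedDependencies
# entry for the pipeline's own source repository. Rebuilds the expected SPDX
# download URI ("git+" + repository + "@" + ref) from externalParameters,
# checks the digest shape and applies a constructed signing policy.
import re

GIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def expected_source_uri(ext: dict) -> str:
    """SPDX download location of the checked-out source, per the rule above."""
    wf = ext["workflow"]
    return "git+" + wf["repository"] + "@" + wf["ref"]


def verify_source_dependency(ext: dict, deps: list[dict], trusted_keys: set[str]) -> list[str]:
    """Return the problems found; an empty list means the entry passes policy."""
    want = expected_source_uri(ext)
    # Find the entry naming the pipeline's own repository at the claimed ref.
    src = next((d for d in deps if d.get("uri") == want), None)
    if src is None:
        return [f"no resolvedDependencies entry for {want}"]
    problems = []
    commit = src.get("digest", {}).get("gitCommit", "")
    if not GIT_SHA_RE.fullmatch(commit):
        problems.append(f"gitCommit is not a 40-hex SHA-1: {commit!r}")
    ann = src.get("annotations", {})
    status = ann.get("signedStatus")
    if status == "signed":
        key = ann.get("gpgKeyId")
        if not key:
            problems.append("signedStatus is 'signed' but gpgKeyId is missing")
        elif key.upper() not in trusted_keys:
            problems.append(f"commit signed by untrusted key {key}")
    elif status == "unsigned":
        problems.append("commit is unsigned")
    else:
        # "unknown" (or any unexpected value) means signing could not be
        # verified; a release policy treats that as a failure, not a pass.
        problems.append(f"commit signing status could not be verified: {status!r}")
    return problems


# Constructed sample mirroring the JSON above. The externalParameters example
# on this page uses ref "main"; here the ref matches the dependency URI.
EXT = {"workflow": {"repository": "https://github.com/MyOrg/MyRepo",
                    "ref": "feat/new-feature-branch-name"}}
DEPS = [{
    "uri": "git+https://github.com/MyOrg/MyRepo@feat/new-feature-branch-name",
    "digest": {"gitCommit": "9a470fc1c68e9eddcf65d8ebf71dab00a50dd46d"},
    "annotations": {"signedStatus": "signed", "gpgKeyId": "B5690EEEBB952194"},
}]
# Constructed allowlist of release-signing key IDs (upper-case hex).
TRUSTED_KEYS = {"B5690EEEBB952194"}

if __name__ == "__main__":
    print(verify_source_dependency(EXT, DEPS, TRUSTED_KEYS))
```

The key ID reported here is only as trustworthy as the attestation itself; it records what the builder observed, so a consumer still pins the allowlist to keys it has verified out of band rather than accepting whatever ID the statement carries.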
## Run Details

### Builder

The builder.id MUST represent the entity that generated the provenance, as per the SLSA Provenance documentation. In the case of Buildkite, this represents the Buildkite entity that is running the build, and the runner type. Based on this information, the provenance consumer can decide whether the build environment is secure enough to trust the produced attestation.
Example:

```json
"builder": {
  "id": "https://buildkite.com/Attestations/BuildkiteBuild@self-hosted"
}
```
### Metadata

The invocationId SHOULD be set to the Buildkite Job URL.
Example:

```json
"metadata": {
  "invocationId": "https://buildkite.com/cycode/cimon-tests/builds/640#01925bce-4229-4de7-850e-85c5b836f035"
}
```
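The two run-detail fields carry the consumer's trust decision: `builder.id` encodes the Buildkite entity and the runner type, and `invocationId` ties the statement to one job URL. The block below is an added example and not code from the Cimon docs: it splits `builder.id` at its last `@` into entity and runner type (the `<entity>@<runner type>` shape is read off the example above), accepts the provenance only when the runner type is in a constructed allowlist, and checks that `invocationId` is `build.buildUrl` followed by `#` and `job.jobId`, which is the job-URL shape shown in the metadata example. The runner-type allowlist and the sample values are assumptions for the example.

```python
# Added example, not part of the Cimon docs: interpret runDetails.builder.id
# and runDetails.metadata.invocationId from a Buildkite provenance. The id
# shape "<entity>@<runner type>" and the job-URL shape "<buildUrl>#<jobId>"
# are read off the examples on this page; the trusted runner types are a
# constructed consumer policy.

BUILDER_PREFIX = "https://buildkite.com/Attestations/BuildkiteBuild@"


def parse_builder_id(builder_id: str) -> tuple[str, str]:
    """Split builder.id into (entity, runner_type); raise if it is not Buildkite's."""
    entity, sep, runner = builder_id.rpartition("@")
    if not sep or entity + "@" != BUILDER_PREFIX or not runner:
        raise ValueError(f"unexpected builder.id: {builder_id}")
    return entity, runner


def builder_trusted(builder_id: str, trusted_runner_types: set[str]) -> bool:
    """True when the provenance was generated on a runner type the consumer accepts."""
    _, runner = parse_builder_id(builder_id)
    return runner in trusted_runner_types


def check_invocation_id(invocation_id: str, ext: dict) -> list[str]:
    """invocationId SHOULD be the job URL: build.buildUrl + '#' + job.jobId."""
    problems = []
    build_url = ext["build"]["buildUrl"]
    job_id = ext["job"]["jobId"]
    base, _, fragment = invocation_id.partition("#")
    if base != build_url:
        problems.append(f"invocationId base {base} != build.buildUrl {build_url}")
    if fragment != job_id:
        problems.append(f"invocationId fragment {fragment!r} != job.jobId {job_id!r}")
    return problems


# Constructed sample values, consistent with each other.
SAMPLE_BUILDER_ID = "https://buildkite.com/Attestations/BuildkiteBuild@self-hosted"
SAMPLE_EXT = {
    "build": {"buildUrl": "https://buildkite.com/cycode/cimon-tests/builds/640"},
    "job": {"jobId": "01925bce-4229-4de7-850e-85c5b836f035"},
}
SAMPLE_INVOCATION = (
    "https://buildkite.com/cycode/cimon-tests/builds/640"
    "#01925bce-4229-4de7-850e-85c5b836f035"
)
# Constructed policy: this consumer only trusts builds from its own agents.
TRUSTED_RUNNER_TYPES = {"self-hosted"}

if __name__ == "__main__":
    print(parse_builder_id(SAMPLE_BUILDER_ID))
    print(builder_trusted(SAMPLE_BUILDER_ID, TRUSTED_RUNNER_TYPES))
    print(check_invocation_id(SAMPLE_INVOCATION, SAMPLE_EXT))
```

Whether `self-hosted` counts as trustworthy is an organisational decision, not a property of the format: a self-hosted agent is under the consumer's own control, which is exactly what makes it either the most or the least trusted option depending on how that agent fleet is run.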