laurentsimon · Apr 12, 2022
diff --git a/‎.github/workflows/slsa3-builder.yml
+12-18 b/‎.github/workflows/slsa3-builder.yml
+12-18
diff --git a/‎go.mod
+205-4 b/‎go.mod
+205-4
diff --git a/‎go.sum
+3,024-3 b/‎go.sum
+3,024-3
diff --git a/‎main.go
+21-16 b/‎main.go
+21-16
diff --git a/‎pkg/build.go
+87-25 b/‎pkg/build.go
+87-25
@@ -135,9 +135,11 @@ jobs:
     needs: [builder]
     env:
       UNTRUSTED_ARGS: "${{ inputs.args }}"
+      UNTRUSTED_ENVS: "${{ inputs.envs }}"
       BUILDER_HASH: "${{ needs.builder.outputs.builder-sha256 }}"
     outputs:
       command: ${{ steps.build-dry.outputs.command }}
+      envs: ${{ steps.build-dry.outputs.envs }}
 
     steps:
       - name: Checkout the repository
@@ -176,9 +178,9 @@ jobs:
           
           # TODO: verify hash
           echo "running the builder $BUILDER_BINARY with hash $BUILDER_HASH"
-          echo ./"$BUILDER_BINARY" $UNTRUSTED_ARGS --dry-run
-          ./"$BUILDER_BINARY" $UNTRUSTED_ARGS --dry-run
-          echo "::set-output name=command::this is a command!"
+          echo ./"$BUILDER_BINARY" --dry-run --args "$UNTRUSTED_ARGS" --envs "$UNTRUSTED_ENVS"
+          # Note: this will print command and envs.
+          ./"$BUILDER_BINARY" --dry-run --args "$UNTRUSTED_ARGS" --envs "$UNTRUSTED_ENVS"
   
   ###################################################################
   #                                                                 #
@@ -276,13 +278,11 @@ jobs:
     env:
       UNTRUSTED_IMAGE: "${{ needs.build-release.outputs.image }}"
       UNTRUSTED_COMMAND: "${{ needs.build-dry.outputs.command }}"
+      UNTRUSTED_ENVS: "${{ needs.build-dry.outputs.envs }}"
       UNTRUSTED_PASSWORD: "${{ secrets.password }}"
       UNTRUSTED_USERNAME: "${{ inputs.username }}"
 
     steps:
-      - name: Checkout the repository
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v2.3.4
-        
       - name: Generate predicate
         id: gen-predicate
         env:
@@ -292,23 +292,17 @@ jobs:
           
           echo "image is: $UNTRUSTED_IMAGE"
           
-          echo "TODO: generate provenance dynamically"
-          echo "command: $UNTRUSTED_COMMAND"
-          
           #TODO: generate PROJECT dynamically using the URL
           # testing. Use a local file containing provenance.
           IMAGE_SHA256=$(echo $UNTRUSTED_IMAGE | cut -d "@" -f2 | cut -d ":" -f2)
-          IMAGE_PROVENANCE="predicate-sha256-$IMAGE_SHA256.json"
+          IMAGE_NAME=$(echo $UNTRUSTED_IMAGE | cut -d "@" -f1)
+                    
           
-          echo "provenance is: $IMAGE_PROVENANCE"
-          
-          export DATA="ewogICJidWlsZGVyIjogewogICAgImlkIjogImh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3ItZ28vLmdpdGh1Yi93b3JrZmxvd3MvYnVpbGRlci55bWxAcmVmcy9oZWFkcy9tYWluIgogIH0sCiAgImJ1aWxkVHlwZSI6ICJodHRwczovL2dpdGh1Yi5jb20vc2xzYS1mcmFtZXdvcmsvc2xzYS1naXRodWItZ2VuZXJhdG9yLWdvQHYxIiwKICAiaW52b2NhdGlvbiI6IHsKICAgICJjb25maWdTb3VyY2UiOiB7CiAgICAgICJ1cmkiOiAiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbWxhdXJlbnRzaW1vbi9zbHNhLW9uLWdpdGh1Yi10ZXN0QHJlZnMvaGVhZHMvbWFpbi5naXQiLAogICAgICAiZGlnZXN0IjogewogICAgICAgICJzaGExIjogImQzZmQ5NDgyZTY4ZDI3NmU2OWMwYThiM2Y3ZWFhYmIzYjllNTY2OTUiCiAgICAgIH0sCiAgICAgICJlbnRyeVBvaW50IjogIlNMU0EgUmVsZWFzZSIKICAgIH0sCiAgICAicGFyYW1ldGVycyI6IHsKICAgICAgInZlcnNpb24iOiAxLAogICAgICAicmVmX3R5cGUiOiAiYnJhbmNoIiwKICAgICAgInJlZiI6ICJyZWZzL2hlYWRzL21haW4iLAogICAgICAiYmFzZV9yZWYiOiAiIiwKICAgICAgImhlYWRfcmVmIjogIiIsCiAgICAgICJhY3RvciI6ICJsYXVyZW50c2ltb24iLAogICAgICAic2hhMSI6ICJkM2ZkOTQ4MmU2OGQyNzZlNjljMGE4YjNmN2VhYWJiM2I5ZTU2Njk1IgogICAgfSwKICAgICJlbnZpcm9ubWVudCI6IHsKICAgICAgImFyY2giOiAiYW1kNjQiLAogICAgICAiZ2l0aHViX2V2ZW50X25hbWUiOiAid29ya2Zsb3dfZGlzcGF0Y2giLAogICAgICAiZ2l0aHViX3J1bl9hdHRlbXB0IjogIjEiLAogICAgICAiZ2l0aHViX3J1bl9pZCI6ICIyMDkwODQxMjYzIiwKICAgICAgImdpdGh1Yl9ydW5fbnVtYmVyIjogIjE4IiwKICAgICAgIm9zIjogInVidW50dSIKICAgIH0KICB9LAogICJidWlsZENvbmZpZyI6IHsKICAgICJ2ZXJzaW9uIjogMSwKICAgICJzdGVwcyI6IFsKICAgICAgewogICAgICAgICJjb21tYW5kIjogWwogICAgICAgICAgIi9vcHQvaG9zdGVkdG9vbGNhY2hlL2dvLzEuMTcuOC94NjQvYmluL2dvIiwKICAgICAgICAgICJidWlsZCIsCiAgICAgICAgICAiLW1vZD12ZW5kb3IiLAogICAgICAgICAgIi10cmltcGF0aCIsCiAgICAgICAgICAiLXRhZ3M9bmV0Z28iLAogICAgICAgICAgIi1vIiwKICAgICAgICAgICJiaW5hcnktbGludXgtYW1kNjQiCiAgICAgICAgXSwKICAgICAgICAiZW52IjogWwogICAgICAgICAgIkdPT1M9bGludXgiLAogICAgICAgICAgIkdPQVJDSD1hbWQ2NCIsCiAgICAgICAgICAiR08xMTFNT0RVTEU9b24iLAogICAgICAgICAgIkNHT19FTkFCTEVEPTAiCiAgICAgICAgXQogICAgICB9CiAgICBdCiAgfSwKICAibWF0ZXJpYWxzIjogWwogICAgewogICAgICAidXJpIjogImdpdCtsYXVyZW50c2ltb24vc2xzYS1vbi1naXRodWItdGVzdC5naXQiLAogICAgICAiZGlnZXN0IjogewogICAgICAgICJzaGExIjogImQzZmQ5NDgyZTY4ZDI3NmU2OWMwYThiM2Y3ZWFhYmIzYjllNTY2OTUiCiAgICAgIH0KICAgIH0KICBdCn0="
-          #echo "TODO: upload artifact"
-          UNTRUSTED_PROVENANCE_DATA=$(echo -n "$DATA" | base64 -d)
-          echo -n "$UNTRUSTED_PROVENANCE_DATA" > "$IMAGE_PROVENANCE"
-          
-          echo "::set-output name=filename::$IMAGE_PROVENANCE"
           echo "::set-output name=image::$UNTRUSTED_IMAGE"
+
+          ./"$BUILDER_BINARY" predicate --artifact-name "$IMAGE_NAME" \
+            --digest "$IMAGE_SHA256" --command "$UNTRUSTED_COMMAND" \
+            --env "$UNTRUSTED_ENVS"
           
       # Note: here we need packages permissions
       # TODO: here we may use each ecosystem's login action instead,
 
@@ -1,7 +1,208 @@
-module laurentsimon/slsa-github-generator-ko/builder
+module github.com/laurentsimon/slsa-github-generator-ko/builder
 
-go 1.18
+go 1.17
 
-require github.com/pborman/uuid v1.2.1
+require (
+	github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf
+	github.com/sigstore/cosign v1.7.2
+	github.com/sigstore/sigstore v1.2.1-0.20220401110139-0e610e39782f
+)
 
-require github.com/google/uuid v1.0.0 // indirect
+require (
+	cloud.google.com/go v0.100.2 // indirect
+	cloud.google.com/go/compute v1.5.0 // indirect
+	cloud.google.com/go/iam v0.3.0 // indirect
+	cloud.google.com/go/kms v1.4.0 // indirect
+	cloud.google.com/go/storage v1.22.0 // indirect
+	github.com/Azure/azure-sdk-for-go v63.0.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.25 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
+	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/PaesslerAG/gval v1.0.0 // indirect
+	github.com/PaesslerAG/jsonpath v0.1.1 // indirect
+	github.com/PuerkitoBio/purell v1.1.1 // indirect
+	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
+	github.com/ReneKroon/ttlcache/v2 v2.11.0 // indirect
+	github.com/armon/go-metrics v0.3.10 // indirect
+	github.com/armon/go-radix v1.0.0 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
+	github.com/aws/aws-sdk-go v1.43.30 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.14.0 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.14.0 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.9.0 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.11.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.3.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.10.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.15.0 // indirect
+	github.com/aws/smithy-go v1.11.0 // indirect
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220228164355-396b2034c795 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
+	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21 // indirect
+	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.10.1 // indirect
+	github.com/coreos/go-oidc/v3 v3.1.0 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/docker/cli v20.10.12+incompatible // indirect
+	github.com/docker/distribution v2.8.0+incompatible // indirect
+	github.com/docker/docker v20.10.12+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.6.4 // indirect
+	github.com/fatih/color v1.13.0 // indirect
+	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-chi/chi v4.1.2+incompatible // indirect
+	github.com/go-logr/logr v1.2.2 // indirect
+	github.com/go-openapi/analysis v0.21.2 // indirect
+	github.com/go-openapi/errors v0.20.2 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.19.6 // indirect
+	github.com/go-openapi/loads v0.21.1 // indirect
+	github.com/go-openapi/runtime v0.23.3 // indirect
+	github.com/go-openapi/spec v0.20.4 // indirect
+	github.com/go-openapi/strfmt v0.21.2 // indirect
+	github.com/go-openapi/swag v0.21.1 // indirect
+	github.com/go-openapi/validate v0.21.0 // indirect
+	github.com/go-playground/locales v0.14.0 // indirect
+	github.com/go-playground/universal-translator v0.18.0 // indirect
+	github.com/go-playground/validator/v10 v10.10.0 // indirect
+	github.com/go-stack/stack v1.8.1 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.3.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/go-cmp v0.5.7 // indirect
+	github.com/google/go-containerregistry v0.8.1-0.20220209165246-a44adc326839 // indirect
+	github.com/google/go-github/v42 v42.0.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/trillian v1.4.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.2.0 // indirect
+	github.com/googleapis/gnostic v0.5.5 // indirect
+	github.com/googleapis/go-type-adapters v1.0.0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-hclog v1.2.0 // indirect
+	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-plugin v1.4.3 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.0 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.3 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
+	github.com/hashicorp/go-uuid v1.0.3 // indirect
+	github.com/hashicorp/go-version v1.4.0 // indirect
+	github.com/hashicorp/golang-lru v0.5.4 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hashicorp/vault/api v1.5.0 // indirect
+	github.com/hashicorp/vault/sdk v0.4.1 // indirect
+	github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.14.2 // indirect
+	github.com/leodido/go-urn v1.2.1 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e // indirect
+	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-colorable v0.1.12 // indirect
+	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
+	github.com/mitchellh/mapstructure v1.4.3 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/oklog/run v1.1.0 // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/pelletier/go-toml v1.9.4 // indirect
+	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/prometheus/client_golang v1.12.1 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/ryanuber/go-glob v1.0.0 // indirect
+	github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.3.1 // indirect
+	github.com/segmentio/ksuid v1.0.4 // indirect
+	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7 // indirect
+	github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3 // indirect
+	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
+	github.com/spf13/afero v1.8.0 // indirect
+	github.com/spf13/cast v1.4.1 // indirect
+	github.com/spf13/cobra v1.4.0 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/viper v1.10.1 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.0.0 // indirect
+	github.com/subosito/gotenv v1.2.0 // indirect
+	github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect
+	github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect
+	github.com/theupdateframework/go-tuf v0.0.0-20220211205608-f0c3294f63b9 // indirect
+	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
+	github.com/vbatts/tar-split v0.11.2 // indirect
+	github.com/xanzy/go-gitlab v0.62.0 // indirect
+	github.com/zeebo/errs v1.2.2 // indirect
+	go.mongodb.org/mongo-driver v1.8.3 // indirect
+	go.opencensus.io v0.23.0 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.7.0 // indirect
+	go.uber.org/zap v1.21.0 // indirect
+	golang.org/x/crypto v0.0.0-20220214200702-86341886e292 // indirect
+	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
+	golang.org/x/net v0.0.0-20220325170049-de3da57026de // indirect
+	golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a // indirect
+	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
+	golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886 // indirect
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
+	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	google.golang.org/api v0.74.0 // indirect
+	google.golang.org/genproto v0.0.0-20220405205423-9d709892a2bf // indirect
+	google.golang.org/grpc v1.45.0 // indirect
+	google.golang.org/protobuf v1.28.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/ini.v1 v1.66.2 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	k8s.io/api v0.23.5 // indirect
+	k8s.io/apimachinery v0.23.5 // indirect
+	k8s.io/client-go v0.23.5 // indirect
+	k8s.io/klog/v2 v2.60.1-0.20220317184644-43cc75f9ae89 // indirect
+	k8s.io/kube-openapi v0.0.0-20220124234850-424119656bbf // indirect
+	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
+	knative.dev/pkg v0.0.0-20220325200448-1f7514acd0c2 // indirect
+	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
+	sigs.k8s.io/release-utils v0.6.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
+)
@@ -15,18 +15,19 @@
 package main
 
 import (
+	"errors"
 	"flag"
 	"fmt"
+	"io/ioutil"
 	"os"
-	"os/exec"
 
 	"github.com/laurentsimon/slsa-github-generator-ko/builder/pkg"
 )
 
 func usage(p string) {
 	panic(fmt.Sprintf(`Usage: 
 	 %s build [--dry] --env $ENV
-	 %s predicate --binary-name $NAME --digest $DIGEST --command $COMMAND --env $ENV`, p, p))
+	 %s predicate --artifact-name $NAME --digest $DIGEST --command $COMMAND --env $ENV`, p, p))
 }
 
 func check(e error) {
@@ -38,15 +39,16 @@ func check(e error) {
 func main() {
 	// Build command.
 	buildCmd := flag.NewFlagSet("build", flag.ExitOnError)
-	buildDry := buildCmd.Bool("dry", false, "dry run of the build without invoking compiler")
-	buildEnv := buildCmd.String("env", "", "env variables used to compile the binary")
+	buildDry := buildCmd.Bool("dry", false, "dry run of the build without invoking ko")
+	buildEnv := buildCmd.String("env", "", "env variables for ko")
+	buildArgs := buildCmd.String("args", "", "arguments for ko")
 
 	// Predicate command.
 	predicateCmd := flag.NewFlagSet("predicate", flag.ExitOnError)
-	predicateName := predicateCmd.String("binary-name", "", "untrusted binary name of the artifact built")
-	predicateDigest := predicateCmd.String("digest", "", "sha256 digest of the untrusted binary")
-	predicateCommand := predicateCmd.String("command", "", "command used to compile the binary")
-	// predicateEnv := predicateCmd.String("env", "", "env variables used to compile the binary")
+	predicateName := predicateCmd.String("artifact-name", "", "untrusted artifact name")
+	predicateDigest := predicateCmd.String("digest", "", "sha256 digest of the artifact")
+	predicateCommand := predicateCmd.String("command", "", "command used to generate the artifact")
+	predicateEnv := predicateCmd.String("env", "", "env variables used to generate the artifact")
 
 	// Expect a sub-command.
 	if len(os.Args) < 2 {
@@ -56,15 +58,18 @@ func main() {
 	switch os.Args[1] {
 	case buildCmd.Name():
 		buildCmd.Parse(os.Args[2:])
-		if len(buildCmd.Args()) < 1 {
-			usage(os.Args[0])
-		}
 
-		ko, err := exec.LookPath("ko")
-		check(err)
+		// TODO: update
+		// ko, err := exec.LookPath("ko")
+		// check(err)
+		ko := "~/go/bin/ko"
 
 		kobuild := pkg.KoBuildNew(ko)
 
+		// Set arguments.
+		err := kobuild.SetArgs(*buildArgs)
+		check(err)
+
 		// Set env variables encoded as arguments.
 		err = kobuild.SetArgEnvVariables(*buildEnv)
 		check(err)
@@ -79,7 +84,7 @@ func main() {
 			usage(os.Args[0])
 		}
 
-		/*githubContext, ok := os.LookupEnv("GITHUB_CONTEXT")
+		githubContext, ok := os.LookupEnv("GITHUB_CONTEXT")
 		if !ok {
 			panic(errors.New("environment variable GITHUB_CONTEXT not present"))
 		}
@@ -92,8 +97,8 @@ func main() {
 		err = ioutil.WriteFile(filename, attBytes, 0600)
 		check(err)
 
-		fmt.Printf("::set-output name=signed-predicate-name::%s\n", filename)
-		*/
+		fmt.Printf("::set-output name=predicate::%s\n", filename)
+
 	default:
 		fmt.Println("expected 'build' or 'predicate' subcommands")
 		os.Exit(1)
 
@@ -15,6 +15,8 @@
 package pkg
 
 import (
+	"encoding/base64"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"strings"
@@ -29,43 +31,103 @@ var (
 	errorEmptyFilename             = errors.New("filename is not set")
 )
 
-// See `go build help`.
-// `-asmflags`, `-n`, `-mod`, `-installsuffix`, `-modfile`,
-// `-workfile`, `-overlay`, `-pkgdir`, `-toolexec`, `-o`,
-// `-modcacherw`, `-work` not supported for now.
-
-var allowedBuildArgs = map[string]bool{
-	"-a": true, "-race": true, "-msan": true, "-asan": true,
-	"-v": true, "-x": true, "-buildinfo": true,
-	"-buildmode": true, "-buildvcs": true, "-compiler": true,
-	"-gccgoflags": true, "-gcflags": true,
-	"-ldflags": true, "-linkshared": true,
-	"-tags": true, "-trimpath": true,
-}
-
-var allowedEnvVariablePrefix = map[string]bool{
-	"GO": true, "CGO_": true, "KO_": true,
-	"KIND_": true,
-}
-
 type KoBuild struct {
-	ko     string
-	argEnv map[string]string
+	ko   string
+	args []string
+	envs map[string]string
 }
 
 func KoBuildNew(ko string) *KoBuild {
 	c := KoBuild{
-		ko:     ko,
-		argEnv: make(map[string]string),
+		ko:   ko,
+		envs: make(map[string]string),
+		args: make([]string, 0),
 	}
 
 	return &c
 }
 
 func (b *KoBuild) Run(dry bool) error {
+	fmt.Println("Run")
+
+	command, err := b.generateCommandArgs()
+	if err != nil {
+		return err
+	}
+
+	// A dry run prints the information that is "trusted", before
+	// the compiler is invoked.
+	if dry {
+		// Share the arguments.
+		command, err := marshallList(command)
+		if err != nil {
+			return err
+		}
+		fmt.Printf("::set-output name=command::%s\n", command)
+
+		// Share the env variables.
+		env, err := b.generateCommandEnvVariables()
+		if err != nil {
+			return err
+		}
+		envs, err := marshallList(env)
+		if err != nil {
+			return err
+		}
+		fmt.Printf("::set-output name=envs::%s\n", envs)
+		return nil
+	}
+	return nil
+}
+
+func (b *KoBuild) SetArgs(args string) error {
+	if args == "" {
+		return nil
+	}
+
+	for _, arg := range strings.Split(args, " ") {
+		arg = strings.Trim(arg, " ")
+
+		fmt.Printf("arg: %s\n", arg)
+		b.args = append(b.args, arg)
+
+	}
 	return nil
 }
 
+func (b *KoBuild) generateCommandEnvVariables() ([]string, error) {
+	var env []string
+
+	// Set env variables from config file.
+	for k, v := range b.envs {
+		env = append(env, fmt.Sprintf("%s=%s", k, v))
+	}
+
+	return env, nil
+}
+
+func marshallList(args []string) (string, error) {
+	jsonData, err := json.Marshal(args)
+	if err != nil {
+		return "", fmt.Errorf("json.Marshal: %w", err)
+	}
+
+	encoded := base64.StdEncoding.EncodeToString(jsonData)
+	if err != nil {
+		return "", fmt.Errorf("base64.StdEncoding.DecodeString: %w", err)
+	}
+	return encoded, nil
+}
+
+func (b *KoBuild) generateCommandArgs() ([]string, error) {
+	flags := []string{b.ko, "publish"}
+
+	for _, v := range b.args {
+		flags = append(flags, v)
+	}
+	return flags, nil
+}
+
 func (b *KoBuild) SetArgEnvVariables(envs string) error {
 	if envs == "" {
 		return nil
@@ -74,15 +136,15 @@ func (b *KoBuild) SetArgEnvVariables(envs string) error {
 	for _, e := range strings.Split(envs, ",") {
 		s := strings.Trim(e, " ")
 
-		sp := strings.Split(s, ":")
+		sp := strings.Split(s, "=")
 		if len(sp) != 2 {
 			return fmt.Errorf("%w: %s", errorInvalidEnvArgument, s)
 		}
 		name := strings.Trim(sp[0], " ")
 		value := strings.Trim(sp[1], " ")
 
 		fmt.Printf("arg env: %s:%s\n", name, value)
-		b.argEnv[name] = value
+		b.envs[name] = value
 
 	}
 	return nil