bazel-contrib
diff --git a/‎cosign/private/attest.bzl‎
Lines changed: 16 additions & 6 deletions b/‎cosign/private/attest.bzl‎
Lines changed: 16 additions & 6 deletions
diff --git a/‎cosign/private/attest.sh.tpl‎
Lines changed: 9 additions & 3 deletions b/‎cosign/private/attest.sh.tpl‎
Lines changed: 9 additions & 3 deletions
diff --git a/‎cosign/private/sign.bzl‎
Lines changed: 18 additions & 5 deletions b/‎cosign/private/sign.bzl‎
Lines changed: 18 additions & 5 deletions
diff --git a/‎cosign/private/sign.sh.tpl‎
Lines changed: 9 additions & 2 deletions b/‎cosign/private/sign.sh.tpl‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎docs/push.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/push.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎examples/attest/BUILD.bazel‎
Lines changed: 40 additions & 0 deletions b/‎examples/attest/BUILD.bazel‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎examples/attest/test_attest_no_repo_fails.bash‎
Lines changed: 14 additions & 0 deletions b/‎examples/attest/test_attest_no_repo_fails.bash‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎examples/attest/test_attest_no_repo_passes.bash‎
Lines changed: 33 additions & 0 deletions b/‎examples/attest/test_attest_no_repo_passes.bash‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎examples/push/BUILD.bazel‎
Lines changed: 17 additions & 0 deletions b/‎examples/push/BUILD.bazel‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎examples/push/test.bash‎
Lines changed: 7 additions & 1 deletion b/‎examples/push/test.bash‎
Lines changed: 7 additions & 1 deletion
@@ -31,15 +31,25 @@ cosign_attest(
 ```
 
 via `bazel run :attest_spdx -- --repository=index.docker.io/org/test`
+
+You can also omit the `repository` attribute and provide it at runtime.
+```starlark
+cosign_attest(
+    name = "attest_no_repo",
+    image = ":image",
+    predicate = "image.sbom.spdx.json",
+    type = "spdx",
+)
+```
+Then run `bazel run :attest_no_repo -- --repository=index.docker.io/org/test`
 """
 
 _attrs = {
     "image": attr.label(allow_single_file = True, mandatory = True, doc = "Label to an oci_image"),
     "type": attr.string(values = ["slsaprovenance", "link", "spdx", "vuln", "custom"], mandatory = True, doc = "Type of predicate. Acceptable values are (slsaprovenance|link|spdx|vuln|custom)"),
     "predicate": attr.label(allow_single_file = True, mandatory = True, doc = "Label to the predicate file. Only files are allowed. eg: sbom.spdx, in-toto.json"),
-    "repository": attr.string(mandatory = True, doc = """\
-        Repository URL where the image will be signed at, e.g.: `index.docker.io/<user>/image`.
-        Digests and tags are not allowed.
+    "repository": attr.string(doc = """        Repository URL where the image will be signed at, e.g.: `index.docker.io/<user>/image`.
+        Digests and tags are not allowed. If this attribute is not set, the repository must be passed at runtime via the `--repository` flag.
     """),
     "_attest_sh_tpl": attr.label(default = "attest.sh.tpl", allow_single_file = True),
 }
@@ -48,17 +58,17 @@ def _cosign_attest_impl(ctx):
     cosign = ctx.toolchains["@rules_oci//cosign:toolchain_type"]
     jq = ctx.toolchains["@aspect_bazel_lib//lib:jq_toolchain_type"]
 
-    if ctx.attr.repository.find(":") != -1 or ctx.attr.repository.find("@") != -1:
+    if ctx.attr.repository and (ctx.attr.repository.find(":") != -1 or ctx.attr.repository.find("@") != -1):
         fail("repository attribute should not contain digest or tag.")
 
     fixed_args = [
-        "--repository",
-        ctx.attr.repository,
         "--predicate",
         ctx.file.predicate.short_path,
         "--type",
         ctx.attr.type,
     ]
+    if ctx.attr.repository:
+        fixed_args.extend(["--repository", ctx.attr.repository])
 
     executable = ctx.actions.declare_file("cosign_attest_{}.sh".format(ctx.label.name))
     ctx.actions.expand_template(
 
@@ -7,10 +7,11 @@ readonly IMAGE_DIR="{{image_dir}}"
 readonly DIGEST=$("${JQ}" -r '.manifests[].digest' "${IMAGE_DIR}/index.json")
 readonly FIXED_ARGS=({{fixed_args}})
 
-
 # set $@ to be FIXED_ARGS+$@
-ARGS=(${FIXED_ARGS[@]} $@)
-set -- ${ARGS[@]}
+ALL_ARGS=(${FIXED_ARGS[@]+"${FIXED_ARGS[@]}"} "$@")
+if [[ ${#ALL_ARGS[@]} -gt 0 ]]; then
+  set -- "${ALL_ARGS[@]}"
+fi
 
 REPOSITORY=""
 ARGS=()
@@ -23,5 +24,10 @@ while (( $# > 0 )); do
     esac
 done
 
+if [[ -z "${REPOSITORY}" ]]; then
+    echo "ERROR: repository not set. Please pass --repository flag or set the 'repository' attribute in the rule." >&2
+    exit 1
+fi
+
 exec "${COSIGN}" attest "${REPOSITORY}@${DIGEST}" ${ARGS[@]+"${ARGS[@]}"}
 
@@ -31,13 +31,21 @@ cosign_sign(
 ```
 
 run `bazel run :sign -- --repository=index.docker.io/org/test`
+
+You can also omit the `repository` attribute and provide it at runtime.
+```starlark
+cosign_sign(
+    name = "sign_no_repo",
+    image = ":image",
+)
+```
+Then run `bazel run :sign_no_repo -- --repository=index.docker.io/org/test`
 """
 
 _attrs = {
     "image": attr.label(allow_single_file = True, mandatory = True, doc = "Label to an oci_image"),
-    "repository": attr.string(mandatory = True, doc = """\
-        Repository URL where the image will be signed at, e.g.: `index.docker.io/<user>/image`.
-        Digests and tags are not allowed.
+    "repository": attr.string(doc = """        Repository URL where the image will be signed at, e.g.: `index.docker.io/<user>/image`.
+        Digests and tags are not allowed. If this attribute is not set, the repository must be passed at runtime via the `--repository` flag.
     """),
     "_sign_sh_tpl": attr.label(default = "sign.sh.tpl", allow_single_file = True),
 }
@@ -46,10 +54,15 @@ def _cosign_sign_impl(ctx):
     cosign = ctx.toolchains["@rules_oci//cosign:toolchain_type"]
     jq = ctx.toolchains["@aspect_bazel_lib//lib:jq_toolchain_type"]
 
-    if ctx.attr.repository.find(":") != -1 or ctx.attr.repository.find("@") != -1:
+    if ctx.attr.repository and (ctx.attr.repository.find(":") != -1 or ctx.attr.repository.find("@") != -1):
         fail("repository attribute should not contain digest or tag.")
 
     executable = ctx.actions.declare_file("cosign_sign_{}.sh".format(ctx.label.name))
+
+    fixed_args = []
+    if ctx.attr.repository:
+        fixed_args.extend(["--repository", ctx.attr.repository])
+
     ctx.actions.expand_template(
         template = ctx.file._sign_sh_tpl,
         output = executable,
@@ -58,7 +71,7 @@ def _cosign_sign_impl(ctx):
             "{{cosign_path}}": cosign.cosign_info.binary.short_path,
             "{{jq_path}}": jq.jqinfo.bin.short_path,
             "{{image_dir}}": ctx.file.image.short_path,
-            "{{fixed_args}}": " ".join(["--repository", ctx.attr.repository]),
+            "{{fixed_args}}": " ".join(fixed_args),
         },
     )
 
 
@@ -8,8 +8,10 @@ readonly DIGEST=$("${JQ}" -r '.manifests[].digest' "${IMAGE_DIR}/index.json")
 readonly FIXED_ARGS=({{fixed_args}})
 
 # set $@ to be FIXED_ARGS+$@
-ARGS=(${FIXED_ARGS[@]} $@)
-set -- ${ARGS[@]}
+ALL_ARGS=(${FIXED_ARGS[@]+"${FIXED_ARGS[@]}"} "$@")
+if [[ ${#ALL_ARGS[@]} -gt 0 ]]; then
+  set -- "${ALL_ARGS[@]}"
+fi
 
 REPOSITORY=""
 ARGS=()
@@ -22,5 +24,10 @@ while (( $# > 0 )); do
     esac
 done
 
+if [[ -z "${REPOSITORY}" ]]; then
+    echo "ERROR: repository not set. Please pass --repository flag or set the 'repository' attribute in the rule." >&2
+    exit 1
+fi
+
 exec "${COSIGN}" sign "${REPOSITORY}@${DIGEST}" ${ARGS[@]+"${ARGS[@]}"}
 
@@ -48,3 +48,43 @@ sh_test(
         "@jq_toolchains//:resolved_toolchain",
     ],
 )
+
+cosign_attest(
+    name = "attest_no_repo",
+    image = ":image",
+    predicate = ":sbom_generated.spdx",
+    type = "spdx",
+)
+
+sh_test(
+    name = "test_attest_no_repo_fails",
+    srcs = ["test_attest_no_repo_fails.bash"],
+    args = ["$(location :attest_no_repo)"],
+    data = [":attest_no_repo"],
+)
+
+sh_test(
+    name = "test_attest_no_repo_passes",
+    srcs = ["test_attest_no_repo_passes.bash"],
+    args = [
+        "$(JQ_BIN)",
+        "$(COSIGN_BIN)",
+        "$(CRANE_BIN)",
+        "$(location :attest_no_repo)",
+        "$(location :image)",
+        "$(location sbom.spdx)",
+    ],
+    data = [
+        "sbom.spdx",
+        ":attest_no_repo",
+        ":image",
+        "@jq_toolchains//:resolved_toolchain",
+        "@oci_cosign_toolchains//:current_toolchain",
+        "@oci_crane_toolchains//:current_toolchain",
+    ],
+    toolchains = [
+        "@oci_cosign_toolchains//:current_toolchain",
+        "@oci_crane_toolchains//:current_toolchain",
+        "@jq_toolchains//:resolved_toolchain",
+    ],
+)
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -o pipefail -o errexit -o nounset
+
+readonly IMAGE_ATTESTER="$1"
+
+# Run the cosign_attest target and check that it fails with the expected error message.
+if ! "$IMAGE_ATTESTER" &> output.txt; then
+  cat output.txt
+  grep "ERROR: repository not set. Please pass --repository flag or set the 'repository' attribute in the rule." output.txt
+else
+  echo "Expected cosign_attest to fail, but it succeeded."
+  exit 1
+fi
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -o pipefail -o errexit -o nounset
+
+readonly JQ="${1/external\//../}"
+readonly COSIGN="${2/external\//../}"
+readonly CRANE="${3/external\//../}"
+readonly ATTACHER_NO_REPO="$4"
+readonly IMAGE_PATH="$5"
+readonly SBOM_PATH="$6"
+
+# start a registry
+output=$(mktemp)
+$CRANE registry serve --address=localhost:0 >> "$output" 2>&1 &
+timeout=$((SECONDS+10))
+while [ "${SECONDS}" -lt "${timeout}" ]; do
+    port="$(sed -nr 's/.+serving on port ([0-9]+)/\1/p' < "$output")"
+    [ -n "${port}" ] && break
+done
+
+readonly REPOSITORY="localhost:$port/local" 
+
+# generate key
+COSIGN_PASSWORD=123 "${COSIGN}" generate-key-pair 
+
+REF=$("${CRANE}" push "${IMAGE_PATH}" "${REPOSITORY}")
+
+# attach the sbom
+COSIGN_PASSWORD=123 "${ATTACHER_NO_REPO}" --repository "${REPOSITORY}" --key=cosign.key -y
+
+# download the sbom
+"${COSIGN}" verify-attestation "$REF" --key=cosign.pub --type spdx | "${JQ}" -r '.payload' | base64 --decode | "${JQ}" -r '.predicate' > "$TEST_TMPDIR/download.sbom" 
+
+diff -u --ignore-space-change --strip-trailing-cr "$SBOM_PATH"  "$TEST_TMPDIR/download.sbom" || (echo "FAIL: downloaded SBOM does not match the original" && exit 1)
@@ -29,6 +29,12 @@ oci_push(
     repository = "index.docker.io/<ORG>/image",
 )
 
+oci_push(
+    name = "push_image_wo_repository",
+    image = ":image",
+    remote_tags = ["latest"],
+)
+
 oci_image_index(
     name = "image_index",
     images = [
@@ -87,15 +93,26 @@ sh_test(
         "$(location :push_image_index)",
         "$(location :push_image_repository_file)",
         "$(location :push_image_wo_tags)",
+        "$(location :push_image_wo_repository)",
     ],
     data = [
         ":push_image",
         ":push_image_index",
         ":push_image_repository_file",
         ":push_image_wo_tags",
+        ":push_image_wo_repository",
         "@oci_crane_toolchains//:current_toolchain",
     ],
     toolchains = [
         "@oci_crane_toolchains//:current_toolchain",
     ],
 )
+
+sh_test(
+    name = "test_push_image_wo_repository_fails",
+    srcs = ["test_push_image_wo_repository_fails.bash"],
+    args = ["$(location :push_image_wo_repository)"],
+    data = [
+        ":push_image_wo_repository",
+    ],
+)
@@ -6,6 +6,7 @@ readonly PUSH_IMAGE="$2"
 readonly PUSH_IMAGE_INDEX="$3"
 readonly PUSH_IMAGE_REPOSITORY_FILE="$4"
 readonly PUSH_IMAGE_WO_TAGS="$5"
+readonly PUSH_IMAGE_WO_REPOSITORY="$6"
 
 # start a registry
 output=$(mktemp)
@@ -54,4 +55,9 @@ if [ "${TAGS}" != "custom" ]; then
     echo "image is supposed to have custom tag but got"
     echo "${TAGS}"
     exit 1
-fi
+fi
+
+# should push image without repository with default tags
+REPOSITORY="${REGISTRY}/local-wo-repository"
+"${PUSH_IMAGE_WO_REPOSITORY}" --repository "${REPOSITORY}"
+"${CRANE}" digest "$REPOSITORY:latest"