ci: tests: build: Correct JSON data for predicate #66

Workflow file for this run

	name: Tests

	on:
	push:
	paths-ignore:
	- .github/workflows/release.yml
	pull_request:
	paths-ignore:
	- .github/workflows/release.yml

	jobs:
	build:
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	python-version:
	- "3.10"
	steps:
	- uses: actions/checkout@v2
	- name: Set up Python ${{ matrix.python-version }}
	uses: actions/setup-python@v2
	with:
	python-version: ${{ matrix.python-version }}
	- name: Get pip cache
	id: pip-cache
	run: \|
	python -c "from pip._internal.locations import USER_CACHE_DIR; print('::set-output name=dir::' + USER_CACHE_DIR)"
	- name: pip cache
	uses: actions/cache@v1
	with:
	path: ${{ steps.pip-cache.outputs.dir }}
	key: ${{ runner.os }}-pip-${{ hashFiles('**/setup.cfg') }}
	restore-keys: \|
	${{ runner.os }}-pip-
	- name: Install dev dependencies
	run: \|
	pip install -U pip setuptools wheel
	pip install -e .[dev]
	python -m pip freeze
	- name: Build
	run: \|
	python -m build .
	- name: Generate SBOM
	id: generate-sbom
	uses: pdxjohnny/sbom4python@github-action
	with:
	python-version: ${{ matrix.python-version }}
	module-name: httptest
	output-directory: sbom
	- name: in-toto attestation for cyclonedx SBOM
	id: in-toto-cyclonedx
	env:
	MODULE_NAME: httptest
	run: \|
	echo "attestation<<GITHUB_OUTPUT_EOF" >> $GITHUB_OUTPUT
	(python -m json.tool --sort-keys \| tee -a $GITHUB_OUTPUT) <<EOF
	{
	"_type": "https://in-toto.io/Statement/v0.1",
	"subject": [
	{
	"name": "$(cd dist/ && echo *.tar.gz)",
	"digest": {"sha256": "$(cd dist/ && sha256sum $(echo *.tar.gz) \| awk '{print $1}')"}
	},
	{
	"name": "$(cd dist/ && echo *.whl)",
	"digest": {"sha256": "$(cd dist/ && sha256sum $(echo *.whl) \| awk '{print $1}')"}
	}
	],
	"predicateType": "https://cyclonedx.org/bom/v1.4",
	"predicate": $(cat "${MODULE_NAME}-py${{ matrix.python-version }}.json")
	}
	EOF
	echo "GITHUB_OUTPUT_EOF" >> $GITHUB_OUTPUT
	- name: Checkout public-keys branch
	uses: actions/checkout@v4
	with:
	ref: public-keys
	path: public-keys
	- name: Generate keypair to sign SCITT statement
	id: scitt-gen-keypair
	run: \|
	ssh-keygen -q -f ssh-private -t ecdsa -b 384 -N '' -I "$(date -Iseconds)" <<<y
	cat ssh-private \| python -c 'import sys; from cryptography.hazmat.primitives import serialization; print(serialization.load_ssh_private_key(sys.stdin.buffer.read(), password=None).private_bytes(encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption()).decode().rstrip())' > private-key.pem
	cat ssh-private.pub \| tee -a public-keys/authorized_keys
	rm -v ssh-private ssh-private.pub
	- name: Push new public key
	env:
	GH_TOKEN: ${{ github.token }}
	run: \|
	set -xe
	cd public-keys
	gh auth setup-git
	git config --global --add safe.directory "${PWD}"
	git config --global user.email "actions@github.com"
	git config --global user.name "GitHub Actions"
	git add -A
	# If no delta clean exit
	git commit -sm "Snapshot" \|\| exit 0
	git push -uf origin "HEAD:public-keys"
	- name: Submit SBOM to SCITT
	id: scitt-submit-sbom
	uses: pdxjohnny/scitt-api-emulator@github-action
	with:
	issuer: did:web:raw.githubusercontent.com:pdxjohnny:httptest:public-keys:authorized_keys
	subject: pkg:github/${{ github.repository }}@${{ github.sha }}
	payload: ${{ steps.in-toto-cyclonedx.outputs.attestation }}
	private-key-pem: private-key.pem
	scitt-url: https://scitt.unstable.chadig.com
	- name: Remove private key used in keypair to sign SCITT statement
	run: \|
	rm -v private-key.pem
	- name: Create Pull Request
	if: ${{ steps.generate-sbom.outputs.changed }}
	uses: peter-evans/create-pull-request@v5.0.2
	with:
	commit-message: "chore: update SBOM for Python ${{ matrix.python-version }}"
	title: "chore: update SBOM for Python ${{ matrix.python-version }}"
	branch: chore-sbom-py${{ matrix.python-version }}
	delete-branch: true
	author: GitHub Actions <actions@github.com>
	add-paths: sbom

	unittest:
	runs-on: ${{ matrix.os }}
	strategy:
	fail-fast: false
	matrix:
	os:
	- ubuntu-latest
	- macos-latest
	- windows-latest
	python-version:
	- "3.10"
	- "3.11"
	- "3.12"
	steps:
	- uses: actions/checkout@v2
	- name: Set up Python ${{ matrix.python-version }}
	uses: actions/setup-python@v2
	with:
	python-version: ${{ matrix.python-version }}
	- name: Get pip cache
	id: pip-cache
	run: \|
	python -c "from pip._internal.locations import USER_CACHE_DIR; print('::set-output name=dir::' + USER_CACHE_DIR)"
	- name: pip cache
	uses: actions/cache@v1
	with:
	path: ${{ steps.pip-cache.outputs.dir }}
	key: ${{ runner.os }}-pip-${{ hashFiles('**/setup.cfg') }}
	restore-keys: \|
	${{ runner.os }}-pip-
	- name: Install dev dependencies
	run: \|
	pip install -U pip setuptools wheel
	pip install -e .[dev]
	python -m pip freeze
	- name: Test without coverage
	if: ${{ matrix.python-version != '3.10' }}
	run: \|
	python -m unittest discover -v
	- name: Coverage Test
	if: ${{ matrix.python-version == '3.10' && matrix.os == 'ubuntu-latest' }}
	run: \|
	python -m coverage run -m unittest discover -v
	python -m coverage report -m
	- name: Upload coverage to codecov
	if: ${{ matrix.python-version == '3.10' && matrix.os == 'ubuntu-latest' }}
	env:
	CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
	run: \|
	pip install -U codecov
	codecov

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: tests: build: Correct JSON data for predicate #66

Workflow file

ci: tests: build: Correct JSON data for predicate #66

Jobs

Run details

Workflow file for this run