Skip to content

.github/workflows/e2e.delegator-generic.workflow_dispatch.main.checkout.slsa3.yml #52

.github/workflows/e2e.delegator-generic.workflow_dispatch.main.checkout.slsa3.yml

.github/workflows/e2e.delegator-generic.workflow_dispatch.main.checkout.slsa3.yml #52

on:
schedule:
- cron: "0 0 * * *"
workflow_dispatch:
inputs:
trigger_build:
description: "internal: do not check"
required: false
default: false
type: boolean
permissions: read-all
concurrency: "e2e.delegator-generic.workflow_dispatch.checkout.default.slsa3"
env:
GH_TOKEN: ${{ secrets.E2E_GENERIC_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
# File contains hello checkout
# https://github.com/slsa-framework/example-package/commit/aa526e30174c737361b33558a771e5f22dea3309
# At main, it contains only hello.
# WARNING: CHECKOUT_SHA1 value needs to be kept in sync with
# the builder call.
CHECKOUT_SHA1: aa526e30174c737361b33558a771e5f22dea3309
CHECKOUT_MESSAGE: "hello checkout"
jobs:
# Bootstrap
################################################################################
bootstrap:
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build)
permissions:
contents: write
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# Bumps the package version pushes, creates a git tag, and pushes the tag.
- run: ./.github/workflows/scripts/e2e-bootstrap.sh
if-bootstrap-failed:
runs-on: ubuntu-latest
needs: [bootstrap]
if: always() && (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build)) && needs.bootstrap.result != 'success'
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- run: ./.github/workflows/scripts/e2e-report-failure.sh
# Main workflow
################################################################################
# Shim determines if the rest of the workflow should run.
# NOTE: it should only use the `if` to determine this and all downstream jobs
# should depend on this job.
shim:
# NOTE: this must be kept in sync with the if-failed job.
if: github.event_name == 'workflow_dispatch' && inputs.trigger_build
runs-on: ubuntu-latest
steps:
- run: |
echo "event: ${GITHUB_EVENT_NAME}"
echo "ref: ${GITHUB_REF}"
build:
needs: [shim]
permissions:
id-token: write # For signing
contents: write # For asset uploads
packages: write # To write to github packages
actions: read
uses: slsa-framework/example-trw/.github/workflows/builder_high-perms-checkout_slsa3.yml@v0.0.1
with:
artifact: my-artifact
filename: delegator/e2e.delegator-generic.workflow_dispatch.main.checkout/build.txt
# WARNING: This value must be kept in sync with env variable CHECKOUT_SHA1
# defined at the top of the file.
commit-sha: aa526e30174c737361b33558a771e5f22dea3309
secrets:
# NOTE: this password is set to 'delegator-password'.
password: ${{ secrets.DELEGATOR_PASSWORD }}
verify:
runs-on: ubuntu-latest
needs: [build]
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
with:
name: "${{ needs.build.outputs.artifact }}" # NOTE: This is 'my-artifact'.
- uses: slsa-framework/example-trw/high-perms-checkout/actions/download/attestation@v0.0.1
with:
name: "${{ needs.build.outputs.provenance-download-name }}"
sha256: "${{ needs.build.outputs.provenance-download-sha256 }}"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version: "1.18"
- env:
BINARY: "${{ needs.build.outputs.artifact }}"
PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/${{ needs.build.outputs.artifact }}.build.slsa" # This is defined by the builder.
BUILDER_ID: "https://github.com/slsa-framework/example-trw/.github/workflows/builder_high-perms-checkout_slsa3.yml@v0.0.1"
run: ./.github/workflows/scripts/e2e.delegator.default.verify.sh
if-succeeded:
runs-on: ubuntu-latest
needs: [build, verify]
if: needs.build.result == 'success' && needs.verify.result == 'success'
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- run: ./.github/workflows/scripts/e2e-report-success.sh
if-failed:
runs-on: ubuntu-latest
needs: [build, verify]
if: always() && github.event_name == 'workflow_dispatch' && inputs.trigger_build && (needs.build.result != 'success' || needs.verify.result != 'success')
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- run: ./.github/workflows/scripts/e2e-report-failure.sh