.github/workflows/e2e.gcb.push.main.default.slsa3.yml #10666
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| schedule: | |
| # Twice a month scheduled cron for rebuilding. | |
| - cron: "0 3 1,15 * *" | |
| # Verify the last built image daily. | |
| - cron: "0 2 * * *" | |
| workflow_dispatch: | |
| inputs: | |
| trigger_build: | |
| description: "Trigger a build" | |
| required: false | |
| default: false | |
| type: boolean | |
| push: | |
| branches: [main] | |
| permissions: read-all | |
| concurrency: "e2e.gcb.push.main.default.slsa3" | |
| env: | |
| GH_TOKEN: ${{ secrets.E2E_CONTAINER_TOKEN }} | |
| ISSUE_REPOSITORY: slsa-framework/slsa-github-generator | |
| IMAGE_REGISTRY: us-west2-docker.pkg.dev | |
| # The IMAGE_NAME matches the substitution variable in the trigger configuration. | |
| IMAGE_NAME: slsa-tooling/example-package-repo/e2e-gcb-push-main-default-slsa3 | |
| jobs: | |
| # The push to the main branch on the file e2e/$THIS_FILE.txt will trigger a new build | |
| push: | |
| runs-on: ubuntu-latest | |
| if: (github.event_name == 'schedule' && github.event.schedule == '0 3 1,15 * *') || inputs.trigger_build | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - run: ./.github/workflows/scripts/e2e-push.sh | |
| # Retrieve provenance of the latest build. | |
| provenance: | |
| if: github.event_name == 'workflow_dispatch' || (github.event_name == 'schedule' && github.event.schedule == '0 2 * * *') | |
| permissions: | |
| id-token: write # For auth. | |
| outputs: | |
| image: ${{ steps.describe.outputs.image }} | |
| provenance-name: ${{ steps.describe.outputs.provenance-name }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout the repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - id: "auth" | |
| name: "Authenticate to Google Cloud" | |
| uses: "google-github-actions/auth@v2" | |
| with: | |
| workload_identity_provider: "projects/819720953812/locations/global/workloadIdentityPools/example-package-pool/providers/example-package-provider" | |
| service_account: "example-package-user@slsa-tooling.iam.gserviceaccount.com" | |
| - name: "Set up Cloud SDK" | |
| uses: "google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200" # v2.1.0 | |
| - name: Retrieve the latest builds provenance | |
| id: describe | |
| run: | | |
| # Retrieve the build ID filtering by image name | |
| build_id=$(gcloud builds list --filter "results.images.name=${IMAGE_REGISTRY}/${IMAGE_NAME}" --region=us-west2 --project slsa-tooling --limit=1 --format="value(id)") | |
| echo "Found build with build id ${build_id}..." | |
| image_digest=$(gcloud builds describe "${build_id}" --project=slsa-tooling --region=us-west2 --format="value(results.images[0].digest)") | |
| echo "image=${IMAGE_REGISTRY}/${IMAGE_NAME}@${image_digest}" >> "${GITHUB_OUTPUT}" | |
| echo "Retrieved image digest ${image_digest}..." | |
| # Get latest builds provenance | |
| gcloud artifacts docker images describe "${IMAGE_REGISTRY}/${IMAGE_NAME}@${image_digest}" --show-provenance --format json > provenance.json | |
| echo "provenance-name=provenance.json" >> "${GITHUB_OUTPUT}" | |
| - name: Upload provenance | |
| uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
| with: | |
| name: ${{ steps.describe.outputs.provenance-name }} | |
| path: ${{ steps.describe.outputs.provenance-name }} | |
| if-no-files-found: error | |
| retention-days: 5 | |
| # Verify the created provenance attestation: does not require the build job. | |
| verify: | |
| if: github.event_name == 'workflow_dispatch' || (github.event_name == 'schedule' && github.event.schedule == '0 2 * * *') | |
| needs: provenance | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
| with: | |
| name: ${{ needs.provenance.outputs.provenance-name }} | |
| - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version: "1.21" | |
| - env: | |
| CONTAINER: ${{ needs.provenance.outputs.image }} | |
| PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} | |
| run: ./.github/workflows/scripts/e2e.gcb.default.verify.sh | |
| if-succeeded: | |
| runs-on: ubuntu-latest | |
| needs: [provenance, verify] | |
| if: needs.provenance.result == 'success' && needs.verify.result == 'success' | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - run: ./.github/workflows/scripts/e2e-report-success.sh | |
| if-failed: | |
| runs-on: ubuntu-latest | |
| needs: [provenance, verify] | |
| if: always() && needs.provenance.result == 'failure' || needs.verify.result == 'failure' | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - run: ./.github/workflows/scripts/e2e-report-failure.sh |