Skip to content

.github/workflows/e2e.container-based.schedule.main.gcp-workload-identity.slsa3.yml #389

.github/workflows/e2e.container-based.schedule.main.gcp-workload-identity.slsa3.yml

.github/workflows/e2e.container-based.schedule.main.gcp-workload-identity.slsa3.yml #389

on:
schedule:
# Twice a month scheduled cron for rebuilding the base builder image.
- cron: "0 3 1,15 * *"
# Verify container-based workflow with the base builder image daily.
- cron: "0 3 * * *"
workflow_dispatch:
inputs:
trigger_build:
description: "Trigger a build"
required: false
default: false
type: boolean
permissions: read-all
concurrency: "e2e.container-based.schedule.main.gcp-workload-identity.slsa3"
env:
# TODO: Replace this token.
GH_TOKEN: ${{ secrets.E2E_CONTAINER_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
PROVENANCE_NAME: attestation.intoto
IMAGE_NAME: slsa-tooling/example-package-repo/e2e.container-based.schedule.main.gcp-workload-identity.slsa3
IMAGE_REGISTRY: us-west2-docker.pkg.dev
SERVICE_ACCOUNT: container-generator-user@slsa-tooling.iam.gserviceaccount.com
PROVIDER_NAME: projects/819720953812/locations/global/workloadIdentityPools/example-package-pool/providers/example-package-provider
jobs:
# Rebuild the base image
base-build:
runs-on: ubuntu-latest
if: inputs.trigger_build || (github.event_name == 'schedule' && github.event.schedule == '0 3 1,15 * *')
permissions:
contents: read # For reading repository contents.
packages: write # For writing container images.
id-token: write # For authenticating to Google Cloud Workload Identity
steps:
- id: auth
name: "Authenticate to Google Cloud"
uses: google-github-actions/auth@5a50e581162a13f4baa8916d01180d2acbc04363 # v2.1.0
with:
token_format: "access_token"
service_account: ${{ env.SERVICE_ACCOUNT }}
workload_identity_provider: ${{ env.PROVIDER_NAME }}
- name: Checkout the repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Authenticate Docker
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ${{ env.IMAGE_REGISTRY }}
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push Docker image
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
id: build
with:
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
base:
runs-on: ubuntu-latest
if: ${{ !inputs.trigger_build }}
permissions:
contents: read # For reading repository contents.
packages: write # For writing container images.
id-token: write # For authenticating to Google Cloud Workload Identity
outputs:
image: ${{ steps.image.outputs.image }}
digest: ${{ steps.image.outputs.digest }}
steps:
- id: auth
name: "Authenticate to Google Cloud"
uses: google-github-actions/auth@5a50e581162a13f4baa8916d01180d2acbc04363 # v2.1.0
with:
token_format: "access_token"
service_account: ${{ env.SERVICE_ACCOUNT }}
workload_identity_provider: ${{ env.PROVIDER_NAME }}
- name: Authenticate Docker
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ${{ env.IMAGE_REGISTRY }}
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: Output image
id: image
run: |
# NOTE: We need to use the image and digest in order to make sure
# that the image we attest has not been modified.
full_image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
docker pull "${full_image_name}:main"
repo_digest=$(docker inspect --format='{{index .RepoDigests 0}}' "${full_image_name}:main")
echo "$repo_digest"
{
echo "image=$full_image_name"
echo "digest=${repo_digest#*@}"
echo "service_account=${SERVICE_ACCOUNT}"
echo "provider_name=${PROVIDER_NAME}"
} >> "${GITHUB_OUTPUT}"
build:
permissions:
id-token: write # For signing
actions: read
contents: write # For asset uploads
needs: [base]
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_container-based_slsa3.yml@main
with:
builder-image: ${{ needs.base.outputs.image }}
builder-digest: ${{ needs.base.outputs.digest }}
config-path: ".github/configs-docker/app-config.toml"
provenance-name: attestation.intoto
compile-builder: true
verify:
runs-on: ubuntu-latest
needs: [base, build]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.build-outputs-name }}
path: outputs
- name: Get build artifact
id: build
run: |
name=$(find outputs/ -type f | head -1)
cp "${name}" .
echo "name=$(basename "${name}")" >> "${GITHUB_OUTPUT}"
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.attestations-download-name }}
path: attestations
- name: Get attestation
id: att
env:
FOLDER: attestations
run: |
name=$(find "${FOLDER}"/ -type f | head -1)
cp "${name}" .
echo "name=$(basename "${name}")" >> "${GITHUB_OUTPUT}"
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
- env:
BINARY: ${{ steps.build.outputs.name }}
PROVENANCE: ${{ steps.att.outputs.name }}
run: ./.github/workflows/scripts/e2e.container-based.default.verify.sh
if-succeeded:
runs-on: ubuntu-latest
needs: [build, verify]
# NOTE: The workflow is allowed to run for other event types but don't post
# to issues unless it's a schedule event.
if: github.event_name == 'schedule' && needs.build.result == 'success' && needs.verify.result == 'success'
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-report-success.sh
if-failed:
runs-on: ubuntu-latest
needs: [build, verify]
# NOTE: The workflow is allowed to run for other event types but don't post
# to issues unless it's a schedule event.
if: always() && github.event_name == 'schedule' && (needs.build.result == 'failure' || needs.verify.result == 'failure')
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-report-failure.sh