.github/workflows/e2e.go.workflow_dispatch.branch1.config-ldflags.slsa3.yml #1536
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| schedule: | |
| - cron: "0 1 * * *" | |
| workflow_dispatch: | |
| permissions: read-all | |
| concurrency: "e2e.go.workflow_dispatch.branch1.config-ldflags.slsa3" | |
| env: | |
| GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }} | |
| ISSUE_REPOSITORY: slsa-framework/slsa-github-generator | |
| # WARNING: update build job if CONFIG_FILE changes. | |
| CONFIG_FILE: .github/configs-go/config-ldflags.yml | |
| jobs: | |
| dispatch: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: write | |
| contents: write | |
| # WARNING: need `github.ref_name == 'main'` to avoid infinite loop when triggering manually. | |
| if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.ref_name == 'main') | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - run: ./.github/workflows/scripts/e2e-dispatch.sh | |
| shim: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'workflow_dispatch' | |
| outputs: | |
| continue: ${{ steps.verify.outputs.continue }} | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - id: verify | |
| env: | |
| REF_NAME: ${{ github.ref_name }} | |
| run: | | |
| set -euo pipefail | |
| this_file=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" | jq -r '.path' | cut -d '/' -f3) | |
| branch=$(echo "${this_file}" | cut -d '.' -f4) | |
| if [[ "${branch}" == "${REF_NAME}" ]]; then | |
| echo "continue=yes" >> "${GITHUB_OUTPUT}" | |
| fi | |
| args: | |
| needs: [shim] | |
| if: needs.shim.outputs.continue == 'yes' && github.event_name == 'workflow_dispatch' | |
| runs-on: ubuntu-latest | |
| outputs: | |
| version: ${{ steps.ldflags.outputs.version }} | |
| commit: ${{ steps.ldflags.outputs.commit }} | |
| branch: ${{ steps.ldflags.outputs.branch }} | |
| steps: | |
| - id: checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| with: | |
| fetch-depth: 0 | |
| - id: ldflags | |
| run: | | |
| set -euo pipefail | |
| this_file=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" | jq -r '.path' | cut -d '/' -f3) | |
| branch=$(echo "${this_file}" | cut -d '.' -f4) | |
| { | |
| echo "version=-X main.gitVersion=v1.2.3" | |
| echo "commit=-X main.gitCommit=abcdef" | |
| echo "branch=-X main.gitBranch=${branch}" | |
| } >> "${GITHUB_OUTPUT}" | |
| build: | |
| needs: [shim, args] | |
| if: needs.shim.outputs.continue == 'yes' && github.event_name == 'workflow_dispatch' | |
| permissions: | |
| id-token: write # For signing. | |
| contents: write # For asset uploads. | |
| actions: read # For the entrypoint. | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@main | |
| with: | |
| go-version: "1.21" | |
| # We cannot use ${{ env.CONFIG_FILE }} because env variables are not available. | |
| config-file: .github/configs-go/config-ldflags.yml | |
| evaluated-envs: "VERSION:${{needs.args.outputs.version}},COMMIT:${{needs.args.outputs.commit}},BRANCH:${{needs.args.outputs.branch}}" | |
| compile-builder: true | |
| verify: | |
| runs-on: ubuntu-latest | |
| needs: [shim, build] | |
| if: needs.shim.outputs.continue == 'yes' && github.event_name == 'workflow_dispatch' | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
| with: | |
| name: ${{ needs.build.outputs.go-binary-name }} | |
| - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
| with: | |
| name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl | |
| - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version: "1.21" | |
| - env: | |
| BINARY: ${{ needs.build.outputs.go-binary-name }} | |
| # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, | |
| # so we implictely verify that `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl = ${{ needs.build.outputs.go-provenance-name }}`. | |
| PROVENANCE: ${{ needs.build.outputs.go-provenance-name }} | |
| run: ./.github/workflows/scripts/e2e.go.default.verify.sh | |
| if-succeeded: | |
| runs-on: ubuntu-latest | |
| needs: [shim, build, verify] | |
| if: needs.shim.outputs.continue == 'yes' && github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.verify.result == 'success' | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - run: ./.github/workflows/scripts/e2e-report-success.sh | |
| if-failed: | |
| runs-on: ubuntu-latest | |
| needs: [build, verify] | |
| if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.verify.result == 'failure') | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - run: ./.github/workflows/scripts/e2e-report-failure.sh |